Flexera One Roles

The Flexera One Administration module enables you to manage users, user groups, and roles across Flexera One accounts. Roles and accounts are scoped to an Organization, allowing greater control across multiple Flexera One accounts for performing management actions (like granting user roles).

An Organization is a container for settings, users, and accounts. The name of the Organization is shown in the Organization selector on the top right of the page in Flexera One. For existing customers, we have automatically created an Organization based on your Organization master account.

The following tables provide descriptions of each role available in Flexera One, categorized by logical capability groups:

Automation 
Cloud Cost Optimization 
Discovery and Inventory 
IT Asset Management 
IT Visibility 
Other 
Platform Administration 
Plugins 
Self-Service CloudApps

Automation

The following table describes Flexera One roles used with Flexera One Automation. For additional information, refer to Getting Started with Automation.

Role

Description

Approve policies

Full access to approve remediation actions for policy incidents, but this role doesn't configure the policies.

Create policies

Full access to develop custom policies (or customizes pre-built policies) by writing Policy Template code. This user has the ability to design and develop their own templates and test them in the accounts they have access to. Once a template is deemed ready for the organization to use, this user works with the policy publisher to make the policy available in the Policies Catalog.

Manage policies

Full access to control which policies are applied to the scopes they have access to and how those policies behave.

Publish policies

Full access to modify which policies are available in the Policies Catalog, either by publishing policies built by policy designers, or by hiding policies that are pre-built from Flexera.

View policies

Read-only access to view dashboard, incidents, and applied policies.

Cloud Cost Optimization

The following table describes Flexera One roles used with Cloud Cost Optimization. For related information, refer to Getting Started with Cloud Cost Optimization.

Role

Description

Administer cloud

Ability to send and receive account invitations, add/change public/private cloud infrastructures and credentials, modify user permissions, and accept account group invitations. This role is also needed to view and generate Infrastructure Audit Reports, view Customer Usage Reports, and to set account markups and markdowns.

Manage bill adjustments

Full access to manage bill adjustments in Cloud Cost Optimization.

Manage bill ingestion

Full access to manage the ingestion of public, private and custom cloud billing data using the Common Bill Ingestion (CBI) feature.

Manage billing centers

Full access to configure Billing Centers and management of user access to Billing Centers. Full read access except to Bill Adjustments and registration of billing data.

Manage cloud

Full access to all features and functionality in Cloud Cost Optimization. This includes the ability to manage user access to Billing Centers, register new billing data (such as AWS), configure Billing Centers, Bill Adjustments, custom dimensions, recommendations, currency, and organization dashboards.

Manage cloud components

Ability to create cloud specific components such as ServerTemplates, RightScripts, MultiCloud Images, Repositories, Credentials, and Alert Escalations. You will need this permission to perform actions within the Design menu of the Cloud dashboard. With this permission you can also browse the MultiCloud Marketplace (MCM) from within the RightScale Dashboard for ServerTemplates and RightScripts, but you will need the Manage marketplace imports role in order to import an object from the MCM. You can also view publicly-viewable assets in the MultiCloud Marketplace.

Manage cloud dashboard

Full access to manage public and default custom Cloud Cost Optimization Dashboards.

Manage cloud infrastructure

Ability to manage all cloud related activity. You need Manage cloud infrastructure privileges in order to act on resources and services at the cloud infrastructure level such as launch/terminate servers, create volumes and snapshots, and run scripts on running servers. You will also need this permission to create and manage deployments and server arrays.

Manage cloud security

Ability to manage network and firewall permissions that are used by instances in the cloud. You will need this permission in order to create security groups and define individual firewall rules within those security groups. You will also need this permission in order to create Virtual Private Clouds (VPCs) and subnets. Only trusted users should be granted this permission. You will also be able to view and generate Infrastructure Audit Reports.

Manage custom dimensions

Full access to manage custom tags in Cloud Cost Optimization.

Manage groups & share objects

Ability to create sharing groups and share cloud objects (ServerTemplates, RightScripts, and Macros) with other users. If you have a partner account, you can publish cloud objects so that they appear in the MultiCloud Marketplace.

Manage Linux servers

Ability to execute 'sudo' on running servers. (Applies to Linux-based (not Windows) servers only.) Similar to the Manage cloud security role, only trusted users should be granted this permission. You will still need the Manage running servers role in order to start an SSH/RDP session.

Manage marketplace imports

Ability to import from the MultiCloud Marketplace library.

Manage rule-based dimensions

Full access to manage rule-based dimensions in Cloud Cost Optimization.

Manage running servers

Ability to log into SSH or RDP servers.

View cloud

Ability to view the cloud accounts. If users do not have at least View cloud role privileges, they will not be able to log into the Dashboard and view the account in Cloud Management.

View cloud costs

Full access to user specific dashboards. Read-only access to Cloud billing data, Organization dashboards, recommendations, and reserved instances. Administrators can limit access to specific Billing Centers.

View credentials

Ability to view details of credentials that are hidden to other users, this is typically the token issuer and signing key.

View reserved instances

Ability to use the Reserved Instances page to view utilization details of reserved instances.

Discovery and Inventory

The following table describes Flexera One roles used for IT Visibility Inventory Tasks for Data Collection:

Role

Description

Delete external inventory connections

Gives permission to delete external inventory connections in IT Visibility.

Manage discovery & inventory

View and edit IT Visibility Inventory Tasks and components. Includes the ability to download, configure and delete beacons, create and delete third-party inventory connections, and download installers.

View discovery & inventory

View IT Visibility Inventory Tasks . Includes the ability to view the list of beacons, beacon properties and installers, and view and download third-party import statuses.

IT Asset Management

The following table describes Flexera One roles used in product areas that work with IT assets. For related information, refer to Getting Started with IT Asset Management, Getting Started with SaaS Management, and Getting Started with IT Asset Requests.

Role

Description

Administer licenses, contracts, and purchase orders

Access to read, create new, edit and delete licenses, contracts, and purchase data in the user interface and with the RESTful API.

Administer SaaS

Full access to all SaaS features and functionality. This includes the ability to read, create new, edit, and delete where applicable. If a user has the Administer SaaS role, it is not necessary to assign any other role to the user with respect to SaaS functionality.

Manage IT asset requests

Full access to IT Asset Requests admin user interface, IT Asset Requests API, and IT Asset Requests end user in Flexera One.

Manage IT license reclamation

Full access to manage IT License Reclamation.

Manage SaaS applications & users

Full access to all pages within the applications section of the SaaS navigation, except for unsanctioned spend. A user with this role also has access to all pages of the Users section. This access includes the ability to read, create new, edit, and delete where applicable.

Manage SaaS import APIs

Read and edit access to create and manage SaaS import jobs using an API. Administrators should assign SaaS import job service accounts to this role.

Manage SaaS licenses

Read and edit access to SaaS and SaaS licenses, including ability to view all users of applications in Flexera One.

Manage SaaS security

Full access to manage unsanctioned applications. In addition, this role has read-only access to the SaaS applications, team members list, and audit logs. Users with this role cannot view the SaaS dashboard.

Request IT assets

Limited access to IT Asset Requests API, IT Asset Requests application in Flexera One, and no access to IT Asset Requests admin user interface.

View IT assets

Access to IT Asset Management. The IT Asset Management application only. To use IT Asset Management, a Flexera One user must also have a corresponding account in IT Asset Management (where more granular IT Asset Management-specific authorizations are granted). For more information, refer to Managing IT Asset Management Accounts.

View IT assets & call APIs

Access to IT Asset Management including the ability to call all Flexera REST API endpoints. This Flexera One role provides access to the IT Asset Management Application only. To use IT Asset Management, a Flexera One user must also have a corresponding account in IT Asset Management (where more granular IT Asset Management-specific authorizations are granted). For more information, refer to Managing IT Asset Management Accounts.

View licenses, contracts, and purchase orders

Access to viewing of license, contract, and purchase data in the user interface and with the RESTful API.

View SaaS

Read-only access to view SaaS dashboard, team members screens and all pages within the applications and users sections of the SaaS Navigation. This user has no creation, editing, or deletion abilities.

View SaaS applications

Read-only access to all SaaS applications. This role is suggested for every employee, so they can see which applications are supported by their Organization and who to contact if they want to request a license. An application viewer cannot view the annual spend column in the application.

IT Visibility

The following table describes Flexera One roles used with IT Visibility. For related information, refer to Getting Started with IT Visibility as well as Getting Started with IT Visibility Beacons.

Role

Description

Export data

View and download IT Visibility Data Exports.

Manage connections

View and edit IT Visibility Connections.

Manage dashboards

Full access to the data explorer to create and save insights. This role also provides the ability to create and edit custom dashboards, as well as copy and edit out of the box dashboards.

Schedule & export data

View, download, create and schedule IT Visibility Data Exports.

View & create insights

Full access to the data explorer to create and save insights.

View IT Visibility

View the IT Visibility Dashboard, download IT Visibility Dashboard data, and view IT Visibility Connections.

Other

The roles defined in the following table are miscellaneous roles used throughout Flexera One that are not specific to any one product area.

Role

Description

Read Technopedia Data

Ability to access Technopedia datasets via APIs.

View Technology Spend

Read-only access to the Technology Spend dashboard.

View Vendor Workspaces

Ability to view vendor workspaces. This role also provides a user access to cost APIs at the organization level.

Caution:This role’s privileges give access to all cost data. As a result, this role should be granted and used with caution.

Platform Administration

The following table describes Flexera One roles used in administration of the Flexera One platform. For related information, refer to Getting Started with Administration.

Role

Description

Administer organization

Access to the Administration section of Flexera One where the role can be used to invite users, manage user roles, setup single sign-on, and so on. The Administer organization role cannot grant the Manage organization role.

Manage MSP customers

Full access to view, edit, and delete organizations on behalf of managed service provider (MSP) customers.

Manage organization

Full access to all organization capabilities. This role is used for all actions that require an org-level administrator.

Plugins

The following table describes Flexera One roles used when administering the plugin catalog. For related information, refer to Plugin Catalog Administration.

Role

Description

Manage cloud resources

This role gives admin access (all Create, Replace, Update, and Delete operations) on cloud resources which includes credentials, plugins, and registrations. This role also gives read access to cloud resources in IT Visibility.

Manage plugins

This role gives necessary permissions to be able to operate on plugin templates. Operations allowed on a plugin are: Delete, Index, Make default, Show, and Upload.

Note:These operations are only allowed on plugins uploaded in your organization and will not be allowed on plugins that Flexera providers its customers.

View cloud resources

This role gives read access to cloud resources which includes credentials, plugins, registrations. This role also gives read access to cloud resources in IT Visibility.

Self-Service CloudApps

The following table describes Flexera One roles used with Self-Service CloudApps.

Role

Description

Launch & manage cloud apps

End User privileges in Self-Service to view the Catalog and CloudApps and can launch and manage CloudApps. Users with this role are the primary consumers of Self-Service.

Manage self-service

Designer privileges in Self-Service to view the Design menu to upload and publish CATs, manage Schedules, and interact with the Cloud Workflow Console.

View self-service

Observer privileges in Self-Service to view the Catalog and run CloudApps, but cannot take any action on them (such as launch or terminate).