Flexera One Roles
The Flexera One Administration module enables you to manage users, user groups, and roles across Flexera One accounts. Roles and accounts are scoped to an Organization, allowing greater control across multiple Flexera One accounts for performing management actions (like granting user roles).
An Organization is a container for settings, users, and accounts. The name of the Organization is shown in the Organization selector on the top right of the page in Flexera One. For existing customers, we have automatically created an Organization based on your Organization master account.
The following tables provide descriptions of each role available in Flexera One, categorized by logical capability groups:
• | Automation |
• | Cloud Cost Optimization |
• | Discovery and Inventory |
• | IT Asset Management |
• | IT Visibility |
• | Other |
• | Platform Administration |
• | Self-Service CloudApps. |
The following table describes Flexera One roles used with Flexera One Automation. For additional information, refer to Getting Started with Automation.
Role |
Description |
Approve policies |
Full access to approve remediation actions for policy incidents, but this role doesn't configure the policies. |
Create policies |
Full access to develop custom policies (or customizes pre-built policies) by writing Policy Template code. This user has the ability to design and develop their own templates and test them in the accounts they have access to. Once a template is deemed ready for the organization to use, this user works with the policy publisher to make the policy available in the Policies Catalog. |
Manage policies |
Full access to control which policies are applied to the scopes they have access to and how those policies behave. |
Publish policies |
Full access to modify which policies are available in the Policies Catalog, either by publishing policies built by policy designers, or by hiding policies that are pre-built from Flexera. |
View policies |
Read-only access to view dashboard, incidents, and applied policies. |
The following table describes Flexera One roles used with Cloud Cost Optimization. For related information, refer to Getting Started with Cloud Cost Optimization.
Role |
Description |
Administer cloud |
Ability to send and receive account invitations, add/change public/private cloud infrastructures and credentials, modify user permissions, and accept account group invitations. This role is also needed to view and generate Infrastructure Audit Reports, view Customer Usage Reports, and to set account markups and markdowns. |
Manage bill adjustments |
Full access to manage bill adjustments in Cloud Cost Optimization. |
Manage bill ingestion |
Full access to manage the ingestion of public, private and custom cloud billing data using the Common Bill Ingestion (CBI) feature. |
Manage billing centers |
Full access to configure Billing Centers and management of user access to Billing Centers. Full read access except to Bill Adjustments and registration of billing data. |
Manage budget |
Full access to manage budgets and view cloud billing data. |
Manage cloud |
Full access to all features and functionality in Cloud Cost Optimization. This includes the ability to manage user access to Billing Centers, register new billing data (such as AWS), configure Billing Centers, Bill Adjustments, custom dimensions, recommendations, currency, and organization dashboards. |
Manage cloud components |
Ability to create cloud specific components such as ServerTemplates, RightScripts, MultiCloud Images, Repositories, Credentials, and Alert Escalations. You will need this permission to perform actions within the Design menu of the Cloud dashboard. With this permission you can also browse the MultiCloud Marketplace (MCM) from within the RightScale Dashboard for ServerTemplates and RightScripts, but you will need the Manage marketplace imports role in order to import an object from the MCM. You can also view publicly-viewable assets in the MultiCloud Marketplace. |
Manage cloud dashboard |
Full access to manage public and default custom Cloud Cost Optimization Dashboards. |
Manage cloud infrastructure |
Ability to manage all cloud related activity. You need Manage cloud infrastructure privileges in order to act on resources and services at the cloud infrastructure level such as launch/terminate servers, create volumes and snapshots, and run scripts on running servers. You will also need this permission to create and manage deployments and server arrays. |
Manage cloud security |
Ability to manage network and firewall permissions that are used by instances in the cloud. You will need this permission in order to create security groups and define individual firewall rules within those security groups. You will also need this permission in order to create Virtual Private Clouds (VPCs) and subnets. Only trusted users should be granted this permission. You will also be able to view and generate Infrastructure Audit Reports. |
Manage custom dimensions |
Full access to manage custom tags in Cloud Cost Optimization. |
Manage groups & share objects |
Ability to create sharing groups and share cloud objects (ServerTemplates, RightScripts, and Macros) with other users. If you have a partner account, you can publish cloud objects so that they appear in the MultiCloud Marketplace. |
Manage Linux servers |
Ability to execute 'sudo' on running servers. (Applies to Linux-based (not Windows) servers only.) Similar to the Manage cloud security role, only trusted users should be granted this permission. You will still need the Manage running servers role in order to start an SSH/RDP session. |
Manage marketplace imports |
Ability to import from the MultiCloud Marketplace library. |
Manage rule-based dimensions |
Full access to manage rule-based dimensions in Cloud Cost Optimization. |
Manage running servers |
Ability to log into SSH or RDP servers. |
View bill adjustments |
Ability to view bill adjustments (read-only access) in Cloud Cost Optimization. |
View budget |
Ability to view cloud budgets and view cloud billing data. |
View cloud |
Ability to view the cloud accounts. If users do not have at least View cloud role privileges, they will not be able to log into the Dashboard and view the account in Cloud Management. |
View cloud costs |
Full access to user specific dashboards. Read-only access to Cloud billing data, Organization dashboards, recommendations, and reserved instances. Administrators can limit access to specific Billing Centers. |
View credentials |
Ability to view details of credentials that are hidden to other users, this is typically the token issuer and signing key. |
View reserved instances |
Ability to use the Reserved Instances page to view utilization details of reserved instances. |
The following table describes Flexera One roles used for IT Visibility Inventory Tasks for Data Collection:
Role |
Description |
Delete external inventory connections |
Gives permission to delete external inventory connections in IT Visibility. |
Manage discovery & inventory |
View and edit IT Visibility Inventory Tasks and components. Includes the ability to download, configure and delete beacons, create and delete third-party inventory connections, and download installers. |
View discovery & inventory |
View IT Visibility Inventory Tasks . Includes the ability to view the list of beacons, beacon properties and installers, and view and download third-party import statuses. |
The following table describes Flexera One roles used in product areas that work with IT assets. For related information, refer to Getting Started with IT Asset Management, Getting Started with SaaS Management, and Getting Started with IT Asset Requests.
Role |
Description |
Administer licenses, contracts, and purchase orders |
Access to read, create new, edit and delete licenses, contracts, and purchase data in the user interface and with the RESTful API. |
Administer SaaS |
Full access to all SaaS features and functionality. This includes the ability to read, create new, edit, and delete where applicable. If a user has the Administer SaaS role, it is not necessary to assign any other role to the user with respect to SaaS functionality. |
Manage IT asset requests |
Full access to IT Asset Requests admin user interface, IT Asset Requests API, and IT Asset Requests end user in Flexera One. |
Manage IT license reclamation |
Full access to manage IT License Reclamation. |
Manage SaaS applications & users |
Full access to all pages within the applications section of the SaaS navigation, except for unsanctioned spend. A user with this role also has access to all pages of the Users section. This access includes the ability to read, create new, edit, and delete where applicable. |
Manage SaaS import APIs |
Read and edit access to create and manage SaaS import jobs using an API. Administrators should assign SaaS import job service accounts to this role. |
Manage SaaS licenses |
Read and edit access to SaaS and SaaS licenses, including ability to view all users of applications in Flexera One. |
Manage SaaS security |
Full access to manage unsanctioned applications. In addition, this role has read-only access to the SaaS applications, team members list, and audit logs. Users with this role cannot view the SaaS dashboard. |
Request IT assets |
Limited access to IT Asset Requests API, IT Asset Requests application in Flexera One, and no access to IT Asset Requests admin user interface. |
View IT assets |
Access to IT Asset Management. The IT Asset Management application only. To use IT Asset Management, a Flexera One user must also have a corresponding account in IT Asset Management (where more granular IT Asset Management-specific authorizations are granted). For more information, refer to Managing IT Asset Management Accounts. |
View IT assets & call APIs |
Access to IT Asset Management including the ability to call all Flexera REST API endpoints. This Flexera One role provides access to the IT Asset Management Application only. To use IT Asset Management, a Flexera One user must also have a corresponding account in IT Asset Management (where more granular IT Asset Management-specific authorizations are granted). For more information, refer to Managing IT Asset Management Accounts. |
View licenses, contracts, and purchase orders |
Access to viewing of license, contract, and purchase data in the user interface and with the RESTful API. |
View SaaS |
Read-only access to view SaaS dashboard, team members screens and all pages within the applications and users sections of the SaaS Navigation. This user has no creation, editing, or deletion abilities. |
View SaaS applications |
Read-only access to all SaaS applications. This role is suggested for every employee, so they can see which applications are supported by their Organization and who to contact if they want to request a license. An application viewer cannot view the annual spend column in the application. |
The following table describes Flexera One roles used with IT Visibility. For related information, refer to Getting Started with IT Visibility as well as Getting Started with IT Visibility Beacons.
Role |
Description |
Export data |
View and download IT Visibility Data Exports. |
Manage connections |
View and edit IT Visibility Connections. |
Manage dashboards |
Full access to the data explorer to create and save insights. This role also provides the ability to create and edit custom dashboards, as well as copy and edit out of the box dashboards. |
Schedule & export data |
View, download, create and schedule IT Visibility Data Exports. |
View & create insights |
Full access to the data explorer to create and save insights. |
View IT Visibility |
View the IT Visibility Dashboard, download IT Visibility Dashboard data, and view IT Visibility Connections. |
The roles defined in the following table are miscellaneous roles used throughout Flexera One that are not specific to any one product area.
Role |
Description |
Read Technopedia Data |
Ability to access Technopedia datasets via APIs. |
View Technology Spend |
Read-only access to the Technology Spend dashboard. |
View Vendor Workspaces |
Ability to view vendor workspaces. This role also provides a user access to cost APIs at the organization level. Caution:This role’s privileges give access to all cost data. As a result, this role should be granted and used with caution. |
The following table describes Flexera One roles used in administration of the Flexera One platform. For related information, refer to Getting Started with Administration.
Role |
Description |
Administer organization |
Access to the Administration section of Flexera One where the role can be used to invite users, manage user roles, setup single sign-on, and so on. The Administer organization role cannot grant the Manage organization role. |
Manage MSP customers |
Full access to view, edit, and delete organizations on behalf of managed service provider (MSP) customers. |
Manage organization |
Full access to all organization capabilities. This role is used for all actions that require an org-level administrator. |
The following table describes Flexera One roles used with Self-Service CloudApps.
Role |
Description |
Launch & manage cloud apps |
End User privileges in Self-Service to view the Catalog and CloudApps and can launch and manage CloudApps. Users with this role are the primary consumers of Self-Service. |
Manage self-service |
Designer privileges in Self-Service to view the Design menu to upload and publish CATs, manage Schedules, and interact with the Cloud Workflow Console. |
View self-service |
Observer privileges in Self-Service to view the Catalog and run CloudApps, but cannot take any action on them (such as launch or terminate). |