Creating an Account

Note: This process registers accounts in IT Asset Management so that they may be assigned to roles that control their access and privileges.

IT Asset Management supports the following types of accounts:

Account Types

Type

Description

Interactive Account

An account that enables an operator to log into IT Asset Management and use its features. To access any part of the product, an operator account must be enabled and assigned to one (or more) role(s). An enterprise typically has several interactive operator accounts.

Tip: Operators may log into interactive accounts using either:

Your chosen identity provider, such as Okta, if your enterprise has implemented single sign-on with a SAML 2.0-compliant tool (for more about configuring single sign-on, see Authentication in the System Reference).
An interface managed through Flexera Account Management.

Individual operator accounts may be configured with either method, so that you can mix-and-match the security methods to suit your needs.

Service Account

Enables access to IT Asset Management through the web API service. An enterprise typically needs one service account. To access IT Asset Management through a web API service, you must have:

A license for the API Integration option—Go to the IT Assets License page (Administration > IT Asset Management Settings > IT Assets License) and look for the value of the FNMP API Integration enabled option. The value Yes indicates that you have this license.
A service account—Required to access IT Asset Management through its web API interface. A service account is assigned to the Web Service role. You cannot log in to Flexera One with a service account (that is, it is not an interactive account).

To create an account, perform the following steps.

To create an account:

1. Log in to IT Asset Management as an operator with administrator privileges.
2. Go to the IT Asset Accounts page (Administration > IT Asset Management Settings > IT Asset Accounts).

The All Accounts tab of the IT Asset Accounts page displays.

3. Click Create an account.

The result depends on your system's configuration. Where more than one kind of account is possible, a drop-down appears:

If your enterprise has not implemented single sign-on with a SAML 2.0-compliant tool, the drop-down includes a choice for Interactive account. Clicking this choice opens a Flexera Account Management page in a separate browser tab.
If your enterprise does have a single sign-on solution, the drop-down includes two choices:
The Interactive SAML account (using your chosen identity provider). Clicking this choice opens the Account Properties page.
The Interactive Flexera Account (using Flexera Account Management). Clicking this choice opens a Flexera Account Management page in a separate browser tab.

You may choose either option, as best suits the particular account you are creating.

If your enterprise has licensed the API Integration (as described above), another option for Service account is included. Clicking this choice opens a Flexera Account Management page in a separate browser tab.

With neither a SAML implementation nor API integration, only one choice for a Flexera interactive account is possible, so there is no drop-down. In this case, clicking the button opens a Flexera Account Management page in a separate browser tab.

Here is the same information summarized in tabular form:

| SAML | API | Drop-Down Option | Leads To | See |
|---|---|---|---|---|
| No | Yes | Interactive account | Flexera Account Management page in a separate browser tab | Step 4 |
| Yes | Either | Interactive SAML account | Account Properties | Step 5 |
| Yes | Either | Interactive Flexera Account | Flexera Account Management page in a separate browser tab | Step 4 |
| Either | Yes | Service account | Flexera Account Management page in a separate browser tab | Step 4 |
| No | No | No drop-down options; click the button. | Flexera Account Management page in a separate browser tab | Step 4 |

4. If you have been directed to the Flexera Account Management page:
a. Enter the account details.

An asterisk (*) indicates a mandatory field.

b. If this account is for an operator who should have administrator privileges, select the Account Administration check box.

With this setting, when you save the account details, the operator account is created in IT Asset Management and automatically assigned to the Administrator role. Other operators (non-administrators) are not automatically assigned to any role, and therefore cannot log into IT Asset Management until an administrator assigns at least one role to their account. A service account is automatically assigned to the Web Service role.

c. Click Save.

An account is created within Flexera Account Management, and the account details are automatically passed back to IT Asset Management and added to the list of accounts. For operator accounts, you may select this account in the listing, and further adjust the roles assigned to it as required.

5. If you have been directed to the Account Properties page (registering an interactive account to be used with your SAML-compliant identity provider):
a. In the Account text field, enter the operator's email address recognized by both your identity provider and IT Asset Management for this account.

Enter these details with care: once they are saved they cannot be altered, and the account cannot be deleted from IT Asset Management (it can only be disabled). Note that this property is the identifier asserted by your identity provider to IT Asset Management. For typical identity providers, it may be independent of the login method you prescribe for your operators using single sign-on accounts. For example, an operator could log in to Okta with an employee number, and Okta would then assert the operator's email address to identify the operator to IT Asset Management.

Tip: If you are migrating existing accounts to your SAML identity provider, it is best practice wherever possible to enter the same Account value (which in IT Asset Management 2020 R2, must be an email address). This allows the SAML identity provider to link with and reuse the existing account within IT Asset Management, so that you are not left with a number of 'orphaned' accounts in IT Asset Management that are no longer in use but cannot be deleted.

b. Optionally, enter the Name, Email, and Job title to clearly identify this operator within IT Asset Management.
c. If everything is in order for this operator to start work, ensure that the Status value is Enabled.
d. Select a role for this account from the Role drop-down list.

You must select a role to enable the account to use IT Asset Management. A service account is assigned to the Web Service role. A human operator may be assigned to multiple roles, and then has access to the set of all privileges provided by all those roles. If one assigned role allows a privilege, and another assigned role has a Deny setting for the same privilege, the denial wins. To add additional roles for this operator, click the + icon beside the field.

e. Click Save.

The account is saved in the IT Asset Management compliance database. However, there is no communication of these details to your SAML identity provider. You must set up the account in your identity provider in the usual way, being very careful to enter exactly the same details as you provided for the Account field. Once the operator logs in through your identity provider, the identity provider and the service provider (IT Asset Management) are fully synchronized for this account.
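One way to check planned Account values against the identifiers your identity provider will assert, before saving values that cannot later be altered. This is an added example, not Flexera code: the two input lists are constructed samples, and flagging case or whitespace differences as mismatches is an assumption drawn from the requirement to enter exactly the same details.

```python
import re

# Shape check only: the page requires the Account value to be an email address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample data (not real accounts).
PLANNED_LOGINS = [
    "a.chen@example.com",
    "B.Ortiz@example.com",    # differs from the IdP value by case
    "c.ngata@example.com ",   # trailing space from a copy and paste
    "E1042",                  # employee number used to log in to the IdP
    "d.roy@example.com",      # not yet provisioned in the IdP
]
IDP_IDENTIFIERS = [
    "a.chen@example.com",
    "b.ortiz@example.com",
    "c.ngata@example.com",
]


def fold(value):
    """Remove the differences that are easy to miss by eye."""
    return value.strip().casefold()


def reconcile(planned, asserted):
    """Map each planned Account value to match, near-miss, not-in-idp or not-an-email."""
    exact = set(asserted)
    folded = {fold(v): v for v in asserted}
    report = {}
    for login in planned:
        if not EMAIL_RE.match(login.strip()):
            report[login] = "not-an-email"
        elif login in exact:
            report[login] = "match"
        elif fold(login) in folded:
            report[login] = "near-miss:" + folded[fold(login)]
        else:
            report[login] = "not-in-idp"
    return report


def blocking(report):
    """Account values that should not be saved until they are corrected."""
    return [login for login, status in report.items() if status != "match"]


if __name__ == "__main__":
    for login, status in reconcile(PLANNED_LOGINS, IDP_IDENTIFIERS).items():
        print(f"{login!r:28} {status}")
```
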

Tip: In the All Accounts listing, the column showing the Account values is labeled Login.
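The role rule from step 5d (a Deny in any assigned role overrides an Allow in another) can be audited offline, together with the rule that an operator with no role cannot log in. This is an added example, not part of the product: the role names, privilege names and account records are hypothetical.

```python
from collections import defaultdict

ALLOW, DENY = "allow", "deny"

# Hypothetical role definitions: privilege -> setting.
ROLES = {
    "License Analyst": {"view_licenses": ALLOW, "edit_licenses": ALLOW},
    "Report Viewer": {"view_licenses": ALLOW, "export_reports": ALLOW},
    "Contractor Restrictions": {"edit_licenses": DENY, "export_reports": DENY},
}

# Constructed account records keyed by the Login column value.
ACCOUNTS = {
    "a.chen@example.com": {"enabled": True, "roles": []},
    "b.ortiz@example.com": {"enabled": True,
                            "roles": ["License Analyst", "Contractor Restrictions"]},
}


def effective_privileges(assigned_roles, roles=ROLES):
    """Return (granted, conflicts) for one account under deny-wins.

    granted: privileges allowed by at least one role and denied by none.
    conflicts: {privilege: (allowing roles, denying roles)} where a Deny
    in one role removed access that another role allowed.
    """
    allowed_by, denied_by = defaultdict(list), defaultdict(list)
    for role in assigned_roles:
        for privilege, setting in roles[role].items():
            target = denied_by if setting == DENY else allowed_by
            target[privilege].append(role)
    granted = {p for p in allowed_by if p not in denied_by}
    conflicts = {p: (allowed_by[p], denied_by[p])
                 for p in allowed_by if p in denied_by}
    return granted, conflicts


def audit(accounts, roles=ROLES):
    """List (login, issue, roles involved) findings for an administrator to review."""
    findings = []
    for login, account in accounts.items():
        if account["enabled"] and not account["roles"]:
            findings.append((login, "enabled-without-role", []))
        _, conflicts = effective_privileges(account["roles"], roles)
        for privilege in sorted(conflicts):
            findings.append((login, "deny-overrides:" + privilege,
                             conflicts[privilege][1]))
    return findings
```
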