Adopted: Accounts and Privileges

IT Asset Management (Cloud)

The complete FlexNet Inventory Agent deployed automatically through the inventory beacons has distinct security requirements for different phases, and across different platforms.

Platform Deployment (adoption by inventory beacon) Operations

Platform	Deployment (adoption by inventory beacon)	Operations
Windows	On the target device, a Microsoft service account with local administrator rights to allow for software installation. Optionally, this account may be any of: A unique account for every target inventory device An account known in common to a logical group of target devices A domain administrator account that has installation rights on all target devices. In each case, the account credentials must be saved in the Password Manager on the adopting inventory beacon. (The Password Manager allows for filtering credentials against a group of devices, for example by pattern matching against machine names.) Tip: If you choose to use a highly-privileged account, such as a domain administrator, you might also choose to remove it from the Password Manager when all target devices have been adopted. (If you choose this approach, it is best practice when removing the account to disabled any targets that include a setting to adopt target devices, since adoption will fail without an appropriate privileged account.) You may also need to restore the account into the Password Manager to allow for future adoption of newly-added target devices.	FlexNet Inventory Agent runs as the local SYSTEM account. On computers running Windows operating systems, manually executed processes should be run with local administrator rights.
UNIX-like platforms	An account that allows `sudo` elevation without requiring an interactive password. Installation of the package for FlexNet Inventory Agent requires `root` level privileges. Warning: The user name of the operating system account must not include a hash (`#`) character, as this causes a failure when attempting to upload the generated `.ndi` files to the application server.	When the FlexNet Inventory Agent has been deployed automatically through adoption, it must run as `root` for all its services on the local device. On computers running Unix-like operating systems, manually executed processes should generally be run: As `root` on computers where the FlexNet inventory agent is configured to run in default operation mode. As the `flxrasvc` user where the FlexNet inventory agent is configured to run in least privilege operation mode. The following security settings apply: The `/var/opt/managesoft` directory is only accessible by `root`. The `/opt/managesoft/lib` and `/opt/managesoft/libexec` folders are completely locked down to root only. The `/opt/managesoft/bin` folder is open to all, to allow easy access to the path of the executables in the folder when using privilege escalation tools like `sudo`. The executables in the `/opt/managesoft/bin` folder are locked down to root only. The `/opt/managesoft/documentation` and `/opt/managesoft/software tag` folders are readable by all.

Windows

On the target device, a Microsoft service account with local administrator rights to allow for software installation. Optionally, this account may be any of:

A unique account for every target inventory device
An account known in common to a logical group of target devices
A domain administrator account that has installation rights on all target devices.

In each case, the account credentials must be saved in the Password Manager on the adopting inventory beacon. (The Password Manager allows for filtering credentials against a group of devices, for example by pattern matching against machine names.)

Tip: If you choose to use a highly-privileged account, such as a domain administrator, you might also choose to remove it from the Password Manager when all target devices have been adopted. (If you choose this approach, it is best practice when removing the account to disabled any targets that include a setting to adopt target devices, since adoption will fail without an appropriate privileged account.) You may also need to restore the account into the Password Manager to allow for future adoption of newly-added target devices.

FlexNet Inventory Agent runs as the local SYSTEM account.

On computers running Windows operating systems, manually executed processes should be run with local administrator rights.

UNIX-like platforms

An account that allows sudo elevation without requiring an interactive password. Installation of the package for FlexNet Inventory Agent requires root level privileges.

Warning: The user name of the operating system account must not include a hash (#) character, as this causes a failure when attempting to upload the generated .ndi files to the application server.

When the FlexNet Inventory Agent has been deployed automatically through adoption, it must run as root for all its services on the local device.

On computers running Unix-like operating systems, manually executed processes should generally be run:

As root on computers where the FlexNet inventory agent is configured to run in default operation mode.
As the flxrasvc user where the FlexNet inventory agent is configured to run in least privilege operation mode.

The following security settings apply:

The /var/opt/managesoft directory is only accessible by root.
The /opt/managesoft/lib and /opt/managesoft/libexec folders are completely locked down to root only.
The /opt/managesoft/bin folder is open to all, to allow easy access to the path of the executables in the folder when using privilege escalation tools like sudo.
The executables in the /opt/managesoft/bin folder are locked down to root only.
The /opt/managesoft/documentation and /opt/managesoft/software tag folders are readable by all.

IT Asset Management (Cloud)

Current