Adopted: Accounts and Privileges

IT Asset Management (Cloud)
The complete FlexNet Inventory Agent deployed automatically through the inventory beacons has distinct security requirements for different phases, and across different platforms.
Platform requirements for deployment (adoption by inventory beacon) and operations:

Windows

Deployment: On the target device, a Microsoft service account with local administrator rights to allow for software installation. Optionally, this account may be any of:
  • A unique account for every target inventory device
  • An account known in common to a logical group of target devices
  • A domain administrator account that has installation rights on all target devices.
In each case, the account credentials must be saved in the Password Manager on the adopting inventory beacon. (The Password Manager allows for filtering credentials against a group of devices, for example by pattern matching against machine names.)
Tip: If you choose to use a highly privileged account, such as a domain administrator, you might also choose to remove it from the Password Manager when all target devices have been adopted. (If you choose this approach, it is best practice when removing the account to disable any targets that include a setting to adopt target devices, since adoption will fail without an appropriate privileged account.) You may also need to restore the account into the Password Manager to allow for future adoption of newly-added target devices.

Operations: FlexNet Inventory Agent runs as the local SYSTEM account.

UNIX-like platforms

Deployment: An account that allows sudo elevation without requiring an interactive password. Installation of the package for FlexNet Inventory Agent requires root level privileges.

Warning: The user name of the operating system account must not include a hash (#) character, as this causes a failure when attempting to upload the generated .ndi files to the application server.

Operations: When the FlexNet Inventory Agent has been deployed automatically through adoption, it must run as root for all its services on the local device.

The following security settings apply:

  • The /var/opt/managesoft directory is only accessible by root.
  • The /opt/managesoft/lib and /opt/managesoft/libexec folders are completely locked down to root only.
  • The /opt/managesoft/bin folder is open to all, to allow easy access to the path of the executables in the folder when using privilege escalation tools like sudo.
  • The executables in the /opt/managesoft/bin folder are locked down to root only.
  • The /opt/managesoft/documentation and /opt/managesoft/software tag folders are readable by all.
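
One way to verify these settings on an adopted UNIX-like device is the following audit function. It is an added example, not code supplied with the product. The function names, the optional path prefix and the mapping of "root only", "open to all" and "readable by all" onto permission bits are assumptions, and only the documentation folder is checked for the last bullet.

```shell
#!/bin/sh
# Added example: audit the permissions the list above describes.
# Usage: audit_managesoft [prefix] [owner_uid]
#   prefix    - assumption: optional directory prepended to each path, so a
#               copied tree or mounted image can be checked; empty = live system
#   owner_uid - numeric uid expected to own locked-down paths (0 = root)

# check <path> <rule> <owner_uid>: print a finding and return 1 on failure.
check() {
    c_path=$1 c_rule=$2 c_uid=$3
    c_info=$(ls -ldn "$c_path" 2>/dev/null) || { echo "MISSING $c_path"; return 1; }
    c_mode=$(printf '%s\n' "$c_info" | awk '{print $1}')   # e.g. drwx------
    c_owner=$(printf '%s\n' "$c_info" | awk '{print $3}')  # numeric uid (-n)
    case $c_rule in
        # owned by the expected uid, with no group/other permission bits
        root_only) [ "$c_owner" = "$c_uid" ] &&
                   [ "$(printf '%s' "$c_mode" | cut -c5-10)" = "------" ] ;;
        # "open to all": others can traverse the directory (x, or t if sticky)
        open)      case $(printf '%s' "$c_mode" | cut -c10) in
                       x|t) true ;; *) false ;; esac ;;
        # "readable by all": the other-read bit is set
        readable)  [ "$(printf '%s' "$c_mode" | cut -c8)" = "r" ] ;;
        *)         false ;;
    esac || { echo "FAIL $c_rule $c_mode uid=$c_owner $c_path"; return 1; }
}

audit_managesoft() {
    a_prefix=${1:-} a_uid=${2:-0} a_rc=0
    for a_dir in /var/opt/managesoft /opt/managesoft/lib /opt/managesoft/libexec; do
        check "$a_prefix$a_dir" root_only "$a_uid" || a_rc=1
    done
    check "$a_prefix/opt/managesoft/bin" open "$a_uid" || a_rc=1
    # Every regular file in bin must itself be locked down to root.
    for a_file in "$a_prefix"/opt/managesoft/bin/*; do
        if [ -f "$a_file" ]; then
            check "$a_file" root_only "$a_uid" || a_rc=1
        fi
    done
    check "$a_prefix/opt/managesoft/documentation" readable "$a_uid" || a_rc=1
    return $a_rc
}
```

Calling `audit_managesoft` with no arguments checks the live paths against uid 0; it prints one `FAIL` or `MISSING` line per deviation and returns non-zero if any were found.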
