Managing Operators
- Creating credentials (or identities) for the operators in both IT Asset Management and your current identity provider, whether that be your SAML single sign-on solution or Flexera Account Management (or possibly both if you are in a mixed mode).
- Assigning each operator to the appropriate role. In IT Asset Management, access and privileges are controlled by the Role(s) assigned to an operator. Without a role, an operator cannot view any pages of IT Asset Management, even though a valid identity may be used. Role assignment can only be performed by an administrator (that is, an operator who is already assigned to the Administrator role).
A further minor task is to manage the expectations of operators who use Flexera Account Management if you modify the Timeout period setting on the Security tab of the IT Asset Management Settings General page.
Creating an operator
- As an existing administrator in IT Asset Management, you can create the local account manually. In the Account field on the Create an Account page in IT Asset Management, enter the operator's email address. (This differs from the use of Windows Authentication, where you can select the account name from a drop-down list, imported from Active Directory.)
- If you are using Flexera Account Management, this is the value that the operator uses to log in.
- If you are using a SAML-compliant single sign-on identity provider (such as Okta), this is the account identity that is passed from your identity provider to IT Asset Management (the service provider) in the identity assertion. This is independent of the user name with which the operator logs into the identity provider.
Tip: If you are planning to migrate identity management from Flexera Account Management to your single sign-on solution, it is very helpful if you can use the same Account value for both identity providers (which must be the operator's email address). This makes it possible to link either identity provider to the same account within IT Asset Management. As a result, you avoid a build-up of disabled accounts that can never be deleted from IT Asset Management.
- You can have the new operator try to log in. When the first attempt is made to log into IT Asset Management with an identity newly registered in the single sign-on solution, the matching local account is automatically created in IT Asset Management.
Important: While the local account is automatically created, no roles are assigned to it. As a result, the operator receives a Sign In Failure message on this first login attempt (a secure outcome). To permit access, an administrator needs to add the appropriate role(s) for each new operator. For this reason, if you as administrator want to use this labor-saving approach, it is best done in collaboration with each of the new operators, so that they are not confused by the deliberate failure that, for security reasons, persists until roles are assigned.
Ensuring administrator access
We have seen that operators must be assigned to roles before having access to IT Asset Management; and we have also noted that role assignment can only be performed by an administrator. When you are using your SAML-compliant, single sign-on solution, this could produce a chicken-and-egg situation, where no one can log in to make anyone an administrator.
The solution is that an administrator account (an operator who is assigned to the Administrator role) can be automatically created by an assertion from the SAML identity provider. The Administrator role is the only role that can be automatically assigned as a result of assertion by the identity provider.
To create an administrator automatically, arrange for your identity provider to include, in the appropriate identity assertion, a custom property called FnmsAdmin. This custom assertion needs to return a Boolean value (either true or false) to indicate whether the user is to be assigned to the Administrator role in IT Asset Management.
Attribute | Value |
---|---|
Name | FnmsAdmin |
Name format (optional) | Basic |
Value | isMemberOfGroupName("Administrators") |

Tip: The function name in the Value expression is case-sensitive.
When the FnmsAdmin property is configured in your identity provider, it is passed to IT Asset Management, including on the first login attempt for a new identity. As seen in the previous section, the first login attempt with the new identity creates the matching local account in IT Asset Management. When the assertion says FnmsAdmin is true, the assignment to the Administrator role is made automatically, and the initial login attempt succeeds. (Contrast this with the earlier comments that non-administrator operators see a sign-in failure until they have been assigned to one or more roles.)
Impact of session timeout
- Log in using Flexera Account Management accounts
- Log in using a SAML-2.0-compliant single sign-on solution (such as Okta), but that identity provider does not return the optional SessionNotOnOrAfter attribute within its assertion (that is, the identity provider does not return any timeout information).
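The service-provider side of what this section and the preceding FnmsAdmin section describe, as an added Python example that is not Flexera's code: it parses a constructed, unsigned SAML 2.0 assertion, grants the Administrator role on first login only when an attribute named exactly FnmsAdmin carries the value true (a differently cased name, any other value, or no attribute at all leaves the new account with no role, so the sign-in fails until an administrator assigns one), and takes the session expiry from SessionNotOnOrAfter when the identity provider returns it, otherwise from a configured Timeout period. The assertion layout, the 30-minute timeout and the login time are assumptions; signature validation and the rest of SAML processing are omitted.

```python
"""Illustrative service-provider handling of a SAML 2.0 assertion (not Flexera's
implementation): role decision from the FnmsAdmin attribute on first login, and
session expiry from SessionNotOnOrAfter with a configured timeout as fallback."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ADMIN_ATTRIBUTE = "FnmsAdmin"          # matched exactly; case matters
ADMINISTRATOR_ROLE = "Administrator"   # the only role that may be auto-assigned

# Assumed values for the example: the service's own Timeout period setting and
# the moment the login happens.
CONFIGURED_TIMEOUT = timedelta(minutes=30)
LOGIN_TIME = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)


def build_assertion(subject, fnms_admin=None, attr_name=ADMIN_ATTRIBUTE,
                    session_not_on_or_after=None):
    """Return a constructed, minimal, unsigned assertion for the example.
    A real assertion is signed and also carries Issuer, Conditions, etc."""
    session = (f' SessionNotOnOrAfter="{session_not_on_or_after}"'
               if session_not_on_or_after else "")
    attrs = ""
    if fnms_admin is not None:
        attrs = (f'<saml:Attribute Name="{attr_name}" '
                 'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
                 f"<saml:AttributeValue>{fnms_admin}</saml:AttributeValue>"
                 "</saml:Attribute>")
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Subject><saml:NameID "
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{subject}</saml:NameID></saml:Subject>"
        f'<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"{session}/>'
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def attribute_values(root, name):
    """Values of the attribute whose Name equals `name` exactly (case-sensitive)."""
    return [
        (v.text or "").strip()
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)
        if attr.get("Name") == name
        for v in attr.findall("saml:AttributeValue", SAML_NS)
    ]


def admin_asserted(root):
    """True only when FnmsAdmin is present exactly once with the Boolean true.
    Absent, empty, false or anything unexpected is treated as false (fail closed)."""
    values = attribute_values(root, ADMIN_ATTRIBUTE)
    return len(values) == 1 and values[0].lower() == "true"


def first_login(assertion_xml):
    """Simulate the first login of an identity not yet known to the service.
    The local account is created either way; with no role the sign-in fails
    until an administrator assigns one. Returns (account, roles, outcome)."""
    root = ET.fromstring(assertion_xml)
    account = root.findtext("saml:Subject/saml:NameID", default="",
                            namespaces=SAML_NS).strip()
    roles = [ADMINISTRATOR_ROLE] if admin_asserted(root) else []
    outcome = "success" if roles else "Sign In Failure"
    return account, roles, outcome


def session_expiry(assertion_xml, now=LOGIN_TIME, configured_timeout=CONFIGURED_TIMEOUT):
    """SessionNotOnOrAfter from the AuthnStatement wins when present; otherwise the
    service's own Timeout period applies (the case described for identity
    providers that return no timeout information)."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    value = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    if value:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return now + configured_timeout


if __name__ == "__main__":
    cases = {
        "admin, idp timeout": build_assertion("jane.doe@example.com", "true",
                                              session_not_on_or_after="2024-01-01T08:00:00Z"),
        "explicit false": build_assertion("bob@example.com", "false"),
        "attribute missing": build_assertion("carol@example.com"),
        "wrong case name": build_assertion("dan@example.com", "true", attr_name="fnmsadmin"),
    }
    for label, xml in cases.items():
        print(label, first_login(xml), session_expiry(xml).isoformat())
```

Running the block prints one line per constructed case; only the first grants the Administrator role and uses the identity provider's expiry, while the others get no role (and therefore a Sign In Failure) and fall back to the configured 30-minute timeout.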