IT Asset Management (Cloud)
Note: This process registers accounts in IT Asset Management so that they may be
assigned to roles that control their access and privileges.
IT Asset Management supports the following types of accounts:
- Interactive account: An account that enables an operator to log into
  IT Asset Management and use its features. To access any part of the
  product, an operator account must be enabled and assigned to one (or more)
  role(s). An enterprise typically has several interactive operator
  accounts.
  Tip: Operators may log into interactive accounts using either:
  - Your chosen identity provider, such as Okta, if your enterprise has
    implemented single sign-on with a SAML 2.0-compliant tool (for more about
    configuring single sign-on, see the Authentication chapter in the
    IT Asset Management System Reference PDF, available at https://docs.flexera.com/)
  - An interface managed through Flexera Account Management.
  Individual operator accounts may be configured with either method,
  so that you can mix and match the security methods to suit your needs.
- Service account: Enables access to IT Asset Management through
  the web API service. An enterprise typically needs one service account. To
  access IT Asset Management through a web API service, you must have:
  - A license for the API Integration option: Go to the IT Assets License page and
    look for the value of the FNMP API Integration enabled option. The value
    Yes indicates that you have this license.
  - A service account: Required to access IT Asset Management through its web
    API interface. A service account is assigned to the Web Service role. You
    cannot log in to the IT Asset Management web interface with a service
    account (that is, it is not an interactive account).
To create an account:
1. Log in to IT Asset Management as an operator with administrator privileges.
2. Go to the IT Asset Accounts page.
   The All Accounts tab displays.
3. Click Create an account.
   The result depends on your system's configuration. Where more than one kind of
   account is possible, a drop-down appears:
   - If your enterprise has not implemented single sign-on with a SAML
     2.0-compliant tool, the drop-down includes a choice for Interactive
     account. Clicking this choice opens a Flexera Account Management page in a
     separate browser tab.
   - If your enterprise does have a single sign-on solution, the drop-down
     includes two choices:
     - The Interactive SAML account (using your chosen identity provider).
       Clicking this choice opens the Account Properties page.
     - The Interactive Flexera Account (using Flexera Account Management).
       Clicking this choice opens a Flexera Account Management page in a
       separate browser tab.
     You may choose either option, as best suits the particular account
     you are creating.
   - If your enterprise has licensed the API Integration (as described
     above), another option for Service account is included. Clicking this
     choice opens a Flexera Account Management page in a separate browser tab.
   With neither a SAML implementation nor API integration, only one choice for
   a Flexera interactive account is possible, so there is no drop-down. In this
   case, clicking the button opens a Flexera Account Management page in a
   separate browser tab.
Here is the same information summarized in tabular form:

| SAML | API | Drop-down option | Leads to | See |
|---|---|---|---|---|
| No | Yes | Interactive account | Flexera Account Management page in a separate browser tab | Step 4 |
| Yes | Either | Interactive SAML account | Account Properties | Step 5 |
| Yes | Either | Interactive Flexera Account | Flexera Account Management page in a separate browser tab | Step 4 |
| Either | Yes | Service account | Flexera Account Management page in a separate browser tab | Step 4 |
| No | No | No drop-down options; click the button. | Flexera Account Management page in a separate browser tab | Step 4 |
4. If you have been directed to the Flexera Account Management page:
   - Enter the account details.
     An asterisk (*) indicates a mandatory field.
   - If this account is for an operator who should have administrator
     privileges, select the Account Administration check box.
     With this setting, when you save the account details, the operator
     account is created in IT Asset Management and automatically
     assigned to the Administrator role. Other
     operators (non-administrators) are not automatically assigned to any
     role, and therefore cannot log into IT Asset Management until an
     administrator assigns at least one role to their account. A service
     account is automatically assigned to the Web Service role.
   - Click Save.
     An account is created within Flexera Account Management, and the
     account details are automatically passed back to IT Asset Management
     and added to the list of accounts. For operator accounts, you may
     select this account in the listing, and further adjust the roles
     assigned to it as required.
5. If you have been directed to the Account Properties page
   (registering an interactive account to be used with your SAML-compliant identity
   provider):
   - In the Account text field, enter the operator's email address recognized
     by both your identity provider and IT Asset Management for this account.
     Enter these details with care, as once they are saved they cannot be
     altered, and the account cannot be deleted from IT Asset Management
     (it can only be disabled). Notice that this property is the identifier
     asserted by your identity provider to IT Asset Management, which, for
     typical identity providers, may be independent of the login method you
     prescribe for your operators using single sign-on accounts. For example,
     an operator could log in to Okta with an employee number, and Okta would
     then assert the operator's email address to identify the operator to
     IT Asset Management.
     Tip: If you are migrating existing accounts to your SAML identity
     provider, it is best practice wherever possible to enter the same Account
     value (which, in IT Asset Management 2024 R2, must be an email address).
     This allows the SAML identity provider to link with and reuse the existing
     account within IT Asset Management, so that you are not left
     with a number of 'orphaned' accounts in IT Asset Management
     that are no longer in use but cannot be deleted.
   - Optionally, enter the Name, Email, and Job title
     to clearly identify this operator within IT Asset Management.
   - If everything is in order for this operator to start work, ensure that
     the Status value is Enabled.
   - Select a role for this account from the Role drop-down list.
     You must select a role to enable the account to use IT Asset Management.
     A service account is assigned to the Web Service role. A human operator may
     be assigned to multiple roles, and then has access to the set of all
     privileges provided by all those roles. If one assigned role allows a
     privilege, and another assigned role has a Deny setting for the same
     privilege, the denial wins. To add additional roles for this operator,
     click the + icon beside the field.
   - Click Save.
     The account is saved in the IT Asset Management compliance database.
     However, there is no communication of these details to your SAML
     identity provider. You must set up the account in your identity provider
     in the usual way, being very careful to enter exactly the same details as
     you provided for the Account field. Once the operator logs in
     through your identity provider, the identity provider and
     the service provider (IT Asset Management) are fully synchronized
     for this account.
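A reconciliation check for the exact-match requirement above, as an added example that is not part of the product or its documentation: it compares the Account values registered in IT Asset Management with the identifiers your identity provider asserts. The record layout, the sample accounts and the "Asset Editor" role name are constructed; this page does not say whether the product ignores case or whitespace, so any such difference is reported for review rather than treated as a match.

```python
# Added illustration, not product code. Both inputs are constructed samples and
# the record layout is hypothetical: a hand-made copy of the All Accounts
# listing, and the identifiers the identity provider asserts.
import unicodedata

ITAM_ACCOUNTS = [
    {"login": "a.ng@example.com", "status": "Enabled", "roles": ["Administrator"]},
    {"login": "B.Ortiz@example.com", "status": "Enabled", "roles": ["Asset Editor"]},
    {"login": "c.diaz@example.com", "status": "Enabled", "roles": []},
    {"login": "d.khan@example.com", "status": "Enabled", "roles": ["Asset Editor"]},
    {"login": "e.roy@example.com", "status": "Disabled", "roles": ["Asset Editor"]},
]
IDP_ASSERTED = ["a.ng@example.com", "b.ortiz@example.com",
                "c.diaz@example.com", "f.li@example.com"]


def fold(value):
    """Loose form used only to spot near-misses; a match still has to be exact."""
    return unicodedata.normalize("NFKC", value).strip().casefold()


def reconcile(itam_accounts, idp_identifiers):
    idp_exact = set(idp_identifiers)
    idp_folded = {fold(i): i for i in idp_identifiers}
    report = {k: [] for k in ("ok", "near_miss", "no_role", "not_in_idp", "not_in_itam")}
    known = set()
    for acct in itam_accounts:
        login = acct["login"]
        known.add(fold(login))
        if acct["status"] != "Enabled":
            continue  # already disabled, nothing left to reconcile
        if login in idp_exact:
            # Matched, but an account without a role still cannot use the product.
            report["ok" if acct["roles"] else "no_role"].append(login)
        elif fold(login) in idp_folded:
            # Differs only by case or whitespace from what the IdP asserts.
            report["near_miss"].append((login, idp_folded[fold(login)]))
        else:
            # Accounts cannot be deleted, so these are candidates to disable.
            report["not_in_idp"].append(login)
    report["not_in_itam"] = [i for i in idp_identifiers if fold(i) not in known]
    return report


if __name__ == "__main__":
    for finding, items in reconcile(ITAM_ACCOUNTS, IDP_ASSERTED).items():
        print(f"{finding}: {items}")
```

Because a saved Account value cannot be altered, a near miss has to be resolved on the identity provider side or by registering a new account and disabling the old one.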
Tip: In the All Accounts listing, the column showing the Account values is labeled Login.
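The role-combination rule from step 5 (privileges from all assigned roles are merged, and a Deny in any role wins), worked through as an added example that is not product code. The role names "Asset Editor" and "Contractor Limits" and all privilege names are constructed for illustration.

```python
# Added illustration, not product code. Role and privilege names are constructed.
from dataclasses import dataclass, field

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Role:
    name: str
    # privilege -> ALLOW or DENY; privileges the role does not set are absent
    settings: dict = field(default_factory=dict)


def effective_privileges(roles):
    """Combine roles as described above: the union of everything any role
    allows, minus every privilege that any role sets to Deny."""
    seen = {}
    for role in roles:
        for privilege, setting in role.settings.items():
            entry = seen.setdefault(privilege, {"allowed_by": [], "denied_by": []})
            entry["denied_by" if setting == DENY else "allowed_by"].append(role.name)
    return {
        privilege: {"granted": bool(e["allowed_by"]) and not e["denied_by"], **e}
        for privilege, e in seen.items()
    }


def conflicts(roles):
    """Privileges one role allows and another denies; the Deny wins, so these
    are the assignments worth reviewing after adding a role."""
    return sorted(p for p, e in effective_privileges(roles).items()
                  if e["allowed_by"] and e["denied_by"])


def can_use_product(enabled, roles):
    """An account must be Enabled and hold at least one role to get access."""
    return bool(enabled) and len(roles) > 0


# Constructed roles for one human operator
ASSET_EDITOR = Role("Asset Editor", {"edit_assets": ALLOW, "view_licenses": ALLOW})
CONTRACTOR = Role("Contractor Limits", {"view_licenses": DENY, "view_reports": ALLOW})

if __name__ == "__main__":
    for privilege, e in effective_privileges([ASSET_EDITOR, CONTRACTOR]).items():
        print(privilege, "granted" if e["granted"] else "denied", e)
    print("needs review:", conflicts([ASSET_EDITOR, CONTRACTOR]))
```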