User information in FNMS

rwiltshire asked a question.

May 8, 2020 at 5:20 PM

Looking for some input from the community regarding fnms user info.

Currently, our user information is sourced from the out of box AD connection. The oob connection populates minimal information and also creates a user for any/all AD accounts.

Questions:

1. Does FNMS need a user for every AD account? Service accounts, administrative accounts? Our company has regular user and administrative accounts for several employees (multiple ad accounts for single user).

2. Is it best practice to keep the oob AD user information? Or build custom business adapter to employee HR database?

FlexNet Manager Suite On-Premises

Top Rated Answers

0_erwinlindemann
6 years ago
Hi Rob,
FNMS does not need a user for service accounts or administrative accounts. For eliminating at least some of these administrative accounts, the list of users imported from Active Directory is filtered by an "Exclusion list". This will eliminate standard Windows users like 'ASPNET', 'IUSR_%' etc before creation of users in FNMS.
You can view the standard exclusion list from the FNMS Web UI under "Admin (cogs) > System Settings > Users". In case you have access to the [FNMSCompliance] database, you can modify and extend this list using the [UserNameBlacklist] table.
And yes, it is best practice to use the OOTB Active Directory user information. For adding additional user attributes, a business adapter should be used.
There is some documentation on building such a business adapter in the "Business_Adapter_Practice_Guide" available from the Learning Center. In addition to the latest 4.0 version of this document, I find the previous 2.0 version (see attachment) helpful, too.

Expand Post
Selected as Best

All Answers

0_erwinlindemann
6 years ago
Hi Rob,
FNMS does not need a user for service accounts or administrative accounts. For eliminating at least some of these administrative accounts, the list of users imported from Active Directory is filtered by an "Exclusion list". This will eliminate standard Windows users like 'ASPNET', 'IUSR_%' etc before creation of users in FNMS.
You can view the standard exclusion list from the FNMS Web UI under "Admin (cogs) > System Settings > Users". In case you have access to the [FNMSCompliance] database, you can modify and extend this list using the [UserNameBlacklist] table.
And yes, it is best practice to use the OOTB Active Directory user information. For adding additional user attributes, a business adapter should be used.
There is some documentation on building such a business adapter in the "Business_Adapter_Practice_Guide" available from the Learning Center. In addition to the latest 4.0 version of this document, I find the previous 2.0 version (see attachment) helpful, too.

Expand Post
Selected as Best
- rwiltshire
  6 years ago
  Thanks for the reply.
  I am looking at filtering out accounts not needed and enriching the user records with information from our HR database.
  
  Why is it best practice to use AD for the base record vs an HR database?
  
  Thanks again.
  Expand Post
  - ChrisG (Flexera Software)
    6 years ago
    @rwiltshire - that is a great question!
    The concept of a "user" in FlexNet Manager Suite more closely and naturally matches the concept of a "user" in Active Directory (i.e. a login account) than a "person" in an HR database. Another way to think of it is that FlexNet Manager Suite user records primarily correspond to accounts used for logging on to or accessing systems, O365 accounts, etc. Each person in an HR database will often have multiple accounts (such as across AD domains, or even within a single domain). In a mature and comprehensive reflection of this there would often be multiple user records in FlexNet Manager Suite (representing their multiple accounts) for the one person. There will also be accounts used on systems (and therefore user records in FlexNet Manager Suite and Active Directory) which do not directly map to a single unique person.
    So on this basis, AD is typically used as a primary source for identifying users. Information from an HR database is often used to augment those records by setting additional properties on them, but HR databases do not typically provide a list of accounts that each person has.
    Hope that makes sense!
    Expand Post
    rwiltshire
    6 years ago
    That is a great reply Chris.
    
    Thank you very much for the clarity.
    Expand Post