
FNMS Operators roles from AD Groups

Hi, can anybody share a scenario for managing FNMS operator roles by membership in AD groups?

Thx!

(5) Replies
ChrisG, Community Manager

The attached sample adapter could be used as a starting point for implementing a process such as the following with FlexNet On-Premises:

  1. Arrange to export relevant AD group membership information to a CSV file named C:\Temp\ADOperatorRoles.csv. This file should have the following columns: MemberName, Mail, RoleName (see the details in the adapter to understand which fields in FlexNet these columns map to).
  2. Run the adapter to import the role membership information from the CSV file.
(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

With PowerShell you can easily pull user objects from a group with:

Get-ADGroupMember -Identity <GroupName>

Add some filtering:

Get-ADGroupMember -Identity <GroupName> | Select-Object name,SamAccountName

And export it to CSV:

Get-ADGroupMember -Identity <GroupName> | Select-Object name,SamAccountName | Export-Csv <FileName> -NoTypeInformation
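
The export from step 1 above, built on the commands in this reply, as an added example that is not part of the original posts or of the Flexera adapter. The AD group names and role names are hypothetical placeholders, and writing SamAccountName into MemberName is an assumption to check against the adapter's field mapping.

```powershell
# Added example: build C:\Temp\ADOperatorRoles.csv (MemberName, Mail, RoleName)
# from AD group membership. Group and role names are hypothetical placeholders.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # a failed group lookup aborts instead of yielding a partial file

# AD group -> operator role name (constructed mapping; replace with your own).
$GroupToRole = [ordered]@{
    'FNMS-Operators-ReadOnly' = 'Read Only'
    'FNMS-Operators-Admin'    = 'Administrator'
}
$OutFile = 'C:\Temp\ADOperatorRoles.csv'

$rows = foreach ($group in $GroupToRole.Keys) {
    # -Recursive flattens nested groups; keep user objects only (no computers).
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.distinguishedName -Properties mail
            if (-not $user.Enabled) { return }   # skip disabled accounts
            [pscustomobject]@{
                MemberName = $user.SamAccountName   # assumption: verify against the adapter
                Mail       = $user.mail
                RoleName   = $GroupToRole[$group]
            }
        }
}

# An empty result usually means a lookup problem; keep the previous file in that case.
$rows = @($rows)
if ($rows.Count -eq 0) {
    throw "No enabled members found; not overwriting $OutFile."
}

# Members that would receive more than one role: list them for review.
$rows | Group-Object MemberName | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "$($_.Name) has roles: $($_.Group.RoleName -join ', ')" }

$rows | Sort-Object RoleName, MemberName |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Run it under an account that can read the listed groups, and restrict write access to the output folder, since whoever can edit the CSV can grant operator roles on the next import.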

On a related note: what is a good way to automatically remove operator access?

From what I know, there is an SP, GroupExDeleteGroupMembership, that should do it. Has anyone used it before in such a scenario?

I am already doing some automation for Named User licenses, based on AD groups. There it's safe to remove allocations directly from the allocations table with custom SQL, but Operator is slightly more complicated.

Hi Jan,

You could just go and disable the operator in the ComplianceOperator table by setting the "IsEnabled" flag to "0".

Or, if you want to completely remove them, you could use the stored procedures

  • ComplianceOperatorRemoveByID
  • ComplianceOperatorRemoveBatch

Because you are referring to group memberships, if you plan to change the operator scope/restriction, keep in mind that removing all business units / locations / cost centers will result in global access.

Best regards,

Markward

Hi,

Another option would be the implementation of single sign-on with SAML. This way you can grant access via the identity provider at group level (only if your IP supports authentication at group level).

More information about SAML can be found in FNMSSystemReference.pdf.

Stefan