Does Flexera have any plans to add more UI support for User Blacklisting or updating a user's status?
Currently you can only blacklist based on AccountName, but there are use cases where you might blacklist based on other criteria e.g. DisplayName, Domain, or email.
For user statuses it would be helpful to be able to set to inactive in bulk or to set the compliance status to "No" similar to how you can bulk Ignore inventory devices under the all inventory tab. I know you can change a user status using an adapter, but there are times it is simpler to do so in the UI.
TYA.
‎Apr 26, 2021 10:47 AM
I'm not aware of many requests to add additional user blocking like this, but you may wish to consider adding this in the Ideas section of the community. Select the Product > Ideas menu option to be taken to this section to be able to log your own ideas and vote on other people's ideas.
‎Apr 27, 2021 11:36 PM
Hi,
We usually implement this in Business Imports. Are you running FNMS on premises?
Best regards,
Markward
‎Apr 27, 2021 01:13 AM
@mfranz Yes we are using the on-prem version of FNMS. I understand that using a business adapter is a method for this, but it would be nice if there was something similar to the ability to ignore users like there is for inventory devices with the "ignore" button.
‎Apr 27, 2021 08:38 AM
Agreed, that could be useful.
But then again, ideally FNMS would reflect what has been decided/done in the leading system. From my experience, FNMS should not be the leading system on users/accounts. Also I wouldn't recommend a manual process with 40k users. I would also think that reasons why users were disabled, etc. may need to be tracked, which is not exactly a strength of FNMS.
‎Apr 27, 2021 08:46 AM
Definitely agree with you there. Thanks for your input.
‎Apr 27, 2021 08:55 AM
@ChrisG @mfranz I've been researching the Compliance Database for other ways to potentially blacklist users. I attached a screenshot of several stored procedures that reference user blacklisting. Have y'all implemented any business adapters or direct updates on the database that leverage these SPs?
I have a couple thousand accounts that are getting imported through the OOTB AD adapter and SCCM that are non-person entities and we want to set their compliance to "No" so they are not counted against license consumption for CALs and other licenses.
Just looking for some thoughts/discussion into whether you guys think this would be possible leveraging the stored procedures.
‎Jan 21, 2022 09:14 AM
Hi Dan,
Most of these are just getter and setter functions, you could instead just access the actual data table.
I have rarely worked with the blacklist in the past, because it is a constant process updating it and false positives can be a pain. I prefer managing the actual data sources/data flow, more of a whitelist approach:
It depends on the data sources/technology used, what makes sense here. I usually disable the AD import via the Beacon (exemption: XenApp). I also *fix* inventory readers (like SCCM), to not import any users.
Typical filters would include specific organizational units (like not in "Admins"), missing/existing attributes (like must have an email address), useraccountcontrol (don't import users disabled in AD), etc.
Best regards,
Markward
‎Jan 21, 2022 10:27 AM
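The filters listed in the reply above (OU exclusion, required email attribute, skipping accounts disabled in AD), applied to exported AD user records as an added example; it is not part of the original thread and not Flexera code. The record layout, the `EXCLUDED_OUS` set and the sample users are assumptions constructed for illustration; the attribute names are the standard AD ones.

```python
import re

ACCOUNTDISABLE = 0x0002      # userAccountControl bit: account disabled
EXCLUDED_OUS = {"admins"}    # assumption: OU names to keep out of the import

# The two attribute checks as an LDAP filter, for sources that accept one.
# The OID is the AD bitwise-AND matching rule.
LDAP_FILTER = ("(&(objectCategory=person)(objectClass=user)(mail=*)"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

def ou_names(dn):
    """Lower-cased OU components of a DN, honouring escaped commas."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return [p[3:].lower() for p in parts if p.upper().startswith("OU=")]

def rejection_reason(user):
    """Return None if the record passes every filter, else the first reason."""
    if EXCLUDED_OUS.intersection(ou_names(user["distinguishedName"])):
        return "excluded OU"
    if not (user.get("mail") or "").strip():
        return "no mail attribute"
    if int(user["userAccountControl"]) & ACCOUNTDISABLE:
        return "disabled in AD"
    return None

def select_importable(users):
    """Split records into accepted account names and rejected name -> reason."""
    accepted, rejected = [], {}
    for u in users:
        reason = rejection_reason(u)
        if reason is None:
            accepted.append(u["sAMAccountName"])
        else:
            rejected[u["sAMAccountName"]] = reason
    return accepted, rejected

# Constructed sample records (not real data).
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "userAccountControl": 512,
     "distinguishedName": "CN=Doe\\, Jane,OU=Staff,DC=example,DC=com"},
    {"sAMAccountName": "adm-jdoe", "mail": "jdoe@example.com", "userAccountControl": 512,
     "distinguishedName": "CN=adm-jdoe,OU=Admins,DC=example,DC=com"},
    {"sAMAccountName": "svc-backup", "mail": None, "userAccountControl": 66048,
     "distinguishedName": "CN=svc-backup,OU=Service,DC=example,DC=com"},
    {"sAMAccountName": "old.user", "mail": "old.user@example.com", "userAccountControl": "514",
     "distinguishedName": "CN=old.user,OU=Staff,DC=example,DC=com"},
]

if __name__ == "__main__":
    print(select_importable(SAMPLE_USERS))
```

Keeping the rejection reason per account gives a record of why each non-person or disabled entry was left out, which the thread notes FNMS itself does not track well.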
@mfranz Since you disable the import on the beacon do you have a separate process for importing the Sites and Subnets?
I was considering disabling the SCCM user import. How do you create the calculated user at that point? Or do you still capture the last logged on user field?
When you perform the user deletion in your lifecycle - do you delete from ImportedUsers_MT and ComplianceUsers_MT or can you just delete from one? This is an interesting one we have considered as well. Perform a comparison during our import of which users still exist in AD vs what we have in FNMS and then delete the ones, or set to inactive those, that are no longer there.
Appreciate the discussion here. This is a major pain point across my customers.
‎Jan 21, 2022 10:32 AM
LastLoggedOn & CalculatedUser are attributes of the ImportedComputer. As long as these values can be mapped to existing ComplianceUsers during the Writer, you're fine. Of course, SCCM might provide users you have purposefully not imported. That information is then lost in the process.
If you consequently manage users via business imports and completely shut off the inventory readers, there are no ImportedUsers to manage. I just delete from ComplianceUser.
An exemption might be M365 and such cloud stuff, but I usually can ignore the ImportedUsers in these cases.
‎Jan 21, 2022 10:42 AM
Fantastic. I am definitely going to do some testing and see if this gives us more accuracy for users.
Do you not worry about Sites and Subnets coming from the AD Beacon import or do you import those another way?
‎Jan 21, 2022 10:44 AM
It really depends on the use case.
What do you use sites & subnet for currently?
‎Jan 21, 2022 01:10 PM
That makes a lot of sense. We have always just used the Beacon AD Import because it was available in conjunction with the custom User adapter for mapping corporate units/cost centers. The OOTB AD import of course brought in the sites and subnets, but outside of remote execution, which is typically just the vCenter inventory, we have no use for that data in the tool since we are not using zero-footprint inventory or adoption.
It makes sense to just add the subnets needed for the beacon to gather the remote inventory when the need presents itself.
This has been a great discussion and I appreciate your information and insight. It is helpful to see how others operate to help me refine our process.
‎Jan 25, 2022 07:25 AM