User Blacklisting and User Statuses/Compliance

dbeckner
By Level 10 Champion

Does Flexera have any plans to add more UI support for User Blacklisting or updating a user's status?

Currently you can only blacklist based on AccountName, but there are use cases where you might blacklist based on other criteria e.g. DisplayName, Domain, or email. 

For user statuses it would be helpful to be able to set to inactive in bulk or to set the compliance status to "No" similar to how you can bulk Ignore inventory devices under the all inventory tab. I know you can change a user status using an adapter, but there are times it is simpler to do so in the UI.

 

TYA.

(1) Solution

I'm not aware of many requests to add additional user blocking like this, but you may wish to consider adding this in the Ideas section of the community. Select the Product > Ideas menu option to be taken to this section to be able to log your own ideas and vote on other people's ideas.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)


(12) Replies
mfranz
By Level 17 Champion

Hi,

We usually implement this in Business Imports. Are you running FNMS on premises?

Best regards,

Markward

@mfranz Yes we are using the on-prem version of FNMS. I understand that using a business adapter is a method for this, but it would be nice if there was something similar to the ability to ignore users like there is for inventory devices with the "ignore" button.

Agreed, that could be useful.

But then again, ideally FNMS would reflect what has been decided/done in the leading system. From my experience, FNMS should not be the leading system on users/accounts. Also I wouldn't recommend a manual process with 40k users. I would also think that reasons why users were disabled, etc. may need to be tracked, which is not exactly a strength of FNMS.

Definitely agree with you there. Thanks for your input.

@ChrisG @mfranz I've been researching into the Compliance Database for other ways to potentially blacklist users. I attached a screenshot of several stored procedures that reference user blacklisting. Have y'all implemented any business adapters or direct updates on the database that leverage these SPs?

I have a couple thousand accounts that are getting imported through the OOTB AD adapter and SCCM that are non-person entities and we want to set their compliance to "No" so they are not counted against license consumption for CALs and other licenses.

Just looking for some thoughts/discussion into whether you guys think this would be possible leveraging the stored procedures.

 

Hi Dan,

Most of these are just getter and setter functions, you could instead just access the actual data table.

I have rarely worked with the blacklist in the past, because it is a constant process updating it and false positives can be a pain. I prefer managing the actual data sources/data flow, more of a whitelist approach:

  • Prevent unfiltered/uncontrolled user data flow into FNMS

It depends on the data sources/technology used, what makes sense here. I usually disable the AD import via the Beacon (exemption: XenApp). I also *fix* inventory readers (like SCCM), to not import any users.

  • Build a single, structured, transparent, easy to follow user import, ideally including the whole user status lifecycle (create - update - disable - delete)

Typical filters would include specific organizational units (like not in "Admins"), missing/existing attributes (like must have an email address), useraccountcontrol (don't import users disabled in AD), etc.

Best regards,

Markward
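An added example, not part of the original post and not Flexera code: the three filters named above (organizational unit, required email address, the userAccountControl disabled bit) applied to AD records, followed by a comparison against already-imported accounts to produce create/update/disable lists. The `EXCLUDED_OUS` value, the `known` mapping and the sample records are constructed assumptions; the output is only a plan for a business import to consume.

```python
import re

ACCOUNTDISABLE = 0x0002      # userAccountControl bit set on disabled AD accounts
EXCLUDED_OUS = {"admins"}    # assumption: OU names kept out of the import

def ous_of(dn):
    """Lower-cased OU names in a DN; splits only on unescaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return {p.split("=", 1)[1].strip().lower()
            for p in parts if p.strip().upper().startswith("OU=")}

def rejection_reason(user):
    """Return None if the record passes the whitelist, else why it failed."""
    if ous_of(user["distinguishedName"]) & EXCLUDED_OUS:
        return "excluded OU"
    if not (user.get("mail") or "").strip():
        return "no email address"
    if int(user.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        return "disabled in AD"
    return None

def plan_lifecycle(ad_users, known):
    """known maps lower-cased account name -> 'active' or 'inactive'."""
    plan = {"create": [], "update": [], "disable": [], "rejected": {}}
    seen = set()
    for user in ad_users:
        name = user["sAMAccountName"].lower()
        reason = rejection_reason(user)
        if reason:
            plan["rejected"][name] = reason   # keep the reason for audit
            continue
        seen.add(name)
        plan["update" if name in known else "create"].append(name)
    # This example sets stale accounts inactive rather than deleting them.
    plan["disable"] = sorted(n for n, status in known.items()
                             if status == "active" and n not in seen)
    return plan

def _rec(name, dn, mail, uac=512):            # builds a constructed sample record
    return {"sAMAccountName": name, "distinguishedName": dn,
            "mail": mail, "userAccountControl": uac}

SAMPLE_AD = [                                  # constructed sample data
    _rec("jdoe", "CN=Doe\\, Jane,OU=Staff,DC=example,DC=com", "jdoe@example.com"),
    _rec("svc_backup", "CN=svc_backup,OU=Service,DC=example,DC=com", ""),
    _rec("adm_root", "CN=adm_root,OU=Admins,DC=example,DC=com", "adm@example.com"),
    _rec("bsmith", "CN=bsmith,OU=Staff,DC=example,DC=com", "bs@example.com", 514),
    _rec("akhan", "CN=akhan,OU=Staff,DC=example,DC=com", "ak@example.com"),
]
SAMPLE_KNOWN = {"jdoe": "active", "bsmith": "active", "svc_backup": "active",
                "gone": "active", "old": "inactive"}
```

Calling `plan_lifecycle(SAMPLE_AD, SAMPLE_KNOWN)` returns the four lists; the `rejected` map records why each non-person or disabled account was filtered, which covers the tracking concern raised earlier in the thread.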

@mfranz Since you disable the import on the beacon do you have a separate process for importing the Sites and Subnets?

I was considering disabling the SCCM user import. How do you create the calculated user at that point? Or do you still capture the last logged on user field?

When you perform the user deletion in your lifecycle - do you delete from ImportedUsers_MT and ComplianceUsers_MT or can you just delete from one? This is an interesting one we have considered as well. Perform a comparison during our import of which users still exist in AD vs what we have in FNMS and then delete the ones or set to inactive those that are no longer there.

Appreciate the discussion here. This is a major pain point across my customers.

LastLoggedOn & CalculatedUser are attributes of the ImportedComputer. As long as these values can be mapped to existing ComplianceUsers during the Writer, you're fine. Of course, SCCM might provide users you have purposefully not imported. That information is then lost in the process.

If you consequently manage users via business imports and completely shut off the inventory readers, there are no ImportedUsers to manage. I just delete from ComplianceUser.

An exemption might be M365 and such cloud stuff, but I usually can ignore the ImportedUsers in these cases.

Fantastic. I am definitely going to do some testing and see if this gives us more accuracy for users.

Do you not worry about Sites and Subnets coming from the AD Beacon import or do you import those another way?

It really depends on the use case.

  • For vCenter inventory, I usually just create a site and the required subnets manually and do updates as the customer infrastructure changes. Imo this is a manual process anyway, like if there's a new vCenter, there's little chance an automated discovery will find it (because firewalls and stuff).
  • I have a customer still scanning Oracle the "legacy" way. There's a mix of tnsnames.ora creation, import and updating subnets as needed.
  • At least one of our customers has business imports automatically creating sites and subnets. Not completely sure if they use it for software metering.

What do you use sites & subnet for currently?

That makes a lot of sense. We have always just used the Beacon AD Import because it was available in conjunction with the custom User adapter for mapping corporate units/cost centers. The OOTB AD import of course brought in the sites and subnets, but outside of remote execution which is typically just the vCenter inventory we have no use for that data in the tool since we are not using zero-footprint inventory or adoption.

It makes sense to just add the subnets needed for the beacon to gather the remote inventory when the need presents itself.

This has been a great discussion and I appreciate your information and insight. It is helpful to see how others operate to help me refine our process.