The Community is now in read-only mode to prepare for the launch of the new Flexera Community. During this time, you will be unable to register, log in, or access customer resources. Click here for more information.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

license allocation based on AD groups

adrian_ritz1
By
Level 10

Hello Community,

Flexera in the latest release , have a new feature where you can create reports based on ad groups and allocate that report to a license.

https://docs.flexera.com/FlexNetManagerSuite2023R2/EN/Features/index.html#FeatureList/2023R1-3/RN-new-ADGrpObject.html

In the past we used powershell scripts to gather the users and the with business adaptor to allocate or deallocate the users.

The question is, do the new feature from Flexera work with nested groups? Because the customer have nested groups in AD, and this is a big problem.

Thank you for your support and I wish you a nice day.

(7) Replies

JohnSorensenDK
By Moderator Moderator
Moderator

@adrian_ritz1 

The allocation of users will take place based on them being direct members of the AD group. I.e., the functionality will not interrogate nested AD groups in this context. (I'm not sure if that fits your use cases in context of "...work with nested groups" or not...)

Thanks,

nrousseau1
By Level 10 Champion
Level 10 Champion

Hello Adrian,

I confirm What John say, Level 1 AD groups to users link have been used for the AD Group Object.

Going through nested groups was a nightmare performance. Another reason we did not reflect nested groups is that there is an option, group per group, to inherit rights from parent groups. Not sure how we can manage this.

I just checked... and we did not document this in the feature announcement https://docs.flexera.com/fnms/EN/Features/index.html#FeatureList/2023R1-3/RN-new-ADGrpObject.html

Apologies for this.

Best regards,

Nicolas

Nicolas Rousseau

nrousseau1_0-1712053176398.png

 

 

 

 

 

 

 

 

Nicolas Rousseau
Licensing Architect
https://www.nrsamconsulting.com

Hi Nicolas, 

it's really a great feature, but how about device license and allocation by reports?

Seeking for analogy, I would assume that I simply can create the device report, based on the security group in AD, but in the current config it seems to be impossible. When I select Inventory device object in the Report Builder, I cannot select AD Groups later on.

Is there anything we can do to overcome this problem? AD groups  *for devices* would be beneficiary for automated allocation and exemption.

Best regards,

Piotr

nrousseau1
By Level 10 Champion
Level 10 Champion

Hello @piotrmichnowski ,

That's true AD groups for devices have not been investigated. It would be good to open an idea on that. I just checked and the data is already stored in the FNMSCompliance tables and would have personally no issue creating the link between Inventory Device and AD Group as a reporting Object if you are on premise... I created the code for the user AD groups, this should be fast.

This will open to the possibility of Intelligent Allocations, Exemptions or Restrictions for devices using their AD Group (level 1) membership.

Happy to discuss this if you want by email nrousseau@nrsamconsulting.com.

Best regards,

Nicolas

Nicolas Rousseau
Licensing Architect
https://www.nrsamconsulting.com

piotrmichnowski
By
Level 3

My context is FlexeraONE.

I've created the workaround - device report which is referring (indirectly) to the security group.

Since in current setup the only possible relationship with AD Group is for user, I used the Calculated user as a proxy. Now the structure is as follows:

First object needs to be Inventory device, then:

  • calculated user
  • ... and here comes  AD group

Using this trick, I'm selecting machines to be automatically exempted from some licenses.

But definitely, the possibility of using the security groups directly, when the group members are computers and not users, whould make this story much easier - I'm eagerly waiting for such feature in FlexeraONE.


Best reagards,

P

nrousseau1
By Level 10 Champion
Level 10 Champion

Thanks @piotrmichnowski ,

I would have expected computers security groups to be different from user's one (but I have never administrated users and computers in AD). I am glad the (calculated) user's AD groups can be of use.

Thanks for sharing.

Nicolas Rousseau
Licensing Architect
https://www.nrsamconsulting.com

piotrmichnowski
By
Level 3

The idea should be pretty simple: in AD security group you may keep different objects, and sometimes it makes sense, but in essence we would like to keep:

  • user-related groups (e.g., to allocate the user-based licenses)
  • computer-related groups (to allocate device-based licenses, but also to  exempt the machines based on the membership )

Naturally, it's only quite simplified approach, but could be enough to automate allocation and exemption processes quite heavily.
Perhaps we simply need to create the feature request in FlexeraONE.

Best regards,

Piotr