Skip to main content

April 2021

Flexera One introduced the following new features and enhancements this month.

Automation

Flexera One added the following Automation feature in April 2021.

New Azure cost policies added to Flexera policies

note

This feature is available with Automation (Policies).

Flexera provides a wide variety of policies that you can apply on Day 1 without much investment. All our policies are open source and can be found in our public git repo. Three new Azure Cost Policies were added to Flexera’s List of Policies. For details, refer to the table below.

Cost Policy NameDescription
Azure Hybrid Use Benefit for Linux Server Identifies Linux instances eligible for Azure Hybrid Use Benefit.
Azure Hybrid Use Benefit for SQL Identifies SQL instances eligible for Azure Hybrid Use Benefit.
Azure MCA Reserved Instances Recommendations Sends email notifications when Azure RI Recommendations are identified for MCA customers.Note:These RI Purchase Recommendations are generated by Microsoft Azure.

Flexera One safelist URLs and endpoints

Flexera One added the following enhancement in April 2021.

OKTA domain added

note

This enhancement is listed as part of the Flexera One Safelist URLs and Endpoints.

The OKTA domain *.oktacdn.com was added under the OKTA component listing of the Flexera One Safelist URLs and Endpoints. The *.oktacdn.com domain is used to load scripts and assets on secure.flexera.com and secure.flexera.eu.

IT Asset Management

IT Asset Management added the following new features and enhancement in April 2021.

Microsoft Azure Hybrid benefit allows Bring Your Own License for cloud solution providers

note

This feature is available with IT Asset Management.

IT Asset Management now provides bring-your-own license management for Microsoft Windows Server (Datacenter and Standard editions) and Microsoft SQL Server (Enterprise and Standard editions) under Azure Hybrid Benefit / License Mobility for IaaS installations hosted by cloud service providers.

The Azure Hybrid Benefit (AHB) use rights on Microsoft Server Core and Microsoft Server/Management Core license types grant limited rights to either transfer licenses purchased for on-premises implementations to installations hosted by your cloud service provider; or to reuse those on-premises entitlements simultaneously in the cloud. The rights vary by product (Microsoft Windows Server or Microsoft SQL Server), by edition (Datacenter/Enterprise or Standard), by which cloud service provider (Azure, or other approved providers), and even by the SKU used for purchasing. In all cases, your existing license entitlements must be covered by active Software Assurance to be eligible for these bring your own license (BYOL) rights.

Here is a summary of the IaaS rights, assuming coverage by active Software Assurance on your existing on-premises licenses:

ProductEditionCSPRights
Windows ServerDatacenterAzureSimultaneous use for installations on-premises and Azure public cloud at no additional cost.
StandardAzureA license may be used either on-premises or transferred to the cloud installation.
SQL ServerEnterprise or StandardAzureA license may be used either on-premises or transferred to the cloud installation. To facilitate migration, for a 180-day grace period only, the license may cover installations both on-premises and in the cloud. For every 1 core entitlement on-premises, you get 1 vCore in the cloud, with each VM requiring at least 4 SQL Server core license entitlements assigned.
Enterprise or StandardAny approvedAn on-premises license may be reassigned to the cloud installation (license mobility). For every 1 core entitlement on-premises, you get 1 vCore in the cloud, with each VM requiring at least 4 SQL Server core license entitlements assigned.

The license management enhancements apply only to the Microsoft Server/Management Core and Server Core license types.

Microsoft Server/Management core license type

  • On the Use rights & rules tab of license properties, a new section has been added for Consumption settings for Microsoft Azure.
  • On the Consumption tab of license properties. a new AHB consumed column shows entitlements consumed by Azure instances, and allows comparison with on-premises consumption in the existing Consumed column.

Microsoft Server core license type

  • On the Use rights & rules tab of license properties, a new section has been added for Consumption settings for cloud service providers.
  • Extended existing point rule SQL Server 2016 to cover license mobility for Standard Edition (on-premises) to Standard Edition (cloud)
  • SQL Server 2016's Standard Edition existing point rule that covers license mobility is now available in IT Asset Management.
  • Added a new point rules set SQL Server 2016 Enterprise covering:
    • License Mobility - Enterprise Edition to Enterprise Edition
    • License Mobility - Enterprise Edition to Standard Edition.

Cloud Service Provider Inventory Page has two new columns

  • Windows server AHB identifies whether the license model for each installation is Bring your Own License (BYOL) or Pay As You Go (PAYG)
  • SQL server mobility makes a similar distinction for Microsoft SQL Server.

Devices Tab in application properties has four new columns

  • Inventoried cloud license model
  • Overridden cloud license model
  • Hosed in cloud is a simple Yes/No to assist with filtering
  • Hosted in identifies which cloud service provider, or on-premises, hosts the installation.

New Assign Cloud Service Model button in Device Tab of application properties

In the same tab of application properties, there is a new Assign cloud service model button for manual data entry, or correcting incomplete inventory results. This populates the Overridden cloud license model column, so that the original inventory results and your override are always visible.

Microsoft Windows Server Datacenter BYOL Hybrid Benefit report

A new Microsoft Windows Server Datacenter BYOL Hybrid Benefit report shows potential saving for Window Server Datacenter Edition under simultaneous use rights.

Azure Connector has been enhanced to use the Azure Az module

The Azure connector has been enhanced to use the Azure Az module, allowing it to identify Azure instances running Windows Server Datacenter or Standard and/or SQL Server Enterprise and Standard editions under Azure Hybrid Benefit. Note that, while this Microsoft module allows detection of which license model(s) are in play, it does not allow hardware or software inventory gathering. To add inventory and manage licenses, you need to arrange for separate imports from an inventory tool (such as the FlexNet inventory agent locally installed on the instance, often by having it configured in the base image from which the cloud devices are instantiated).

tip

The enhanced Azure connector does not require any update of your FlexNet Beacon installations. The connector update is distributed automatically through the process of beacon policy updates to your existing inventory beacons. However, it does require that you manually uninstall the previous Microsoft AzureRM module of PowerShell cmdlets, and instead install the current Azure Az module. This is best practice not only to be able to track license models for the Azure Hybrid Benefit, but also because the older module is no longer supported by Microsoft. (You may choose the optimum time to upgrade this Microsoft module, as the previous one continues to run, maintaining earlier functionality [only, without future enhancements] with the upgraded inventory beacon and Azure connector.)

Oracle Automatic Storage Management no longer inventoried and no longer hangs

note

This enhancement is available with IT Asset Management.

Oracle APIs require an account with sysadmin privileges for collecting inventory for Oracle Automatic Storage Management (ASM), and it can be problematic to have an account with such high-level privileges set aside for that purpose. Previously in IT Asset Management, the attempt to collect this inventory with a typical inventory-gathering Oracle account would hang for lack of those privileges; with the unpleasant side effect of preventing further Oracle inventory collection as well. This was all the more frustrating since Oracle ASM has no license impact—as Oracle's documentation says, “Oracle ASM is free to use with all Oracle databases and Oracle ACFS file systems.”

Therefore, IT Asset Management no longer attempts to take inventory of Oracle ASM, and you do not need a highly-privileged account to work around those requirements. Instead, IT Asset Management simply steps past any attempt to connect to Oracle ASM, and continues with other rules for collecting inventory from Oracle Database and other options.

Oracle Database inventory in Amazon Relational Database Service for Bring Your Own License

note

This feature is available with IT Asset Management.

The Amazon connector supplied with every inventory beacon has been radically updated with this release. While the method of using the connector has not changed, it now does much more than collecting data on Amazon EC2 instances. It also now automatically collects listener and services information on instances of Oracle Database running in Amazon Relational Database Service (RDS). When this information is uploaded to the central application server, IT Asset Management automatically creates a discovered device record (which allows you to use standard inventory collection rules to take inventory of the related Oracle Database installation), and a linked inventory device record with which to associate the resulting inventory.

For some enterprises, there are multiple Oracle Database installations running in various regions of AWS. To optimize management of your Oracle Database inventory, each inventory beacon (running version 16.3.0 or later of FlexNet Beacon) now has a new Cloud regions tab. In a manner parallel to dedicating an inventory beacon to a particular subnet, the new tab allows you to dedicate a particular inventory beacon to taking Oracle Database inventory from within one (or very few) AWS region(s). This lets you limit load on your network and inventory beacons when the scheduled rule triggers inventory collection from these cloud-based installations of Oracle Database. Each inventory beacon then makes a direct connection to its Oracle Database installation(s) and collects the inventory, ready for inclusion into your nightly archives of reports suitable for Oracle Global Licensing and Advisory Services (GLAS).

This functionality is particularly useful for those using BYOL to license their Oracle Database installations in Amazon RDS – that is, repurposing license entitlements originally purchased to authorize an on-premises installation to now cover an installation hosted by this cloud service provider. It may be of less interest to those using PAYG licensing, where Amazon licenses the software and includes the license cost in the monthly subscription.

For those needing to track license consumption, the upgraded connector even manages to populate the inventory device record with the number of threads dedicated to the virtual machine running the Oracle Database. This count of Threads (or, in Oracle's terms, vCPUs) allows for full license consumption calculations without requiring additional inventory sources to flesh out the remaining hardware (and other software) inventory – a unique capability in the area of direct inventory collection.

Prerequisites and set-up are basically unchanged:

  • You use the same processes to configure and run the Amazon connector.
  • As for all beacon-driven direct inventory collection from Oracle Database installations, you still register the appropriate Oracle credentials in the Password Manager store on each inventory beacon.
  • You still use a Discovery and inventory rule (or an Inventory only) rule to schedule and trigger the direct inventory collection. The inventory is automatically uploaded and included in each night's license consumption calculations.

IT Visibility

IT Visibility added the following new feature in April 2021.

New IT Visibility Cloud Inventory page lets you view discovered cloud resources

note

This feature is available with IT Visibility.

The new IT Visibility Cloud Inventory page (navigate to IT Visibility > Cloud Inventory) allows you to search and view discovered cloud resources.

Flexera One Plugin Catalog is a container for all the plugins that cloud admins can register in your organization. For more information, refer to the Viewing Cloud Inventory section of the Flexera One Help.

SaaS Management

SaaS Management added the following enhancements in April 2021.

Import Jobs API supports license differentiation

note

This enhancement is available with SaaS Management.

The Application Roster is one of the supported tasks for the Import Jobs API. The Application Roster now includes the stock-keeping unit (SKU) field, which is an array of SKUs (or Licenses) assigned to a user (for example, "ACROBAT_PRO_DC", "ADOBE_ANALYTICS"). The SKUs are used for license differentiation. For details, refer to the Task Example and JSON Description for the Supported Task - Application Roster section of SaaS Data Payload.

info

A stock-keeping unit (SKU) is a standardized value provided by the software vendor. The app user requires valid SKU identifiers to provide string identifiers for product names. For an example, refer to Microsoft’s Product Names and Service Plan Identifiers for Licensing.

AppDynamics integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the AppDynamics integration instructions.

Information stored

The Application Roster integration task stores the following information:

  • Email
  • Display Name

Minimum permissions required

The AppDynamics Roles and Permissions reference link was updated.

Application Roster API endpoint

The following API endpoint was added.

https://<<accountURL>>/controller/api/rbac/v1/users/<<User Id>>

BlueJeans Video Communications integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the BlueJeans Video Communications integration instructions.

  • Information stored
  • Authentication method
  • Application Access API endpoint

Information stored

The Application Access integration task now stores the Email field.

Authentication method

The authentication method for integrating BlueJeans Video Communications with SaaS Management is OAuth2 with Client Grant Type. For details, refer to BlueJeans’ Support documentation Authentication Methods for BlueJeans Meetings API Endpoints.

Application Access API endpoint

The API endpoint has been updated to the following:

https://api.bluejeans.com/v1/enterprise/<EnterpriseID>/indigo/meetings

Box integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the Box integration instructions.

  • Information stored
  • Authentication method
  • Credentials required

Information stored

The Box Application Access integration task now stores the email field.

Authentication method

The authentication method for integrating Box with SaaS Management is OAuth2 with Authorize Flow. For details, refer to the Box instructions in Access Token Object.

Credentials required

The following note was added.

note

Username and Password are required only for authorization. These values are not stored in SaaS Management.

Bugsnag integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the Bugsnag integration instructions.

  • Information stored
  • Authentication method

Information stored

The Application Access integration task now stores the User ID field.

Authentication method

The authentication method for integrating Bugsnag with SaaS Management is Token Based. For details, refer to the Authentication section of the Bugsnag Data Access API documentation.

Cisco Umbrella integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the Cisco Umbrella integration instructions.

  • Information stored
  • Minimum permissions required

Information stored

The Application Access integration task now stores the User ID field.

Minimum permissions required

Full Admin user role is required to generate API keys.

Creative Cloud integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the Creative Cloud integration instructions.

  • Information stored
  • Authentication method

Information stored

The Creative Cloud Application Roster integration task now stores the User ID field.

Authentication method

The authentication method for integrating Creative Cloud with SaaS Management is JSON Web Token. For details, refer to Adobe’s Authentication for API Access.

Domo activity data

note

This enhancement is available with SaaS Management.

The Domo integration now stores more information about the type of activity data, including the event details with the object name. The Domo API Authentication Document provides further clarification for authenticating using OAuth2 with Client Credentials.

Dropbox integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the Dropbox integration instructions.

  • Information stored
  • Minimum permissions required
  • Authentication method
  • Credentials required
  • API endpoints

Information stored

The following information is now stored in Dropbox.

  • Application Roster task now stores the Active Date.
  • Application Access task now stores the User ID.

Minimum permissions required

The Minimum Permissions Required section was updated to clarify the minimum API required permissions based on the Dropbox scopes required and the user role.

Authentication method

The authentication method for integrating Dropbox with SaaS Management is OAuth2 with Authorize Flow. For details, refer to the Dropbox OAuth Guide.

Credentials required

The following note was added.

note

Username and password are required only for authorization. These credentials are not stored in SaaS Management.

API endpoints

The following Dropbox API endpoints are now available.

Application Roster

https:// api.dropboxapi.com /2/team/members/list

Application Access

https:// api.dropboxapi.com/2/team_log/get_events

Expense (Coupa) integration updates

note

This enhancement is available with SaaS Management.

Coupa’s API Key Security documentation was added as a reference to the Minimum Permissions Required section. For details, refer to the Expense (Coupa) integration instructions.

Expense (SAP) integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the Expense (SAP) integration instructions.

  • Information stored
  • Minimum permissions required
  • Authentication Method
  • Integrating SAP Concur with SaaS Management
  • Expense Discovery API endpoints

Information stored

The following integration tasks were updated.

  • Application Roster
  • Expense discovery

Application Roster

User ID was replaced with the Employee ID/Login ID.

Expense discovery

Owner Login ID was added.

Category was replaced with Expense Type Name.

Minimum permissions required

The Minimum Permissions Required section for the Expense (SAP) integration instructions was updated to clarify the minimum API required permissions based on the SAP Concur scope and user role.

Authentication Method

The authentication method for integrating Expense (SAP) with SaaS Management is OAuth2 with password grant type. For details, refer to the Company Level Authentication section of SAP Concur's documentation.

Integrating SAP Concur with SaaS Management

SAP Concur currently only supports integrating in the United States with a "us" production account and a "us-impl" implementation account.

Expense Discovery API endpoints

The following API endpoints were added.

  • https://www.concursolutions.com/api/v3.0/expense/reports
  • https://implementation.concursolutions.com/api/v3.0/expense/reports

Fastly integration updates

note

This enhancement is available with SaaS Management.

Notes are no longer stored as part of the Application Access integration task. For details, refer to the Fastly integration instructions.

Microsoft Application integration updates

note

This enhancement is available with SaaS Management.

The Azure, Dynamics 365, and Office 365 integration instructions were updated. For details, see:

  • Information stored
  • Minimum permissions required
  • Authentication method
  • Credentials required

Information stored

The following integration tasks now store additional information.

  • Azure application discovery
  • Azure SSO application Roster
  • Azure SSO Application Access
  • Dynamics 365 and Office 365 Application Roster
  • Dynamics 365 application access

Azure application discovery

The following information was added:

  • App Instance ID
  • Additional Details (open_access, publisher, oauth2Integration)

Azure SSO application Roster

App Instance ID was added.

Azure SSO Application Access

Occurred was replaced with Last Login.

Notes was replaced with Login Location.

Dynamics 365 and Office 365 Application Roster

User ID was replaced with User ID (User Principal Name).

Dynamics 365 application access

User ID was replaced with User ID (User Principal Name).

Minimum permissions required

This section was updated to provide Microsoft's description of the Application Administrator user role

Authentication method

The authentication method for integrating Azure, Dynamics 365, and Office 365 with SaaS Management is OAuth2 with Authorize flow. For details, refer to Microsoft's instructions in Microsoft identity platform and OAuth 2.0 authorization code flow.

Credentials required

The following note was added.

note

Username and Password are required only for authorizing the application permissions. These values are not stored in SaaS Management.

Microsoft Applications with Client Credentials integration updates

The Azure Client Credentials, Dynamics 365 Client Credentials, and Office 365 Client Credentials integration instructions were updated. For details, see:

  • Information stored
  • Minimum permissions
  • Authentication method

Information stored

The following integration tasks now store additional information.

  • Azure Client Credentials application discovery
  • Azure Client Credentials SSO Application Roster
  • Azure Client Credentials SSO Application Access
  • Dynamics 365 and Office 365 Client Credentials Application Roster
  • Dynamics 365 Client Credentials application access
Azure Client Credentials application discovery

The following information was added:

  • App Instance ID
  • Additional Details (open_access, publisher, oauth2Integration)
Azure Client Credentials SSO Application Roster

App Instance ID was added.

Azure Client Credentials SSO Application Access

Occurred was replaced with Last Login.

Notes was replaced with Login Location.

Dynamics 365 and Office 365 Client Credentials Application Roster

User ID was replaced with User ID (User Principal Name).

Dynamics 365 Client Credentials application access

User ID was replaced with User ID (User Principal Name).

Minimum permissions required

This section was updated to provide Microsoft's description of the Application Administrator user role

Authentication method

The authentication method for integrating Azure, Dynamics 365, and Office 365 with SaaS Management is OAuth2 with Authorize flow. For details, refer to Microsoft's instructions in Microsoft identity platform and OAuth 2.0 authorization code flow.

OneLogin integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the OneLogin integration instructions.

  • Information stored
  • Minimum permissions
  • Authentication method
  • API endpoints

Information stored

The stored information for the SSO Application Access and Application Discovery integration tasks have been updated. See the following details.

SSO Application Access

  • User ID
  • Occurred (SSO log in to the App)
  • App ID
  • SSO Name

Application Discovery

  • App ID
  • SSO Name

Minimum permissions

The Minimum Permissions Required section for the OneLogin integration instructions was updated to clarify the minimum API required permissions based on the OneLogin scope and user role.

Authentication method

The authentication method for integrating OneLogin with SaaS Management is OAuth2 Client Credentials. For details, refer to the OneLogin instructions in Client Credentials Grant.

API endpoints

All of the OneLogin API endpoints were updated. Refer to the following.

Application Roster

https://api.<<Hosted-Region>>.onelogin.com/api/2/users

Application Access and SSO Application Access

https://api.<<Hosted-Region>>.onelogin.com/api/2/events

SSO Application Discovery

https://api.<<Hosted-Region>>.onelogin.com/api/2/apps

SSO Application Roster

https://api.<<Hosted-Region>>.onelogin.com/api/2/apps/<<App-ID>>/users

PractiTest integration updates

note

This enhancement is available with SaaS Management.

The PractiTest API Tokens documentation was added as a reference to the Minimum Permissions Required section. For details, refer to the PractiTest integration instructions.

Salesforce integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the Salesforce integration instructions.

  • Minimum permissions required
  • Authentication method
  • Credentials required
  • Application Roster and Application Access API endpoint
  • Reclamation API endpoint

Minimum permissions required

Salesforce SaaS application integration issues have occurred due to permissions issues. In response, the Minimum Permissions Required section for the Salesforce integration instructions was updated to clarify the minimum API required permissions based on the Salesforce scopes required and the Salesforce user role.

Authentication method

The authentication method for integrating Salesforce with SaaS Management is OAuth2 with Authorize Flow. For details, refer to the Salesforce instructions in OAuth 2.0 Web Server Flow for Web App Integration.

Credentials required

The Admin username and password was replaced with the following: “Username and password of the user with necessary minimum permissions.”

The following note was added.

note

Username and password are required only for authorization. These credentials are not stored in SaaS Management.

Application Roster and Application Access API endpoint

The following API endpoint was updated.

Reclamation API endpoint

For the Salesforce Reclamation API endpoint:

https://<<SalesforceInstance>>.salesforce.com/services/data/v48.0/composite/batch

Refer to the Salesforce documentation regarding all User Deactivation Considerations (billing and license, record access, etc.).

Slack integration updates

note

This enhancement is available with SaaS Management.

The following sections were updated in the Slack (for Enterprise Grid) and Slack (for Workspace) integration instructions.

  • Information stored
  • Minimum permissions required
  • Authentication method
  • Credentials required
  • Application Roster API endpoint

Information stored

The Slack (for Workspace) integration stores the following information:

  • Billable Status for the Application Roster task
  • User ID for the Application Access task

The Slack (for Enterprise Grid) integration stores the following Application Access fields:

  • User ID
  • Last Login

Minimum permissions required

The Minimum Permissions Required section was updated to clarify the minimum API required permissions based on the Slack scopes required and the user role.

Authentication method

The authentication method for integrating Slack with SaaS Management is OAuth2 with Authorize Flow. For details, refer to the Slack instructions Using OAuth 2.0.

Credentials required

The following note was added.

note

Username and Password are required only for authorization. These values are not stored in SaaS Management.

Application Roster API endpoint

The correct Application Roster API endpoint is: https://api.slack.com/scim/v1/Users.