Dots Connected #8: Enterprise Groups for slicing your data and your roles - the next step of SAM maturity!

The 15th of an 18-post series, this “Dots Connected” didactic article gives you best practices on how to use Enterprise Groups (Locations, Corporate Units, Cost Centers, Categories) to slice your SAM data efficiently, define clever user roles and build powerful reporting, leading to SAM accountability and charge back.

Nicolas Rousseau

10/28/2024 · 16 min read

Managing enterprise groups efficiently in your SAM data doesn't sound exciting... but it is a decisive step towards SAM accountability and charge back!

In the previous posts of the "Become a SAM Champion With Flexera Technology" series, you learnt how to build the foundations: reliable inventory and correctly configured software licenses, optimized to compute optimal license consumption. You even learned how to optimize your IT architectures to save massive amounts of money... it is now time to contemplate the result...

Just "contemplate"? As you may already know, SAM is anything but a contemplative art... it is the art of answering the One Million Dollar questions:

  • Am I compliant?

  • What are my costs?

  • How much could I optimize?

And these questions lead to the next steps: governance and action. For large organizations, Enterprise Groups (locations, corporate units, cost centers) provide the metadata that allows you to answer and address these questions successfully:

  • Who is liable? Who messed up?

  • What processes for our License governance?

  • What should I recharge to whom?

In the end, Enterprise Groups support better transparency and accountability, which lead to a healthy, virtuous and cost-effective SAM practice.

Charge Back and decentralized license accountability are on top of the SAM Maslow Pyramid.
How Enterprise Groups are created / linked to records
Creating the reference tree for location or corporate units.

This step is important as it will structure your data. Keep in mind there are different dimensions. Don't create Entity A - Europe, Entity A - US, Entity B - APAC. One dimension for entities and one dimension for location will allow efficient data slicing and user access restrictions.

This should be a one-time activity for creation. Don't let imports create entities on the fly, the way Purchase Order imports can create vendors or publishers. You will quickly mess up the tree structure!

The tree can evolve. This may be a little bit tricky, as you can't move Entity A from Parent Entity B to Parent Entity C with a simple drag and drop (with all linked records following). What is unique in an Enterprise Group is its path (EMEA/France/Paris). You need to create the new entity under the new parent… and re-link all objects (devices, users, contracts, licenses, purchases) to the new Enterprise Group. This is massive. It is best done with a SQL script if you are on premises, or with multiple extracts / imports with update through the Business Adapter Studio from the beacon if you are on Flexera One ITAM.

Maintaining the links between CIs and entities

Once your corporate unit, location and cost center trees are created, you need to link the devices, contracts, users and purchases to these entities. This can be done at creation time (typically for purchases), or you can regularly sync information with your CMDB when changes can happen. As shared above, keep in mind that CI updates should not create new entities if you want to enforce tree consistency.

Using Enterprise Groups for user access: Roles

ITAM, like any good enterprise application, has user roles that control what operators can see and do in the UI. There are two principles:

  • Access restrictions that will typically allow a user to see data from Cost Center 123, Location France and Corporate Unit: IT.

  • Functional restrictions: a user in IT may be allowed to browse IT devices (read only), but not edit any records or see any contract, or purchase or have any view on license consumption data. Functional restrictions are out of scope of this post…

The Power Of Data Slicing

SAM data is complex: Physical or virtualized servers, short lived cloud instances, ever changing applications, ephemeral subscriptions, users...

But everything is linked to Enterprise Groups: who operates, who uses... in what location...

Enterprise groups are the precious SAM data dimensions used in Flexera One for

  • User Roles

  • Reporting

  • Licenses scoping

Before we explore each of these features let's start from the beginning: where do we get the enterprise group data and how can we import it into Flexera One ITAM?

What is the source of Enterprise information and how can it be integrated into ITAM?
Flexera One ITAM itself?

In a Flexera SAM Best Practice webinar I delivered on Integrating ITAM with a CMDB, I shared my view: "In SAM, be efficient, be selfish". SAM should be a consumer of the Configuration Management data (status and roles of servers, links to Enterprise Groups) and not the place where the configuration data is carefully and manually managed. The added value of SAM is to save 2 million on Windows Server data center by optimizing the licenses consumed according to the clusters' Windows Server density, not to manage what is where and spend hours trying to reduce the gaps between the expected world and the actual one. This is what a CMDB does.

A CMDB?

Indeed, the tedious but necessary job of managing what is where is normally performed (among many other things) by the CMDB that I have always heard claiming to be "The Universal Source of Truth". Let's use the precious CMDB data, and challenge it too when we have doubts!

Active Directory?

Active Directory has extremely rich information, particularly on users (department information). It is very simple to integrate with an Active Directory server using the Business Adapter Studio. This is however the best maintained information I have seen in my SAM Consultant life...

Scripts?

Scripts are an excellent way of automatically keeping the data up to date, for instance by computing the computers' locations from their IP addresses. You can access this Flexera Community KB article I wrote on automatically setting locations with a sequential approach: IP address, then computer name, then domain name... The innovation was that the article shows how to perform sophisticated scripting in a Cloud environment (no db access).

As you see in the schema on the right, the approach is to read from the Flexera One ITAM instance using REST APIs and perform the complicated job in a local database, before updating ITAM back using the standard Beacon Business Adapter.
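The sequential rule described above (IP address, then computer name, then domain name) can be sketched as follows. This is an added example, not the script from the KB article and not Flexera code: the subnets, name prefixes, domains, reference tree and device rows are constructed, and the "Unknown" fallback follows the recommendation made later in this post for unassigned devices.

```python
import ipaddress

# Constructed reference tree: the script may only assign paths that already exist.
REFERENCE_LOCATIONS = {
    "EMEA", "EMEA/France", "EMEA/France/Paris", "EMEA/France/Lyon",
    "Americas", "Americas/USA", "Americas/USA/New York", "Unknown",
}
# Constructed rules, evaluated in this order: IP, computer name, domain.
IP_RULES = [
    ("10.10.0.0/16", "EMEA/France/Paris"),
    ("10.10.50.0/24", "EMEA/France/Lyon"),
    ("10.20.0.0/16", "Americas/USA/New York"),
]
NAME_RULES = [("PAR-", "EMEA/France/Paris"), ("NYC-", "Americas/USA/New York")]
DOMAIN_RULES = {"emea.example.com": "EMEA/France", "us.example.com": "Americas/USA"}

def rule_targets_outside_tree():
    """Rule targets missing from the reference tree (would create entities on import)."""
    targets = [loc for _, loc in IP_RULES + NAME_RULES] + list(DOMAIN_RULES.values())
    return sorted({t for t in targets if t not in REFERENCE_LOCATIONS})

def locate(device):
    """Return (location path, rule that matched) for one inventory device."""
    try:
        addr = ipaddress.ip_address(device.get("ip") or "")
    except ValueError:
        addr = None  # missing or malformed address: fall through to the name rule
    if addr is not None:
        nets = [(ipaddress.ip_network(cidr), loc) for cidr, loc in IP_RULES]
        hits = [(net.prefixlen, loc) for net, loc in nets if addr in net]
        if hits:
            return max(hits)[1], "ip"  # the most specific subnet wins
    name = (device.get("name") or "").upper()
    for prefix, loc in NAME_RULES:
        if name.startswith(prefix):
            return loc, "name"
    domain = (device.get("domain") or "").lower()
    if domain in DOMAIN_RULES:
        return DOMAIN_RULES[domain], "domain"
    return "Unknown", "fallback"  # never leave the location NULL

def plan(devices):
    """Rows to hand to the import step, with the rule kept for auditing."""
    rows = []
    for device in devices:
        location, rule = locate(device)
        rows.append({"name": device["name"], "location": location, "rule": rule})
    return rows

# Constructed inventory extract.
DEVICES = [
    {"name": "PAR-WS-001", "ip": "10.10.4.7", "domain": "emea.example.com"},
    {"name": "LAB-01", "ip": "10.10.50.9", "domain": "emea.example.com"},
    {"name": "NYC-SRV-12", "ip": "192.168.1.5", "domain": "us.example.com"},
    {"name": "BUILD-7", "ip": None, "domain": "emea.example.com"},
    {"name": "KIOSK-3", "ip": "not-an-ip", "domain": "workgroup"},
]

if __name__ == "__main__":
    assert not rule_targets_outside_tree()
    for row in plan(DEVICES):
        print(row)
```

Keeping the matched rule next to each assignment makes it possible to review why a device ended up in a location before access restrictions start depending on it.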

Where users' roles are defined.
Want to learn more?

I delivered a SAM Best Practice webinar on this exact topic. You can get its details in the Flexera Community and watch the recording on YouTube. All 32 other webinars are on the SAM Best Practice Flexera YouTube playlist.

Here are the ones that are the most relevant to this post:

Example of scripted automation on an ITAM cloud instance.
Business Adapter Studio: Location ID identified in Location Node and used in PO creation node.
Uncheck these boxes to avoid creating or modifying on the fly the entity reference data.
The different ways you can create / update entities and their links to CIs.

In the User Interface

Creating new entities is possible from the Location, Corp Units, Cost Center or Category screens.

All SAM records that can be linked to entities have an "ownership" tab.

Using the UI should be limited to cases where one-off operations are needed.

Note that many screens (users, inventory devices) allow multi-selection for updating, for instance, the location, but you are expected to select only consistent records before you can update: for instance, licenses of the same license type, inventory devices of the same type, etc.

Through Business Adapters

Business adapters are the most powerful way to mass create or update, using recursive creation (an "Americas/USA/New York" import will create 3 locations). The screenshot on the right shows how you can first "catch" the Entity ID (using the location path as matching criteria) and then use the ID to link the purchase order to the location.

The second screenshot shows how to uncheck "Update existing Object in the database" or "Create new object in the database" to prevent a PO import from creating locations on the fly.
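A pre-import check is one way to see what a file would do to the reference tree before it goes through a business adapter. The following is an added example, not Flexera code or part of the Business Adapter Studio: the location tree and purchase order rows are constructed, paths are assumed to match exactly, and holding back rows with an empty location is a policy choice made for this example.

```python
# Constructed reference tree, as it would be exported from the Locations screen.
REFERENCE_LOCATIONS = {
    "Americas", "Americas/USA", "Americas/USA/New York",
    "EMEA", "EMEA/France", "EMEA/France/Paris",
}

def missing_nodes(path, tree):
    """Every node on `path` that is absent from the tree.

    With recursive creation enabled, each of them would be created by the import.
    """
    parts = [p.strip() for p in path.split("/")]
    prefixes = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return [p for p in prefixes if p not in tree]

def check_import(rows, tree, column="location"):
    """Sort import rows into safe ones and ones to review before import."""
    report = {"accepted": [], "would_create": {}, "null_group": []}
    for row in rows:
        path = (row.get(column) or "").strip()
        if not path:
            # An empty group ends up as NULL and hides the record
            # from operators restricted on this dimension.
            report["null_group"].append(row["id"])
            continue
        missing = missing_nodes(path, tree)
        if missing:
            report["would_create"][row["id"]] = missing
        else:
            report["accepted"].append(row["id"])
    return report

def new_entities(report):
    """All entities the file would add to the tree, for review by the tree owner."""
    return sorted({node for nodes in report["would_create"].values() for node in nodes})

# Constructed purchase order rows.
ROWS = [
    {"id": "PO-1001", "location": "Americas/USA/New York"},
    {"id": "PO-1002", "location": "EMEA/France/Lyon"},
    {"id": "PO-1003", "location": "APAC/India/Pune"},
    {"id": "PO-1004", "location": ""},
]

if __name__ == "__main__":
    result = check_import(ROWS, REFERENCE_LOCATIONS)
    print(result)
    print(new_entities(result))
```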

Through scripts as already mentioned.

How it works

General case

Users are assigned one or multiple roles. When a user has multiple roles, he will see the UNION of the objects each role allows him to see. Let’s say a user is restricted on Location only and can see United States (and children; access restrictions always apply to all children) in one role, United Kingdom in a second one and India in a third… With his three roles, he will see what his functional restrictions allow him to see (let’s say IT devices in each of the roles) in the three locations. Now, if one role allows him to see US Location AND Marketing Corporate Unit, and a second one UK Location AND IT, for inventory devices, he will see the UNION of these two groups.

Note that functional rights are a little bit more complex: each role gives rights (read / write / modify) on functional domains. Multiple combined roles give a combined functional access that takes into account Allow, Disallow (which prevents access to a functional domain locally, within the role) and Deny (which prevents access to the functional domain across all roles assigned to the operator).

Special case of licenses:

FlexNet Manager / ITAM has a powerful option for restricting operators’ access to licenses. There are three options, as you can see in the screenshot below, and I strongly recommend option 1 or 3… My preference goes to 3, as it allows all licenses to be shown to users. Inside the license, operators only see the purchase counts and consumption of their authorized entities. Everyone has his own view of license compliance!

You can be creative to address your special need!

1) Using Categories for Publishers verticalisation

There is no "Publisher" slicing today. An Oracle SAM Manager will see other licenses. I found a way to verticalize by Publisher that may be useful for your SAM project: linking all objects to categories (= Publishers). One challenge is that some objects have no link in the screen details, but you can still link them! For instance, it is possible to link a purchase to a category through the Business Adapter Studio.

Taking the example of an Oracle SAM Manager:

  • He will see only contracts, purchases and licenses linked to the "Oracle" category he is authorized to see

  • He will also see all inventory devices (unless he has an access restriction on a specific location)... because you will have ensured that you link all your devices to an "Any Publisher" category that you give all SAM Managers access to.

  • The last thing to ensure is that you give access to the "Software" category to all SAM Managers. The goal here is not to restrict which installations they can see on computers... or this will become more complicated.

  • Give users 3 roles with the same functional rights, one for each category: Oracle, Any Publisher, and “Software”

2) Managing: "Operated By" and "Used By" using the Corporate units and cost center dimensions in Service Oriented organizations

Are you a Managed Services Provider or an IT organization that “serves” internal customers? There is a really powerful approach I have used in multiple projects to handle the data visibility challenge, for services providers and customers: using a dual “Operated by entity / Used by entity” approach reflected in the Corporate Units and Cost Centers dimensions that have the same tree.

  • The IT team will see the full scope that it manages, across (internal or external) customers.

  • As a customer, IT infrastructure users will see the full IT portfolio they use, whichever provider manages it.

This assumes you don’t want to use cost centers… If you need cost centers and also want the powerful MSP setup, you can create a Cost Center custom property.

A user can have multiple roles. Each role combines Access restrictions and functional rights.
Limitations

User access restrictions can end up being very complicated if you stratify complex roles… You may end up with unpredictable access to data, or even bugs or weird situations where users create a contract that immediately disappears because they have restrictions that hide the newly created one!

Keep in mind that “NULL” is an enterprise group and that devices with NULL locations will be invisible to all users with a restriction on locations. An approach is to set devices that have not been assigned to an Enterprise Group (through CMDB integration or script) to an “Unknown” location, corporate unit or cost center that is visible to anyone.

Some widgets in the Hubs are not accessible to operators with an access restriction, because data cannot be computed (SAM Optimization Hub) or shown with history (Publisher Hub) applying the sometimes-complex access restrictions.

Access restrictions apply to the content of reports. You cannot, however, hide reports from users, as report folders are not related to Enterprise Groups.

A last thing you should be aware of is that access restrictions are sometimes managed with views that store the records or counts applying the user restrictions… you may have a latency in some screens just after a reconciliation, a role change or a mass update of data. For instance, cost centers will show some values in the “All Inventory” screen and other values in the computer “ownership” tab of the detail just after a mass update through a Business Adapter Studio update.

Best practice

"Keep it simple" is the first piece of advice. If you over-engineer your users’ roles, you will end up with unexpected behaviors, slow performance or bugs, and will in the end spend hours troubleshooting user access issues. A successful approach is to limit access to the ITAM application to the small number of true operators who perform day-to-day SAM activities (create contract, create license, browse data) and provide a controlled read-only access to “other stakeholders” in a Business Intelligence solution (Power BI, or Cognos).

Keep it consistent: a challenge I have seen a lot is that data comes from different sources and processes, and purchases, for instance, end up in a corporate unit tree that is different from the one used for IT devices… or for users. With such inconsistency, there will be no way, for instance, to create a “By Corporate Unit Compliance” or “Charge Back” view.

Using enterprise groups for reporting

Enterprise Groups are now created; users, inventory devices, purchases, licenses, and contracts are now linked to this structuring information. Users have profiles that allow them to see what is authorized to them... and only permitted information.

Let's now get a more granular view of our SAM data: who spent for what licenses, who deployed, who is compliant or not. The SAM world is not monolithic: it is not just about what happens externally, toward Microsoft or Oracle. Your internal governance demands a "per entity" view of everything. As stated in the introduction of this post, having local accountability is the best way to get a healthy, virtuous and cost-effective license practice. Let's explore the ways Flexera One ITAM provides you this "per entity view". This is the power of data slicing!

Keep in mind: best way of filtering all the data is user roles

Before we explore all the powerful ways you can slice SAM data, I would like to reiterate that if you want to slice data and don't want to filter all screens again and again to understand your full SAM scope in the context of an entity or location... you had better use specific restricted roles than filter information again and again. A user can have multiple AD users (on prem) or email addresses (Cloud) registered in ITAM (no concern about Flexera license costs, licensing is per client / desktop!). Each ITAM account will be adjusted to the scope he can see. A little trick: run Google Chrome in private mode if you are on premises, to be able to set an explicit user and password and skip the integrated Windows authentication.

If you are an ITAM admin and want to limit the number of Flexera accounts, you can have one admin account and another one that you will adjust with your admin account according to the focus you wish.

The three options for licenses consumption management in user roles.
You can verticalize per publisher!
Apply Enterprise Group slicing when using ITAM

If you wish to navigate with full visibility and slice opportunistically to deep dive and understand the situation in depth, you have rich options in ITAM.

The Summary screens offer "slicing" capabilities (filtering)

If you open the Publisher Summary, Product Summary and License summary screens, you will see the "Enterprise Filter" button that is available only to users with global access.

This filter allows you to slice the license compliance data (including purchase and consumption) in the three available dimensions: Locations, Corporate Units and Cost Centers. The compliance view will switch to each focus you choose!

Note that drilling down to licenses will give you the full view in the license detail.

Some dashboards also allow slicing (filtering)

The SAM Operations Hub provides KPIs on the quality of your SAM data and SAM processes. I had the joy of developing it and the 13 related reports. It is a dashboard that each SAM Manager on FlexNet Manager or Flexera One ITAM should check every week!

Ok, so, let's say you have an issue with Orphan VMs, but is the issue general? You can understand what entity messes up with the Enterprise Filter.

The Enterprise Filter applies to the current dashboard but also the KPIs trend widget.

Some screens and reports slice the data (showing all entities)

The license detail assignment tab allows you to re-assign entitlements from one entity to another in a chosen dimension (Corporate Units, Locations, Cost Centers). I am personally not a big fan of this feature because it presents tracing challenges (you need to check this tab and the history tab license by license). My preference goes to creating "charge back" purchase order lines that re-allocate centrally purchased quantities to local entities. Note that negative quantities (a charge back operation being reflected by a positive and a negative transaction) don't work well. It is better to decrease the quantity assigned on the central purchase (and the quantity allocated to the license) and pass the transferred quantity to a new re-assignment PO line.

This tab however shows a powerful Enterprise / Sub Enterprise compliance view (see screenshot).

The 3 reports in the Reports/License Compliance/Compliance folder:

  • Licenses Consumed and Purchased by Location

  • Licenses Consumed and Purchased by Corporate Unit,

  • Licenses Consumed and Purchased by Cost Center

provide a cross license view on License Consumption. These are the first of my reports created as a consultant that got productized. They provide a very useful "Charge Back" view of your license consumptions in all dimensions. Costs per right, global and local cost for compliance are provided. Level 1, ..., Level 4 entity are provided to allow easy pivoting and filtering.

Global filters allow to slice any data (entitlements, inventory, license consumption).
c-level dashboard provides the big picture (contracts, costs, risk...).
C-level dashboard on big picture.
The Operations Dashboard provides details on data quality and license optimization.
A (good) business intelligence slices data by nature! NR SAM Consulting Power BI Solution.

The good thing with FlexNet Manager / Flexera ITAM is that it is a super powerful SAM engine to manage Purchases, Contracts, Inventory, Recognized Applications and License Consumption.

The other good thing is that you can understand the bits and bytes in rich screens and Web reports that you can build from a very good Report builder wizard where you can add all possible columns using links of links of links if necessary. More information in the Reporting in Flexera One ITAM and FlexNet Manager SAM Best Practice Webinar.

What is sometimes missing, however, is the big picture, with a correct level of depth in an easy technology. There are dashboards in HTML, and Cognos comes for free with two dashboards, but adoption of the Business Intelligence tool is not universal. Powerful but complex.

NR SAM Consulting has created a ready-to-use Power BI solution that:

  • Extracts the needed SAM information (inventory, contracts, purchases, entity data, and license consumption and chargeback information)

  • Creates a Power BI data Lake in a SQL Server database and feeds it automatically (Current + history Data)

  • Provides 2 extensive dashboards that can be extended (C-Level Information and Operations)

  • Each widget offers drill down / drill through to understand more details of the list behind the numbers (with link to Flexera One).

The core job of a Business Intelligence solution is to slice information, and this is what the global filters do: by entity, Publisher, on premises vs cloud...

The C-level dashboard (first two screenshots) shows the big picture on contracts, purchases, costs, risk... and you can slice this data by all 4 dimensions of the entities and more.

The Operations dashboard (3rd and 4th dashboards) gives all (sliceable) details on data and operations quality, as well as a "cluster oriented" view of license consumption and optimization.

Using Enterprise Groups for license restrictions

This is the last use of enterprise groups we will cover in this long post. Licenses are the license consumption counters and sometimes need not to be global... that's where license restrictions bring a powerful answer.

Business need

Unfortunately, not everything is "monobloc" or "uniform" in SAM.

  • Contracts may not be Enterprise-wide and may not allow license transfers between entities (Microsoft Select Agreements, for instance, between EMEA, Americas and APAC...)

  • You can even have for the same licenses multiple contracts that overlap or not between entities (global and local mixed)

  • The organization of the SAM teams can be decentralized, and local SAM Managers may have an interest in "exotic" applications.

In the end, you need to restrict your licenses... often by Corporate Unit or Location. The good thing is that license restrictions offer an easy way to address these licensing constraints.

License restrictions are an efficient answer

Restricting licenses on the Location, Corporate Unit and Cost Center dimensions is the historic way to limit the scope of a license. This is performed from the "restriction" tab of a license.

Restrictions apply to children and can be combined across dimensions. For instance, creating a restriction on USA and Acme inc. on a SQL Server license will restrict the scope of servers that can consume from this license to any server from the Acme branch, in any town of USA.

If you add multiple entities of a dimension (Entity A, B and C), you get a union of the restrictions. Across dimensions, the scope is limited to the records in the intersection. Keep in mind that overly sophisticated combined restrictions carry a risk of excluding all servers, for instance!
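The role rules from "How it works" (union across roles, children always included, NULL invisible to restricted users) and the license restriction rules above (union inside a dimension, intersection across dimensions) can be checked on paper with a small model before they are configured. This is an added example, not Flexera code: the entity paths and devices are constructed, and treating a role and a license restriction as the same kind of "scope" is a simplification made for this example.

```python
def covers(granted, path):
    """A grant on 'USA' covers 'USA' itself and every child such as 'USA/Texas'."""
    return path is not None and (path == granted or path.startswith(granted + "/"))

def in_scope(scope, record):
    """scope maps a dimension to granted paths: union inside a dimension,
    intersection across dimensions. A NULL (None) group never matches."""
    return all(
        any(covers(grant, record.get(dim)) for grant in grants)
        for dim, grants in scope.items()
    )

def visible(roles, records):
    """An operator holding several roles sees the UNION of what each role allows."""
    return [r["name"] for r in records if any(in_scope(role, r) for role in roles)]

def license_consumers(restriction, records):
    """A license restriction is one scope: only matching devices can consume."""
    return [r["name"] for r in records if in_scope(restriction, r)]

def with_unknown(records, dims=("location", "corporate_unit")):
    """Mitigation from the Limitations section: replace NULL groups with 'Unknown'."""
    return [{**r, **{d: r.get(d) or "Unknown" for d in dims}} for r in records]

# Constructed inventory devices.
DEVICES = [
    {"name": "srv-ny", "location": "USA/New York", "corporate_unit": "Acme/Marketing"},
    {"name": "srv-tx", "location": "USA/Texas", "corporate_unit": "Acme/IT"},
    {"name": "srv-ldn", "location": "UK/London", "corporate_unit": "Acme/IT"},
    {"name": "srv-pune", "location": "India/Pune", "corporate_unit": "Acme/IT"},
    {"name": "srv-orphan", "location": None, "corporate_unit": "Acme/IT"},
]

# Two roles, each an intersection of two dimensions; the operator gets their union.
TWO_ROLES = [
    {"location": ["USA"], "corporate_unit": ["Acme/Marketing"]},
    {"location": ["UK"], "corporate_unit": ["Acme/IT"]},
]
# Three location-only roles, as in the United States / United Kingdom / India case.
THREE_LOCATIONS = [{"location": ["USA"]}, {"location": ["UK"]}, {"location": ["India"]}]

if __name__ == "__main__":
    print(visible(TWO_ROLES, DEVICES))        # srv-tx is in USA but not Marketing
    print(visible(THREE_LOCATIONS, DEVICES))  # srv-orphan has a NULL location
    print(license_consumers({"location": ["USA"], "corporate_unit": ["Acme"]}, DEVICES))
    # A combination that matches nothing: no server can consume this license.
    print(license_consumers({"location": ["India"], "corporate_unit": ["Acme/Marketing"]}, DEVICES))
```

Running planned roles and restrictions through such a model against an inventory extract shows empty scopes and hidden NULL records before operators run into them.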

Intelligent license restriction is an even more efficient answer.

Intelligent restriction was introduced in 2023 and allows you to restrict a license based on a report (on devices or users, based on license type). This is way more powerful and opens new possibilities (particularly on License Optimization). You can define the report restriction from the restriction tab of the license.

Similar "intelligent" configurations can be performed in the "Use and Rights" tab of licenses, where you can use reports for allocations and exemptions.