Skip to main content
Organization lets you manage the features that affect the organization’s environment at a global level, from the assignment of the platform name to the configuration of remote assistance.

General

Lets you define generic information about the organization, which can be updated at any time through the Edit button. The data that can be modified is:
  • Name. Name of the organization.
  • Email. Associated email address.
  • Language. Configured language.
  • Country. Country the organization belongs to.
  • Sector. Sector it belongs to.
  • Description. Organization description.
In addition, this section also gives you access to the following information:
  • Members. Number of members the organization has registered on the platform.
  • Products. Number of Flexxible products the organization has contracted.
  • Creation date. Date the organization was registered on the platform.
  • Partner. For customer-type organizations, lets you define the partner or modify it.
  • Type. Organization type assigned to it.

Branding

Facilitates storing information linked to the organization’s brand identity. Clicking the Edit brand settings button opens a form designed to upload files with the organization’s logo and cover image, as well as a palette for defining corporate colors in hexadecimal format. org-branding This section also shows the date and time the information was last updated, along with the name and email of the user who did it.

Microservices

Through its configuration and classification options, it lets you change the name of the folder that contains the end-user microservices and manage the predefined categories. It also displays the date and the name of the user who last updated the information. org-ms-general

Settings

This section shows the name assigned to the end-user microservices folder and whether the option to use predefined categories is enabled.

Folder name

When microservices are enabled for execution by the end user, they are automatically added to a folder on the device called Flexxible; however, this name can be modified. ms_inicio

Change the microservices folder name

  1. Go to SettingsOrganization.
  2. In the left side menu, select Microservices.
  3. Click Edit microservices settings. org-ms-edit
  4. Enter the new name in the Folder name field. The structure must be between 3 and 50 characters and can only contain letters, numbers, hyphens, and underscores. ms-folder-name
  5. Click Save.
If the device runs Windows 11 as its operating system and only one microservice is enabled for an end user, the Flexxible folder will not be displayed; instead, only the microservice icon will be shown in the start menu.ms-w11search

Predefined categories

This functionality allows users with the Organization administrator role to define and manage classification categories for microservices. Configuration can only be performed from the main organization and is automatically inherited by sub-organizations, ensuring consistency and preventing the creation of random categories.

Enable predefined categories

  1. Go to SettingsOrganization.
  2. In the left side menu, select Microservices.
  3. Click Edit microservices settings.
  4. Enable the Use predefined categories toggle. org-ms
  5. Click Save.
When the functionality is active:
  • The Categories section is created automatically, containing a table with the list of the organization’s microservice categories.
ms-categories
  • The categories also appear in the Designer section, so users can only choose from the categories available in the list.
designer-categories

Disable predefined categories

  1. Go to SettingsOrganization.
  2. Select the Microservices tab.
  3. Click Edit microservices settings.
  4. Disable the Use predefined categories toggle.
When this option is disabled, a message is displayed informing the user that all microservices with categories assigned will lose that association, so it will be necessary to reassign categories to them manually. disable-categories

Categories

This tab is enabled only when the predefined categories option is activated. It contains a table with the list of categories and lets you create new ones or delete existing ones.

Create a predefined category

  1. Go to SettingsOrganization.
  2. In the menu, go to MicroservicesCategories.
  3. Click New and enter the name of the new category. new-category
  4. Click Save.
The category name will be displayed both in the table and in the Designer section.

Delete a predefined category

  1. Go to SettingsOrganization.
  2. In the menu, go to MicroservicesCategories.
  3. Select a category from the table and click Delete.
When a category is deleted, the microservices associated with it become uncategorized and it will be necessary to assign them another category manually.

Reports

From this tab you can manage the categories associated with the reports generated in the Create with AI - Reports section, as well as configure the privacy and permissions related to them. reportsOrg The information available in this section is divided into the following sections:
  • Categories
  • Creation and privacy
  • Access to other users’ private reports
  • Scheduling
  • Report categories

Categories

Indicates whether predefined report categories are enabled for the organization.

Creation and privacy

Shows which roles can create private reports and which roles can mark their reports as private.
  • L1 support team
  • L2 support team
  • Organization administrator and L3 engineering team

Access to other users’ private reports

Indicates whether users with the Organization administrator or L3 engineering team role can access private reports owned by other users in read-only mode.

Scheduling

Indicates whether users with the L1 support team and L2 support team roles can configure automatic schedules for their own reports.

Report categories

Displays a table with the report categories defined by the organization. Each record includes the following fields:
  • Name. Category identifier.
  • Description. Descriptive information about the category.
  • Number of queries. Total number of queries made on the reports associated with the category.
  • Created on. Creation date and time.
  • Created by. User who created the category.
  • Updated on. Date and time of the last modification.

Edit settings

To configure report categories and control the behavior related to privacy, access, and scheduling:
  1. Go to SettingsOrganization.
  2. Select the Reports tab.
  3. Click Edit settings. report-editSettings
  4. Fill in the following fields: reports-settingsOrg
  • Categories. Lets you limit the available categories to those defined by the organization, preventing the use of custom (ad hoc) names.
  • Reports - Access governance. Lets you control who can create private reports and configure schedules. Sub-organizations inherit this configuration from the main organization.
  • Creation and privacy. Lets you define which roles can create reports and whether private reports are available for the Organization administrator and L3 engineering team.
    • Allow L1 support team to create reports (private only).
    • Allow L2 support team to create reports (private only).
    • Allow the Organization administrator and L3 engineering team roles to mark reports as private.
  • Access to other users’ private reports. Lets you enable read-only access for the Organization administrator and L3 engineering team to private reports owned by other users.
    • Allow the Organization administrator and L3 engineering team to access private reports owned by other users (read only).
  • Scheduling. Lets you define which roles can configure automatic schedules for their own reports.
    • Allow the L1 support team to schedule their reports.
    • Allow the L2 support team to schedule their reports.

Considerations about permissions

  • Private reports can only be viewed and managed by the user who created them.
  • The information visible within a report will always depend on the user’s role configuration and their visibility over organizations and reporting groups.
  • A user will never be able to view information from organizations or reporting groups over which they do not have permissions.
  • During scheduled report executions, the current permissions and visibility of the user who owns the report will always be applied.
The following identifiers refer to the options available in the Edit settings window:
IdentifierSetting
AAllow L1 support team to create reports (private only)
BAllow L2 support team to create reports (private only)
CAllow the Organization administrator and L3 engineering team to mark reports as private
DAllow the Organization administrator and L3 engineering team to access private reports owned by other users (read only)
EAllow the L1 support team to schedule their reports
FAllow the L2 support team to schedule their reports

Permissions by role

L1 support team

FeatureL1 support team
Create a report✅ Private only if A=true
Share reports with sub-organizations (delegated tenants)
Create a shared report
Configure the scheduling of a report✅ Own only if E=true
Edit scheduling or sharing of a report created by another Organization administrator or L3 engineering team
Edit a shared report
View private reports of other users✅ Own only if A=true
Edit private reports✅ Own only if A=true
Define whether the report is private❌ Own reports are always private
Use Clone and modify✅ Own only if A=true
View report executions✅ Own only if E=true
Create categories

L2 support team

FeatureL2 support team
Create a report✅ Private only if B=true
Share reports with sub-organizations (delegated tenants)
Create a shared report
Configure the scheduling of a report✅ Own only if F=true
Edit scheduling or sharing of a report created by another Organization administrator or L3 engineering team
Edit a shared report
View private reports of other users✅ Own only if B=true
Edit private reports✅ Own only if B=true
Define whether the report is private❌ Own reports are always private
Use Clone and modify✅ Own only if B=true
View report executions✅ Own only if F=true
Create categories

Organization administrator or L3 engineering team

FeatureOrganization administrator or L3 engineering team
Create a report
Share reports with sub-organizations (delegated tenants)
Create a shared report
Configure the scheduling of a report
Edit scheduling or sharing of a report created by another Organization administrator or L3 engineering team
Edit a shared report
View private reports of other users✅ Only if D=true
Edit private reports✅ Own only
Define whether the report is private✅ Only if C=true
Use Clone and modify
View report executions
Create categories

Create category

To create a new report category:
  1. Go to SettingsOrganization.
  2. Select the ReportsReport categories tab. report-createCateg
  3. Click Create category.
  4. Fill in the Name and Description fields. org-createCatReport

Authentication

From this tab, an Organization administrator user can enable or disable the option to sign in using email and password for users in the organization. If sub-organizations exist, the functionality can only be enabled or disabled from the main organization. The Enable email/password authentication or Disable email/password authentication button, depending on the case, lets you enable or disable the ability to allow email and password sign-in for members of an organization or sub-organization.
If this option is disabled, users will not be able to sign in with email and password or manage their account. All user credentials will be deleted. If this feature is re-enabled later, users will need to reset their password and two-factor authentication again.
org-auth

User table

Displays the list of the organization’s members. At a glance, you can see which members have email and password sign-in enabled.

Authentication details for a user

If you click on a user’s name in the table, you can access cards with specific information about the enabled authentication method:
  • Microsoft Entra ID. Job title, Phone, Last sign-in, Sign-in count, Last IP address.
  • Google. Last sign-in, Sign-in count, and Last IP address.
  • Email and password authentication. Last sign-in, Sign-in count, and Last IP address. In addition, from here the administrator can manage the Authentication security settings for that specific user, including Two-factor authentication and Password.
user-authentication-detail

Products

This tab shows the Flexxible environments and products associated with the organization. org-prod The table includes the following fields:
  • Environment
  • Product type
  • Code
  • Region
  • Creation date
  • Status
  • Action
Each record can be expanded to view a chart with the product’s consumption statistics. open-envirom Clicking Report explorer expands the chart and lets you filter the information by periods. report-explorer The Action column includes access to additional functionality: View details and FlexxAgent settings.

View details

The View details button lets you consult and modify the product information:
  • Environment. Environment where the product runs.
  • ServiceNow environment. Identifier of the associated ServiceNow instance.
  • License key. Unique identifier of the product license.
  • Creation date. Date and time the product was created in the organization.
  • Status. Lets you enable or disable the product.
  • Digital Activity. Lets you enable or disable this functionality.

FlexxAgent settings

The Agent settings button lets you adjust the agent’s behavior. product-settings
  • Uninstall protection Lets you prevent the user from uninstalling the agent.
    Requires FlexxAgent version 25.4.2 or later.
  • Web Apps Defines whether FlexxAgent collects information about web applications.
  • Metrics
    • Additional event log event IDs Lets you specify additional event log IDs that FlexxAgent should collect. By default, only Critical and Error events are collected from the Application, Security, and System logs. You can add events of the following types:
      • Critical
      • Error
      • Warning
      • Information
      To add IDs:
      • Enter the numeric value.
      • Press Tab or Enter to confirm.
      Multiple IDs can be defined. New events will be reflected after the configured event collection interval. To verify whether an event will be detected by FlexxAgent, run the following command on the device: Get-WmiObject -Query "Select * from Win32_NTLogEvent WHERE EventCode = XX"
  • Flexxible Remote Assistance
    • 1. Remote assistance Lets you define the type of remote assistance that will be used at the organization level. Available options:
      • None: the device will not be able to receive remote assistance.
      • Interactive (attended)
      • Interactive and unattended
      • Dynamic
    • 2. Actions as system role Defines which user role can run applications (CMD, PowerShell, Task Manager, and Regedit) as the system user in the assisted user’s session during a remote session.
      This feature can pose a risk if used incorrectly.
    • 3. Security Lets you choose between:
      • Default
      • Simplified
    After modifying the Security setting, a few minutes may pass before it is applied on all devices. In some cases, restarting the computer may be required.
    3.1. Simplified security This functionality reduces the time required to start a remote assistance session without having any practical effect on security. From a security standpoint, the usual conditions are maintained.
    This feature is disabled by default.
    Differences between default and simplified security

    1. Service execution mode

    Default securitySimplified security
    Service execution is performed on demand for each session. In interactive assistance sessions, the executable is launched in the user’s session, and in unattended assistance sessions, the service is installed. When the session ends, the process is stopped or the service is uninstalled.FlexxAgent automatically installs the service. It configures it (including parameters such as proxy), shuts it down, and disables it. It is enabled and started only when it receives a remote assistance request.

    2. Name and paths of files, services, and processes

    Security typeRemote assistanceAnyDesk process namePath to the processService name
    DefaultInteractive (attended)FlexxibleRemoteAssistance_Input.exeC:\Users\xxxxx\FLXRA\FlexxibleRemoteAssistance_Input.exe
    DefaultUnattendedFlexxibleRemoteAssistance-53595ae9.exec:\Program Files\flexxible\flexxagent\FLXRA\FlexxibleRemoteAssistance\FlexxibleRemoteAssistance-53595ae9.exeAnyDesk-53595ae9
    SimplifiedInteractive (attended) and UnattendedAnyDesk-53595ae9_msi.exec:\Program Files (x86)\AnyDesk-53595ae9_msi\AnyDesk-53595ae9_msi.exeAnyDesk-53595ae9_msi
    Simplified security requirements
    • FlexxAgent version 26.4.1.0 or later on the remote device.
    • Setting enabled on the corresponding reporting group.
    Limitations This functionality is available for all devices, except:
    • Virtual machines with Windows Client (Windows 7, 8, 10, 11)
    • Devices with FlexxAgent Cross-Platform (this functionality is coming soon).
    Benefits
    • Reduction of the remote assistance file generation time by 50% to 85% depending on the type of assistance.
    • The Ctrl + Alt + Del key combination is supported in both interactive (attended) and unattended assistance.
    Checks
    • To verify that the agent is configured with Simplified security:
      • Review the Windows services on the device.
      • Check whether the AnyDesk Client Service exists. Except during an active remote assistance session, this service must be stopped and disabled.
    • To find out whether a remote assistance session is running in Simplified security mode:
      • Each remote assistance session generates the EventLogId 666 event on the target device, visible from the device itself or from the Event log tab in Workspaces. This event includes a line that indicates the execution mode of the remote assistance for that session.
Each reporting group in the organization can edit its own remote assistance configuration to adapt it to its needs.
  • 4. Silent unattended FRA
    • Lets you perform unattended remote assistance sessions without showing on screen that assistance is being performed.
    • Useful on devices such as kiosks or computers with sessions visible to the public.
This feature is disabled by default.
  • Analyzer proxy FlexxAgent consists of a Windows service called FlexxAgent Service, which manages two processes: FlexxAgent, which runs at system level, and FlexxAgent Analyzer, which is started for each user session. The proxy configuration for FlexxAgent Analyzer is not always the same as that of FlexxAgent, so, depending on how the proxy works in each environment, it will be necessary to set its options appropriately.
    • System proxy configuration
      • FlexxAgent Analyzer automatically detects the proxy configuration and uses it.
      • Flexxible recommends this configuration for system proxies.
    • Configuration detected by FlexxAgent
      • In this case, FlexxAgent uses the credentials found in the registry, if defined during installation.
      • If not configured, FlexxAgent automatically detects the proxy configuration.
      • FlexxAgent Analyzer uses the detected configuration for the Uniform Resource Identifier (URI), the user, and the password.
Some of the FlexxAgent configuration options are not visible to users with the Organization administrator role.

Modules

This tab shows a list of the Flexxible product modules available to the organization, as well as those created by users themselves. The table contains the module name, the corresponding URL, and its visibility level. From View details, you can assign a label and a URL to the selected module and define whether it is visible as Featured or Secondary. When it is featured, it appears among the main modules on the Home page; when it is secondary, it is displayed as a list under the View more button.

Create a module

The New button lets you create custom modules to get the most out of the platform. For example, in the images below, you can see how a module has been created for the Flexxible documentation website.

Domains

The platform lets you configure sign-in through SAML authentication, a single sign-on (SSO) technology that lets organizations connect their identity managers with the Flexxible platform. To configure sign-in with this method, adjustments must be made related to recognizing the organization’s domain and integrating with the identity manager used. From this tab, an Organization administrator can register and verify the domains that will be used. They can also access the table with the list of domains and consult its details view. The table shows the following information:
  • Domain name. Web address registered by the organization.
  • Status. Verified or Not verified.
  • Created on. Domain creation date and time.
  • Created by. User who registered the domain.

Create a domain

To configure a domain, it must first be registered and then verified.
  1. Go to OrganizationDomains.
  2. Click Create domain.
  3. Enter the organization’s domain (corresponding to the email address of the users who will sign in with SAML).
  4. Click New.
The domain will be added to the table with the Not verified status.

Verify the domain

  1. In the Domains table, select the registered domain.
  2. A window will be displayed with instructions for adding a TXT record in DNS, required to verify ownership.
  3. Click Verify now to complete the process.

Delete a domain

  1. Go to OrganizationDomains.
  2. Select the domain you want to delete from the table.
  3. In the details window, click Delete.
When a domain is deleted, users associated with it will no longer be able to authenticate via SAML, until it is registered again.

SSO integrations

SSO integrations lets users with email addresses from specific domains authenticate through the organization’s identity provider.

Create an SSO connection

  1. Go to OrganizationSSO integrations.
  2. Click Create connection and follow the instructions in the wizard, which will guide the Organization administrator through configuration and testing depending on the identity manager used.
The available identity managers are:
  • Okta
  • Entra ID
  • Custom SAML
For each case, a wizard is available that provides step-by-step guidance for the specific configuration within the selected identity manager.
Some of the data requested during configuration may have different names depending on the identity manager. For example, in Custom SAML:
  • The Single Sign-On URL field may appear in the identity manager as Reply URL (Assertion Consumer Service URL).
  • The Service Provider Entity ID field may be called Identifier (Entity ID).
If any question arises during the configuration process, please consult your Flexxible contact.
Once the process is complete, users from the associated domains will be able to sign in by entering their email in the corresponding field and clicking Continue with email. If the system recognizes the domain as enabled for SSO, it will redirect the user to the organization’s identity manager to authenticate.

Edit an SSO connection

The platform lets you edit an existing SSO connection, either to update the configuration or to renew the certificate in case of expiration.
  1. Go to OrganizationSSO integrations.
  2. Select a record in the table.
  3. Click Edit connection.
Selecting the Enable SCIM user provisioning checkbox is optional. See more information in SCIM provisioning.

Delete an SSO connection

  1. Go to OrganizationSSO integrations.
  2. Select the corresponding record in the table.

SCIM provisioning

The System for Cross-domain Identity Management (SCIM) is a user provisioning and management standard that complements SAML authentication. It is optional, and its function is to automate the creation, update, and deletion of user accounts on the platform, keeping information in sync between the organization’s identity manager (Okta, Entra ID, etc.) and the Flexxible platform. When SCIM is enabled, the identity manager can send the platform basic user information (name, email, group), which facilitates onboarding and offboarding management. In this way, the user’s lifecycle on the platform is centrally controlled from the identity manager.
The SCIM provisioning tab will be visible after creating user groups in the identity manager.

Enable SCIM

To use SCIM, SAML authentication must have been previously configured:
  1. Go to OrganizationSSO integrations.
  2. In the table, select the corresponding SSO connection.
  3. Select the Enable SCIM user provisioning option.
Once the option is activated, the following will appear at the bottom of the configuration window:
  • SCIM endpoint
  • Authentication token
This data is confidential and must be stored securely.
In environments with sub-organizations, the SCIM integration must be defined in the “parent” tenant.

Configure SCIM in the identity manager

In the organization’s identity manager, you must enter the SCIM endpoint and the authentication token provided. Example with Entra ID:
  1. Go to Provisioning.
  2. Enter the SCIM endpoint and the authentication token.
  3. Select the authentication method: Bearer token or Bearer Authentication.
  4. Click Test connection to validate the sync.
  5. Enable provisioning.
From this point on, the identity manager will begin syncing groups and users to the platform.
  • If Okta is used as the identity provider:
    • SCIM functionality must be configured using the Custom SAML option, since Okta does not support SCIM if the connection is with OIDC.
    • When configuring the Custom SAML connection, the Application username format must be set to Email, otherwise users will not be able to authenticate.

Create user groups in the identity manager

To integrate users via SCIM, groups must be created in the identity manager.

Considerations

  • Create groups specifically dedicated to the platform with clear and exclusive names (e.g., MyOrg-Portal-L2).
  • When user groups are created or deleted in the identity manager, they will also be automatically created or deleted on the platform.
  • Do not create nested groups.
  • A user must belong to only one group; otherwise, unexpected behaviors may occur: on the platform, a user cannot have more than one role.
  • There cannot be users without an assigned group.
  • Users belonging to a group that does not have a role linked to it will not be visible in the Users list.
After creating user groups in the identity manager, the SCIM provisioning tab will appear automatically in the menu.

Role mapping

In the table of the SCIM provisioning tab, you can see the groups created in the identity manager. This happens because a one-way sync has been established, from the identity manager to the platform. To map roles:
  1. Go to OrganizationSCIM provisioning.
  2. Select a synced group from the table.
  3. In the modal window, assign the corresponding role.
  4. If an organization (tenant) has sub-organizations, choose which sub-organization the group belongs to before assigning a role.
Once all groups are linked to a role, no further configuration is needed. New users added or removed from groups in the identity manager will be automatically synced with the platform.

Considerations about roles

  • Every synced group must have a role assigned so that its users are visible and functional.
  • The same role can be assigned to different groups.
  • The role assigned to a group can be modified at any time by following the same steps used to assign the role.
  • In the Users list, the Created by and Updated by columns will be shown to identify users managed by SCIM.

Role sync

The sync frequency depends on the identity manager used (for example, Entra ID syncs every 40 minutes), although it is possible to force a manual sync from the identity manager itself to perform tests or urgent changes without waiting for the automatic cycle. To avoid depending on those intervals, the platform includes the Sync assigned roles button, which lets you align the roles of users belonging to groups created with SCIM. This action performs the following operations:
  • Reviews all users belonging to groups created via SCIM.
  • Checks whether the role assigned to each user matches the role mapped for their group.
  • If it detects discrepancies, it automatically updates the user’s role.
If the role belongs to another sub-organization, the user will be automatically moved to the corresponding sub-organization. At the end of the process, a detailed summary of the modified data is displayed.
It is not necessary to run the Sync assigned roles action on a regular basis. It is recommended to use it only when a change is made to the mapped roles.

API keys

Shows a table with the list of API keys created in the organization. The fields contain the following information:
  • Name. Name assigned to the API key.
  • Status. Can be Active, Expired, or Revoked.
  • Key ID. ID corresponding to the API key.
  • Role. Role of the user who will access the API.
  • Creation date. Date and time the key was created.
  • Expiration date. Date and time the key expires.
  • Revocation date. If it has been revoked, revocation date and time.

Create an API key

  1. Go to OrganizationAPI keys.
  2. Click Create API key.
  3. Fill in the form:
    • Name. API key identifier.
    • Role. Role assigned to the user.
    • Duration. Key validity period.
  4. Click Save.