Version: 26.4

Organization

Organization allows managing the functionalities that affect the organization's environment globally, from assigning the name on the platform to configuring remote assistance.

Management can be done from the following sections:

General

Allows defining general information about the organization, which can be updated at any time using the Edit button. The following data can be modified:

  • Name. Organization's name.
  • Email. Associated email address.
  • Language. Configured language.
  • Country. Country the organization belongs to.
  • Sector. The sector it belongs to.
  • Description. Description of the organization.

Additionally, from this section you can also access the following information:

  • Members. Number of members that the organization has registered on the platform.
  • Products. Number of Flexxible products the organization has contracted.
  • Creation Date. Date when the organization was registered on the platform.
  • Partner. For client type organizations, allows defining or modifying the partner.
  • Type. Type of organization that corresponds to it.

Branding

Facilitates the storage of information linked to the organization's brand identity. Clicking the Edit Brand Settings button leads to a form for uploading the organization's logo and cover image, as well as a palette to define corporate colors in hexadecimal format.

This section also indicates the date and time of the last update, as well as the name and email of the user who made it.

Microservices

The configuration and classification options in this section allow changing the name of the folder containing the end-user microservices and managing the predefined categories. The section also shows the date and the name of the user who updated the information.

Settings

This section shows the name assigned to the end-user microservices folder and whether the option to use predefined categories is enabled.

Folder name

When microservices are enabled to be executed by the end-user, they are automatically added to a folder on the device called Flexxible; however, this name can be modified.

Rename the microservices folder

  1. Go to Portal -> Settings -> Organization.

  2. In the left side menu, select Microservices.

  3. Click on Edit microservices configuration.

  4. Write the new name in the Folder name field. The name must be between 3 and 50 characters and can only contain letters, numbers, hyphens, and underscores.

  5. Click on Save.

info

If the device has Windows 11 as its operating system and only one microservice is enabled for an end-user, the Flexxible folder will not be displayed; instead, only the microservice icon will be visible in the start menu.

Predefined categories

This functionality allows users with the role of Organization Administrator to define and manage classification categories for the microservices. The configuration can only be carried out from the main organization and is automatically inherited by sub-organizations, ensuring consistency and preventing the creation of random categories.

Activate predefined categories

  1. Go to Portal -> Settings -> Organization.
  2. Select the Microservices tab.
  3. Click on Edit microservices configuration.
  4. Activate the Use predefined categories button.
  5. Click on Save.

When the functionality is active:

  • The Categories section is created automatically, containing a table with the list of microservices categories of the organization.

  • The categories also appear in the Designer section, so that users can only select from the available categories in the list.

Deactivate predefined categories

  1. Go to Portal -> Settings -> Organization.
  2. Select the Microservices tab.
  3. Click on Edit microservices configuration.
  4. Deactivate the Use predefined categories button.

When this option is disabled, a message is displayed informing the user that all microservices with assigned categories will lose that association, and that categories will have to be reassigned to them manually.

Categories

This tab is only enabled when the option of predefined categories is activated. It contains a table with the list of categories and allows creating new ones or deleting existing ones.

Create a predefined category

  1. Go to Portal -> Settings -> Organization.
  2. In the menu, go to Microservices -> Categories.
  3. Click on New and type the name of the new category.
  4. Click on Save.

The category name will be displayed both in the table and in the Designer section.

Delete a predefined category

  1. Go to Portal -> Settings -> Organization.
  2. In the menu, go to Microservices -> Categories.
  3. Select a category from the table and click on Delete.

When a category is deleted, the microservices associated with it will become uncategorized and it will be necessary to manually assign them to another category.

Reports

From this tab, you can create and manage the categories associated with the reports generated in the section Create with AI - Reports.

Settings

Indicates whether the use of predefined categories is enabled or disabled in the organization.

Categories

Displays a table with the defined categories. Each record includes the following fields:

  • Name. Category identifier.
  • Description. Descriptive information about the category.
  • Number of queries. Total queries made on the reports associated with the category.
  • Created on. Date and time of creation.
  • Created by. User who created the category.
  • Updated on. Date and time of the last modification.

Available actions

  • Create categories. Allows you to create a new category by specifying its name and description.
  • Edit setup. Allows you to define if predefined categories are used in the organization.
  • View audit log. Allows access to the Audit view.

Authentication

From this tab, an Organization Administrator can enable or disable the option to log in using email and password for the organization's users. If there are sub-organizations, the functionality can only be enabled or disabled from the main organization.

The Enable email/password authentication or Disable email/password authentication button, as applicable, controls whether members of an organization or sub-organization can activate login with email and password.

warning

If this option is disabled, users will not be able to log in with email and password or manage their account. All user credentials will be deleted. If this feature is re-enabled, users will need to reset their password and two-factor authentication again.

User table

Shows the list of organization members. At a glance, you can see which members have the option to log in via email and password enabled.

User authentication detail

By clicking on a user's name in the table, you can access cards with specific information about the authentication method they have enabled:

  • Microsoft Entra ID. Role, Phone, Last login, Login count, Last IP address.

  • Google. Last login, Login count, and Last IP address.

  • Email and password authentication. Last login, Login count, and Last IP address. Additionally, from here, the administrator can manage the Authentication security settings for that specific user, which includes Two-factor authentication and Password.

Products

This tab shows the Flexxible environments and products associated with the organization.

The table includes the following fields:

  • Environment
  • Product Type
  • Code
  • Region
  • Created date
  • State
  • Action

Each record can be expanded to view a graph with product consumption statistics.

Clicking on Report Explorer enlarges the graph and allows filtering information by periods.

In the Action column, additional functionalities are included: View Details and FlexxAgent Settings.

View details

The View Details button allows you to consult and modify product information:

  • Environment. The environment in which the product runs.
  • ServiceNow Environment. Identifier of the associated ServiceNow instance.
  • License Key. Unique identifier of the product license.
  • Creation Date. Date and time when the product was created in the organization.
  • Status. Allows you to enable or disable the product.
  • Digital Activity. Allows you to enable or disable this functionality.

FlexxAgent Configuration

The Agent Settings button allows you to adjust the agent's behavior:

  • Uninstallation Protection

    Prevents the user from uninstalling the agent.

    Requires FlexxAgent version 25.4.2 or later.

  • Metrics

    • Additional Event IDs in the Event Log

      Allows specifying additional Event Log IDs that FlexxAgent should collect.

      By default, only Critical and Error events from the Application, Security, and System logs are collected. You can add event types:

      • Critical
      • Error
      • Warning
      • Information

      To add IDs:

      • Enter the numeric value.
      • Press Tab or Enter to confirm.

      You can define multiple IDs. New events will be reflected after the configured event collection interval.

      To check if an event will be detected by FlexxAgent, execute the following command on the device:

      Get-WmiObject -Query "Select * from Win32_NTLogEvent WHERE EventCode = XX"

  • Flexxible Remote Assistance

    • 1. Remote Assistance

      Allows defining the type of remote assistance used at the organization level.

      Available options:

      • None: the device will not be able to receive remote assistance.
      • Interactive (attended)
      • Interactive and unattended
      • Dynamic
    • 2. Actions as a system role

      Defines which Workspaces user role can run applications (CMD, PowerShell, Task Manager, and Regedit) as a system user in the assisted user's session during a remote session.

      This feature can pose a risk if used incorrectly.

    • 3. Security

      Allows selecting between:

      • Default
      • Simplified

    note

    After modifying Security settings, it may take a few minutes to apply to all devices. In some cases, restarting the computer may be necessary.

    3.1. Simplified Security

    This functionality reduces the time needed to start a remote assistance session without any practical effect at the security level.

    At the security level, the usual conditions are maintained.

    This feature is disabled by default.

    Differences between default and simplified security

    1. Service execution mode

    • Default Security. Service execution is performed on demand in each session. In interactive assistance, the executable is launched in the user's session, and in unattended assistance, the service is installed. At the end of the session, the process stops or the service is uninstalled.
    • Simplified Security. FlexxAgent automatically installs the service, configures it (including parameters such as the proxy), stops it, and disables it. It is enabled and started only when a remote assistance request is received from Portal.

    2. File names and paths, services, and processes

    | Security Type | Remote Assistance | AnyDesk Process Name | Process Path | Service Name |
    | --- | --- | --- | --- | --- |
    | Default | Interactive (attended) | FlexxibleRemoteAssistance_Input.exe | C:\Users\xxxxx\FLXRA\FlexxibleRemoteAssistance_Input.exe | |
    | Default | Unattended | FlexxibleRemoteAssistance-53595ae9.exe | c:\Program Files\flexxible\flexxagent\FLXRA\FlexxibleRemoteAssistance\FlexxibleRemoteAssistance-53595ae9.exe | AnyDesk-53595ae9 |
    | Simplified | Interactive (attended) and Unattended | AnyDesk-53595ae9_msi.exe | c:\Program Files (x86)\AnyDesk-53595ae9_msi\AnyDesk-53595ae9_msi.exe | AnyDesk-53595ae9_msi |

    Simplified Security requirements

    • FlexxAgent version 26.4.1.0 or later on the remote device.
    • Setting enabled in the corresponding reporting group.

    Limitations

    This functionality is available for all devices, except:

    • Virtual machines with Windows Client (Windows 7, 8, 10, 11)
    • Devices with FlexxAgent Cross-Platform (this functionality is coming soon).

    Advantages

    • Reduction of remote assistance file generation time, between 50% and 85% depending on the type of assistance.

    • The key combination Ctrl + Alt + Del is supported in both interactive (attended) and unattended assistance.

    Checks

    • To verify that the agent is configured with Simplified Security:

      • Review Windows services on the device.
      • Check whether the AnyDesk Client Service exists. Except during an active remote assistance session, this service should be stopped and disabled.
    • To know if remote assistance is running in Simplified Security mode:

      • Each remote assistance session generates the event EventLogId 666 on the target device, visible from the device itself or from the Event Log tab in Workspaces. This event includes a line indicating the execution mode of remote assistance for that session.

Each reporting group that the organization has can edit its own remote assistance configuration to suit its needs.

  • 4. Silent Unattended FRA

    • Allows performing unattended remote assistance without showing on screen that assistance is taking place.
    • Useful on devices like kiosks or computers with sessions visible to the public.

This feature is disabled by default.

  • Analyzer Proxy

    FlexxAgent consists of a Windows service called FlexxAgent Service, which manages two processes: FlexxAgent, which runs at the system level, and FlexxAgent Analyzer, which starts for each user session.

    The proxy configuration of FlexxAgent Analyzer is not always the same as that of FlexxAgent, so its settings must be configured to match how the proxy operates in each environment.

    • System proxy settings

      • FlexxAgent Analyzer automatically detects and uses the proxy settings.
      • Flexxible recommends this configuration for the system proxy.
    • FlexxAgent detected config

      • In this case, FlexxAgent uses the credentials found in the registry if they are defined during installation.
      • If not configured, FlexxAgent automatically detects the proxy settings.
      • FlexxAgent Analyzer uses the detected settings for the Uniform Resource Identifier (URI), user, and password.
info

Some of the configuration options of FlexxAgent are not visible to users with the Organization Administrator role.
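
The device-side checks described above under Metrics and Simplified Security (the Event ID query, the state of the remote assistance service, and Event ID 666) can be scripted together. This is an added example, not Flexxible code: the function names are hypothetical, the service filter assumes the AnyDesk- name prefix shown in the table above and the AnyDesk Client Service display name, and Event IDs 1074 and 6008 are sample values chosen for illustration.

```powershell
# Added example (not Flexxible code). Run on the managed device in an elevated session.

function Get-EventIdCoverage {
    # For each candidate Event ID, list the logs and event types it has been
    # recorded under, using the same WMI class as the documented query.
    param([Parameter(Mandatory)][int[]]$EventId)

    foreach ($id in $EventId) {
        $query  = "SELECT * FROM Win32_NTLogEvent WHERE EventCode = $id"
        $events = @(Get-CimInstance -Query $query)
        if ($events.Count -eq 0) {
            # The WMI class returned no record with this ID on this device.
            [pscustomobject]@{ EventId = $id; Logfile = $null; Type = $null; Count = 0 }
            continue
        }
        $events | Group-Object Logfile, Type | ForEach-Object {
            [pscustomobject]@{
                EventId = $id
                Logfile = $_.Group[0].Logfile
                Type    = $_.Group[0].Type
                Count   = $_.Count
            }
        }
    }
}

function Get-RemoteAssistanceServiceState {
    # Assumption: the service is found by the "AnyDesk-" name prefix from the
    # table above or by a display name starting with "AnyDesk".
    $filter = "Name LIKE 'AnyDesk-%' OR DisplayName LIKE 'AnyDesk%'"
    Get-CimInstance -ClassName Win32_Service -Filter $filter | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State       # e.g. Running, Stopped
            StartMode   = $_.StartMode   # e.g. Auto, Manual, Disabled
            PathName    = $_.PathName
            # Idle state documented for Simplified Security outside a session.
            StoppedAndDisabled = ($_.State -eq 'Stopped' -and $_.StartMode -eq 'Disabled')
        }
    }
}

function Get-RemoteAssistanceSessionEvent {
    # Most recent records with Event ID 666. The page does not name the log or
    # source, so none is assumed; SourceName is returned to tell records apart.
    param([int]$Newest = 5)

    Get-CimInstance -Query "SELECT * FROM Win32_NTLogEvent WHERE EventCode = 666" |
        Sort-Object TimeGenerated -Descending |
        Select-Object -First $Newest TimeGenerated, Logfile, SourceName, Message
}

# Sample Event IDs (constructed for illustration).
Get-EventIdCoverage -EventId 1074, 6008 | Format-Table -AutoSize
Get-RemoteAssistanceServiceState | Format-List
Get-RemoteAssistanceSessionEvent | Format-List
```

A service that reports StoppedAndDisabled as False while no remote assistance session is open does not match the idle state described for Simplified Security and is worth reviewing against the reporting group's settings.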

Modules

This tab shows a list of Flexxible product modules available for the organization, as well as those created by the users themselves.

The table contains the module name, its corresponding URL, and its visibility level. From See detail, a label and URL can be assigned to the selected module, and you can define whether it is visible as Featured or Secondary. When it is featured, it appears among the main modules in the Home section of Portal; when it is secondary, it is shown as a list under the View more button.

Create module

The New button allows you to create custom modules to maximize the platform's utility. For example, in the images below, you can see how a module for Flexxible's documentation webpage has been created.

Domains

Portal allows you to configure login through SAML authentication, a single sign-on (SSO) technology that lets organizations connect their identity managers with the Flexxible platform.

To set up login with this method, you need to make adjustments related to recognizing the organization's domain and integrating with the identity manager used.

From this tab, an Organization Administrator can register and verify the domains to be used. You can also access the table with the domain list and consult its detail view.

The table shows the following information:

  • Domain name. Web address registered by the organization.
  • Status. Verified or Not verified.
  • Created on. Domain creation date and time.
  • Created by. User who registered the domain.

Create a domain

To configure a domain, it must first be registered and then verified.

  1. Access Portal -> Organization ->

  2. In the menu, select the Domains tab.

  3. Click Create domain.

  4. Enter the organization's domain (corresponding to the email of the users who will log in with SAML).

  5. Click on New.

The domain will be added to the table with the status Not verified.

Verify the domain

  1. In the Domains table, select the registered domain.

  2. A window will appear with instructions to add a TXT record in DNS, necessary to verify ownership.

  3. Click Verify now to complete the process.

Remove domain

  1. Access Portal -> Organization.
  2. In the menu, select the Domains tab.
  3. Select the domain in the table that you want to remove.
  4. In the detail window, click Remove.

By removing a domain, users associated with it will no longer be able to authenticate via SAML until it is registered again.

SSO Integrations

SSO Integrations allow users with email addresses from specific domains to authenticate through the organization's identity provider.

Create an SSO connection

  1. Access Portal -> Organization.
  2. In the menu, select the SSO Integrations tab.
  3. Click Create connection and follow the wizard instructions, which will guide the Organization Administrator through the setup and testing according to the identity manager used.

Available identity managers:

  • Okta
  • Entra ID
  • Custom SAML

For each case, a wizard will guide you step by step in the specific setup within the selected identity manager.

tip

Some of the requested data during setup may have different names depending on the identity manager. For example, in Custom SAML:

  • The Single Sign-On URL field may appear in the identity manager as Reply URL (Assertion Consumer Service URL).
  • The Service Provider Entity ID field may be called Identifier (Entity ID).
note

If any doubts arise during the setup process, please consult with your contact at Flexxible.

Once the process is completed, users from associated domains will be able to log in by entering their email address in the appropriate field and clicking Continue with email.

If the system recognizes the domain as enabled for SSO, it will redirect the user to the organization's identity manager for authentication.

Edit an SSO connection

The platform allows editing an existing SSO connection either to update the configuration or renew the certificate in case of expiration.

  1. Access Portal -> Organization.

  2. In the menu, select the SSO Integrations tab.

  3. Select a record in the table.

  4. Click Edit connection.

Checking the Enable SCIM user provisioning checkbox is optional. More information in SCIM Provisioning.

Remove an SSO connection

  1. Access Portal -> Organization.
  2. In the menu, select the SSO Integrations tab.
  3. Select the corresponding record in the table.

SCIM Provisioning

The System for Cross-domain Identity Management (SCIM) is a user provisioning and management standard that complements authentication with SAML. It is optional and automates the creation, update, and removal of user accounts in Portal, keeping information synchronized between the organization's identity manager (Okta, Entra ID, etc.) and the Flexxible platform.

When SCIM is enabled, the identity manager can send basic user information (name, email, group) to Portal, simplifying account management. This way, the user's lifecycle in Portal is centrally controlled from the identity manager.

note

The SCIM Provisioning tab will be visible after creating user groups in the identity manager.

Enable SCIM in Portal

To use SCIM, it is essential to have previously set up authentication with SAML:

  1. Access Portal -> Organization.
  2. In the menu, select the SSO Integrations tab.
  3. In the table, select the corresponding SSO connection.
  4. Check the Enable SCIM user provisioning option.

When the option is activated, the following will appear at the bottom of the configuration window:

  • SCIM endpoint
  • Authentication token
warning

These details are confidential and should be stored securely.

info

In environments with sub-organizations, the SCIM integration must be defined in the "parent" tenant.

Configure SCIM in the identity manager

In the organization's identity manager, enter the SCIM endpoint and authentication token provided in Portal.

Example with Entra ID:

  1. Go to Provisioning.

  2. Enter the SCIM endpoint and authentication token.

  3. Select the authentication method: Bearer token or Bearer Authentication.

  4. Click Test connection to validate synchronization.

  5. Activate provisioning.

From that moment, the identity manager will start syncing groups and users to Portal.

info
  • If Okta is used as the identity provider:
    • The SCIM functionality has to be configured using the Custom SAML option, as Okta does not support SCIM when the connection is with OIDC.
    • When configuring the Custom SAML connection, the Application username format must be specified as Email, otherwise users will not be able to authenticate.

Create user groups in the identity manager

To integrate users via SCIM, it is essential to create groups in the identity manager.

Considerations

  • Create groups specifically dedicated to Portal with clear and exclusive names (e.g. MiOrg-Portal-L2).
  • When user groups are created or deleted in the identity manager, they will also be automatically created or deleted in Portal.
  • Do not create nested groups.
  • A user should belong to only one group; otherwise, unexpected behavior may arise, because in Portal a user cannot have more than one role.
  • There cannot be users without an assigned group.
  • Users belonging to a group without a linked role won't be visible in the Users list.
info

After creating user groups in the identity manager, the SCIM Provisioning tab will automatically appear in the menu.
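
The considerations above can be checked against a membership export before provisioning is activated. This is an added example, not Flexxible or identity-provider code: the function name, the GroupName / MemberType / Member export shape, and all sample rows are constructed for illustration.

```powershell
# Added example (not Flexxible or identity-provider code).
# Constructed sample: one row per group membership, in a hypothetical
# GroupName / MemberType / Member export shape.
$sampleMembership = @(
    [pscustomobject]@{ GroupName = 'MiOrg-Portal-L1'; MemberType = 'User';  Member = 'ana@example.com' }
    [pscustomobject]@{ GroupName = 'MiOrg-Portal-L2'; MemberType = 'User';  Member = 'ana@example.com' }
    [pscustomobject]@{ GroupName = 'MiOrg-Portal-L2'; MemberType = 'User';  Member = 'luis@example.com' }
    [pscustomobject]@{ GroupName = 'MiOrg-Portal-L2'; MemberType = 'Group'; Member = 'MiOrg-Helpdesk' }
)
# Constructed list of users that are in scope for provisioning to Portal.
$sampleScopedUser = 'ana@example.com', 'luis@example.com', 'marta@example.com'

function Test-ScimGroupLayout {
    param(
        [Parameter(Mandatory)][object[]]$Membership,
        [Parameter(Mandatory)][string[]]$ScopedUser
    )

    # User rows only, with duplicate (user, group) pairs collapsed.
    $userRows = @($Membership |
        Where-Object { $_.MemberType -eq 'User' } |
        Sort-Object Member, GroupName -Unique)

    # "Do not create nested groups."
    $Membership | Where-Object { $_.MemberType -eq 'Group' } | ForEach-Object {
        [pscustomobject]@{ Rule = 'NestedGroup'; Subject = $_.Member; Detail = "member of $($_.GroupName)" }
    }

    # "A user should belong to only one group" (one role per user in Portal).
    $userRows | Group-Object Member | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $groups = ($_.Group | ForEach-Object { $_.GroupName } | Sort-Object -Unique) -join ', '
        [pscustomobject]@{ Rule = 'MultipleGroups'; Subject = $_.Name; Detail = $groups }
    }

    # "There cannot be users without an assigned group."
    $assigned = @($userRows | ForEach-Object { $_.Member })
    $ScopedUser | Where-Object { $assigned -notcontains $_ } | ForEach-Object {
        [pscustomobject]@{ Rule = 'NoGroup'; Subject = $_; Detail = 'in scope but not in any Portal group' }
    }
}

Test-ScimGroupLayout -Membership $sampleMembership -ScopedUser $sampleScopedUser |
    Format-Table -AutoSize
```

An empty result means the export satisfies the three rules that can be checked mechanically; group naming and role mapping still have to be reviewed by hand.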

Role mapping in Portal

In the SCIM Provisioning tab table, you can see the groups created in the identity manager. This happens because a one-way synchronization has been established from the identity manager to Portal.

To map roles:

  1. Access Portal -> Organization.

  2. In the menu, select the SCIM Provisioning tab.

  3. Select a synchronized group from the table.

  4. In the modal window, assign the corresponding role.

  5. If an organization (tenant) has sub-organizations, choose which sub-organization that group belongs to before assigning it a role.

Once all groups are linked to a role, no further configuration is needed. Users added to or removed from groups in the identity manager will be automatically synchronized in Portal.

Considerations about roles

  • Every synchronized group must have a role assigned to be visible and functional in Portal.

  • The same role can be assigned to different groups.

  • The role assigned to a group can be changed at any time by following the same steps used to assign the role.

  • In the Users list, the columns Created by and Updated by will identify users managed by SCIM.

Role synchronization

The synchronization frequency depends on the identity manager used (for example, Entra ID synchronizes every 40 minutes), although manual synchronization can be forced from the identity manager itself for tests or urgent changes without waiting for the automatic cycle.

To avoid relying on those intervals, Portal includes the Sync assigned roles button, which allows aligning user roles belonging to groups created with SCIM.

This action performs the following operations:

  • Reviews all users belonging to groups created via SCIM.
  • Checks if the role assigned to each user matches the role mapped for their group.
  • If discrepancies are detected, it automatically updates the user's role.

If the role belongs to another sub-organization, the user will automatically move to the corresponding sub-organization.

At the end of the process, a detailed summary of the modified data is displayed.

info

It is not necessary to execute the Sync assigned roles action regularly. It is recommended to use it only when making a change to mapped roles.

API Keys

Displays a table with the list of API keys created in the organization.

The fields contain the following information:

  • Name. Name assigned to the API key.
  • Status. Can be Active, Expired, or Revoked.
  • Key ID. ID corresponding to the API key.
  • Role. Role of the user who will access the API.
  • Creation Date. Date and time the key was created.
  • Expiration Date. Date and time the key expires.
  • Revocation Date. If revoked, date and time of revocation.

Create an API Key

  1. Access Portal -> Organization.

  2. In the side menu, select the API Keys tab.

  3. Click on Create API Key.

  4. Fill out the form:

    • Name. Identifier of the API key.
    • Role. Role assigned to the user in Portal.
    • Duration. Validity period of the key.
  5. Click on Save.