Managing users, roles, and permissions

This section describes how to manage user access to BMC Atrium Orchestrator (BAO) and its components. It covers how to create users and roles, assign users to roles, and assign BAO component permissions to roles.

Before getting started, review the overview in Authentication and authorization.

BMC Atrium Orchestrator uses a role-based access control (RBAC) system.

To use the RBAC system, you must perform the following tasks:

  • In Remedy Single Sign-On (Remedy SSO or RSSO), create a user for each of your organization's users who will access BMC Atrium Orchestrator.
  • In Remedy SSO, create roles based on your organization's needs.
    Think about the main user roles in your organization. What are the tasks that users with these roles perform and what BAO components and content do they need to use to perform those tasks?
  • Assign users to roles.
  • Assign appropriate BMC Atrium Orchestrator access permissions to the roles.
    • Use Grid Manager to assign permissions associated with the grid.
    • Use Repository Manager to assign permissions associated with the repository and repository content.

If a user is associated with more than one role, the user is granted the most permissive permissions.

By default, BMC Atrium Orchestrator provides the aoadmin user and AoAdmin role. The role has full access to the repository and to the grid. AoAdmin is a hard-coded role and is not used to administer the system.

BMC Atrium Orchestrator provides default permissions for access to grid, repository, and repository-content. You can create other permissions based on your needs.

Recommendation

BMC recommends the following:

  • No user other than the default aoadmin user should be a member of the AoAdmin role, and this group should be used only to unlock the grid if you accidentally remove all the permissions.
  • After installing the primary CDP, remove the following permissions from the Default role: Development Studio, Grid Administration, and Grid Management.
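
The most-permissive rule and the two recommendations above can be checked mechanically. The following Python is an added example, not BMC code: it runs on a constructed in-memory role model (the Developers and Operators roles, the users alice and bob, and the repo-read and repo-write permissions are made up), and it assumes that "most permissive" means the union of the permissions of all of a user's roles.

```python
AOADMIN_ROLE, AOADMIN_USER, DEFAULT_ROLE = "AoAdmin", "aoadmin", "Default"
# Permissions the page recommends removing from the Default role.
RESTRICTED_ON_DEFAULT = {"Development Studio", "Grid Administration", "Grid Management"}

# Constructed sample data, not an export from Remedy SSO or BAO.
# "repo-read"/"repo-write", "Developers"/"Operators", "alice"/"bob" are made up.
ROLE_PERMISSIONS = {
    "AoAdmin": RESTRICTED_ON_DEFAULT | {"repo-read", "repo-write"},
    "Default": {"repo-read", "Development Studio"},
    "Developers": {"repo-read", "repo-write", "Development Studio"},
    "Operators": {"repo-read", "Grid Management"},
}
USER_ROLES = {
    "aoadmin": {"AoAdmin"},
    "alice": {"Developers", "AoAdmin"},
    "bob": {"Operators", "Developers"},
}

def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Most-permissive rule, modelled (assumption) as the union over the user's roles."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms

def granting_roles(user, permission, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Roles that must all lose `permission` before the user actually loses it."""
    return sorted(r for r in user_roles.get(user, ())
                  if permission in role_perms.get(r, set()))

def audit(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Return findings for the two recommendations on this page."""
    findings = []
    for user in sorted(user_roles):
        if AOADMIN_ROLE in user_roles[user] and user != AOADMIN_USER:
            findings.append(f"{user}: member of {AOADMIN_ROLE}")
    for perm in sorted(RESTRICTED_ON_DEFAULT & role_perms.get(DEFAULT_ROLE, set())):
        findings.append(f"{DEFAULT_ROLE} role still grants {perm}")
    return findings

if __name__ == "__main__":
    for line in audit():
        print(line)
    print("bob:", sorted(effective_permissions("bob")))
```

Because permissions accumulate across roles, removing a permission from one role revokes it for a user only if no other role in `granting_roles` still grants it.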

Note

If your organization uses Atrium Single Sign-On (ASSO) to manage user accounts, groups, and permissions, the ASSO groups correspond to BMC Atrium Orchestrator roles. Use the same group names as the corresponding role names in BAO.

BMC Atrium Single Sign-On is not supported for use with BMC Atrium Orchestrator Platform 7.9.01 and later versions.
