This documentation supports releases of BMC Helix Portal up to December 31, 2021. To view the latest version, select the version from the Product version menu.

List of permissions

This topic describes the list of permissions available for BMC Helix Portal.

To provide full permissions to all the integrated products, enable the Full access to all the resources setting.


API users (Tenant-level)

The following table describes the permissions available for managing API users (or tenant-level access keys).

More information:

Permission | Description
List


Console-level access

Allows you to list all the API users on the Users > API Users page.

API-level access

Allows you to run all the GET endpoints and the POST endpoint for searching tenant-level access keys with the List or Read permission:

GET /ims/api/v1/access_keys
GET /ims/api/v1/access_keys/{id}
POST /ims/api/v1/access_keys/search
Read

Console-level access

Allows you to access the Users > API Users page.

API-level access

Allows you to run all the GET endpoints and the POST endpoint for searching access keys with the List or Read permission:

GET /ims/api/v1/access_keys
GET /ims/api/v1/access_keys/{id}
POST /ims/api/v1/access_keys/search
Create

Console-level access

Allows you to create an API user (or tenant-level access key).

Requires the Read and List permissions in addition to the Create permission.

API-level access

Allows you to run the POST endpoints available for creating a tenant-level access key:

POST /ims/api/v1/access_keys
POST /ims/api/v1/access_keys/{id}/access_secret_key
Modify

Console-level access

Allows you to modify an API user (or tenant-level access key).

Requires the Read and List permissions in addition to the Modify permission.

API-level access

Allows you to run the PATCH endpoint available for updating a tenant-level access key:

PATCH /ims/api/v1/access_keys/{id}
Delete

Console-level access

Allows you to delete an API user (or tenant-level access key).

Requires the Read and List permissions in addition to the Delete permission.

API-level access

Allows you to run the DELETE endpoint available for deleting a tenant-level access key:

DELETE /ims/api/v1/access_keys/{id}


Users

The following table describes the permissions available for managing:

  • Users that require console access 
  • API keys (or user-level access keys)

More information:

Permission | Description
List

Console-level access

Allows you to list all the users on the Users page.

API-level access

Allows you to run all the GET endpoints and the POST endpoint for searching users with the List or Read permission:

GET /ims/api/v1/userinfo
GET /ims/api/v1/users
GET /ims/api/v1/users/{id}
POST /ims/api/v1/users/search
Read

Console-level access

Allows you to access the Users page.

API-level access

Allows you to run all the GET endpoints and the POST endpoint for searching users with the List or Read permission:

GET /ims/api/v1/userinfo
GET /ims/api/v1/users
GET /ims/api/v1/users/{id}
POST /ims/api/v1/users/search
Create

Console-level access

Allows you to create a user.

Requires the Read and List permissions in addition to the Create permission.

API-level access

Allows you to run the POST endpoint available for creating a user:

POST /ims/api/v1/users
Modify

Console-level access

Allows you to modify a user.

Requires the Read and List permissions in addition to the Modify permission.

API-level access

Allows you to run the PATCH endpoint available for updating a user:

PATCH /ims/api/v1/users/{id}
Delete

Console-level access

Allows you to delete a user.

Requires the Read and List permissions in addition to the Delete permission.

API-level access

Allows you to run the DELETE endpoint available for deleting a user:

DELETE /ims/api/v1/users/{id}
API key: List

Console-level access

Allows you to list all the API keys on the API keys page.

API-level access

Allows you to run all the GET endpoints with the API key: List or API key: Read permission.

GET /ims/api/v1/users/{user_id}/access_keys
GET /ims/api/v1/users/{user_id}/access_keys/{id}
API key: Read

Console-level access

Allows you to access the API keys page.

API-level access

Allows you to run all the GET endpoints with the API key: List or API key: Read permission.

GET /ims/api/v1/users/{user_id}/access_keys
GET /ims/api/v1/users/{user_id}/access_keys/{id}
API key: Create

Console-level access

Allows you to create an API key (or user-level access key).

Requires the Read and List permissions in addition to the API key: Create permission.

API-level access

Allows you to run the POST endpoints available for creating an API key:

POST /ims/api/v1/users/{user_id}/access_keys
POST /ims/api/v1/users/{user_id}/access_keys/{id}/access_secret_key
API key: Modify

Console-level access

Allows you to modify an API key (or user-level access key).

Requires the Read and List permissions in addition to the API key: Modify permission.

API-level access

Allows you to run the PATCH endpoint available for modifying an API key:

PATCH /ims/api/v1/users/{user_id}/access_keys/{id}
API key: Delete

Console-level access

Allows you to delete an API key (or user-level access key).

Requires the Read and List permissions in addition to the API key: Delete permission.

API-level access

Allows you to run the DELETE endpoint available for deleting an API key:

DELETE /ims/api/v1/users/{user_id}/access_keys/{id}


Permissions (general permissions for applications)

The following table describes the permissions available for viewing and getting details of permissions and resources available for the BMC Helix applications (or integrated products). 

More information: 

Permission | Description
Unrestricted access

Console-level access

List of all the integrated products on the Home page

API-level access

Enables unrestricted access for the following endpoints:

GET /ims/api/v1/applications
GET /ims/api/v1/applications/{id}
GET /ims/api/v1/applications/{application_id}/resource_types
GET /ims/api/v1/applications/{application_id}/resource_types/{resource_type_id}
POST /ims/api/v1/permissions/search
List

Console-level access

Unrestricted access

API-level access

Allows you to run the following GET endpoints with the List permission only:

GET /ims/api/v1/applications/{application_id}/resource_types/{resource_type_id}/
GET /ims/api/v1/permissions

Allows you to run the following GET endpoint with the List or Read permission:

GET /ims/api/v1/applications/{application_id}/resource_types/{resource_type_id}/
Read

Console-level access

Unrestricted access

API-level access

Allows you to run the following GET endpoint with the List or Read permission:

GET /ims/api/v1/applications/{application_id}/resource_types/{resource_type_id}/
Create

Do not use this permission.

Modify

Do not use this permission.

Delete

Do not use this permission.


Roles

The following table describes the permissions available for managing roles.

More information: 

Permission | Description
List

Console-level access

Allows you to list all the roles on the Roles and permissions page.

API-level access

Allows you to run the following GET endpoints and the POST endpoint for searching roles with the List or Read permission:

GET /ims/api/v1/roles
GET /ims/api/v1/roles/{id}
POST /ims/api/v1/roles/search
Read

Console-level access

Allows you to access the Roles and permissions page.

API-level access

Allows you to run the following GET endpoint with the Read permission only:

GET /ims/api/v1/roles/{id}/permissions

Allows you to run the following GET endpoints and the POST endpoint for searching roles with the List or Read permission:

GET /ims/api/v1/roles
GET /ims/api/v1/roles/{id}
POST /ims/api/v1/roles/search
Create

Console-level access

Allows you to create a role.

Requires the Read and List permissions in addition to the Create permission.

API-level access

Allows you to run the POST endpoint available for creating a role:

POST /ims/api/v1/roles
Modify

Console-level access

Allows you to modify a role.

Requires the following permissions in addition to the Modify permission:

  • To update a role: Roles: List, Read permissions
  • To update the role associations:
    • User group associations: User groups > Read permission
    • User associations: Users > Read permission
    • Application permission associations: Applications > Read permission

API-level access

Allows you to run the following PATCH endpoint available for updating a role:

PATCH /ims/api/v1/roles/{id}

Allows you to run the following PATCH and PUT endpoints available for updating the user group associations in a role.

Requires the User groups > Read permission in addition to the Roles > Modify permission.

PATCH /ims/api/v1/roles/{id}/groups
PUT /ims/api/v1/roles/{id}/groups

Allows you to run the following PATCH and PUT endpoints available for updating the permission associations in a role.

Requires the Applications > Read permission in addition to the Roles > Modify permission.

PATCH /ims/api/v1/roles/{id}/permissions
PUT /ims/api/v1/roles/{id}/permissions

Allows you to run the following PATCH endpoint available for updating the role associations in a composite role.

Requires the Applications > Read permission in addition to the Roles > Modify permission.

PATCH /ims/api/v1/roles/{id}/roles

Allows you to run the following PUT endpoint available for replacing the role associations in a composite role.

Requires the Roles > Read permission in addition to the Roles > Modify permission.

PUT /ims/api/v1/roles/{id}/roles

Allows you to run the following PATCH and PUT endpoints available for updating the user associations in a role.

Requires the Users > Read permission in addition to the Roles > Modify permission.

PATCH /ims/api/v1/roles/{id}/users
PUT /ims/api/v1/roles/{id}/users

Allows you to run the following POST endpoint available for updating the user mappings in roles:

POST /ims/api/v1/roles/user_mappings
Delete

Console-level access

Allows you to delete a role.

Requires the Read and List permissions in addition to the Delete permission.

API-level access

Allows you to run the DELETE endpoint available for deleting a role:

DELETE /ims/api/v1/roles/{id}
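
The API-level rows of the Roles table above, expressed as a default-deny check and a least-privilege grant calculator. This is an added example, not BMC code: the function names and the sample requests are constructed for illustration, and the "Resource > Permission" strings follow this page's notation.

```python
import re

BASE = "/ims/api/v1"
LIST_OR_READ = [{"Roles > List"}, {"Roles > Read"}]
# (methods, path regex, alternatives); any ONE alternative set is sufficient.
# Transcribed from the API-level rows of the Roles table on this page.
ROLE_RULES = [
    ("GET", "/roles", LIST_OR_READ),
    ("GET", "/roles/[^/]+", LIST_OR_READ),
    ("POST", "/roles/search", LIST_OR_READ),
    ("GET", "/roles/[^/]+/permissions", [{"Roles > Read"}]),
    ("POST", "/roles", [{"Roles > Create"}]),
    ("PATCH", "/roles/[^/]+", [{"Roles > Modify"}]),
    ("PATCH|PUT", "/roles/[^/]+/groups", [{"Roles > Modify", "User groups > Read"}]),
    ("PATCH|PUT", "/roles/[^/]+/permissions", [{"Roles > Modify", "Applications > Read"}]),
    ("PATCH", "/roles/[^/]+/roles", [{"Roles > Modify", "Applications > Read"}]),
    ("PUT", "/roles/[^/]+/roles", [{"Roles > Modify", "Roles > Read"}]),
    ("PATCH|PUT", "/roles/[^/]+/users", [{"Roles > Modify", "Users > Read"}]),
    ("POST", "/roles/user_mappings", [{"Roles > Modify"}]),
    ("DELETE", "/roles/[^/]+", [{"Roles > Delete"}]),
]

def required(method, path):
    """Return the alternative permission sets for a request, or None if unlisted."""
    for methods, pattern, alternatives in ROLE_RULES:
        if method in methods.split("|") and re.fullmatch(BASE + pattern, path):
            return alternatives
    return None

def allowed(granted, method, path):
    """Default deny: unlisted endpoints and unmet alternatives both fail."""
    alternatives = required(method, path)
    return bool(alternatives) and any(alt <= granted for alt in alternatives)

def suggest_grant(requests):
    """Least-privilege grant for the observed requests (fixed requirements first)."""
    known = [alts for alts in (required(m, p) for m, p in requests) if alts]
    grant = set()
    for alts in sorted(known, key=len):
        grant |= min(alts, key=lambda alt: len(alt - grant))
    return grant

# Constructed sample of calls made by a hypothetical automation account.
SAMPLE = [
    ("GET", "/ims/api/v1/roles"),
    ("GET", "/ims/api/v1/roles/42/permissions"),
    ("PUT", "/ims/api/v1/roles/42/users"),
]
```

For `SAMPLE`, `suggest_grant` returns Roles > Read, Roles > Modify and Users > Read; Roles > List is not needed because Read already covers the list endpoints.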


User groups

The following table describes the permissions available for managing user groups.

More information: 

Permission | Description
List

Console-level access

Allows you to list all the user groups on the User groups page.

API-level access

Allows you to run all the GET endpoints and the POST endpoint for searching user groups with the List or Read permission:

GET /ims/api/v1/groups
GET /ims/api/v1/groups/{id}
POST /ims/api/v1/groups/search
Read

Console-level access

Allows you to access the User groups page.

API-level access

Allows you to run all the GET endpoints and the POST endpoint for searching user groups with the List or Read permission:

GET /ims/api/v1/groups
GET /ims/api/v1/groups/{id}
POST /ims/api/v1/groups/search
Create

Console-level access

Allows you to create a user group.

Requires the Read and List permissions in addition to the Create permission.

API-level access

Allows you to run the POST endpoint available for creating a user group:

POST /ims/api/v1/groups
Modify

Console-level access

Allows you to modify a user group.

Requires the following permissions in addition to the Modify permission:

  • To update a user group: User groups: List, Read permissions
  • To update the user associations in the user group: Users > Read permission

API-level access

Allows you to run the following PATCH endpoint available for updating a user group:

PATCH /ims/api/v1/groups/{id}

Allows you to run the following PATCH and PUT endpoints available for updating the user associations in a group.

Requires the Users > Read permission in addition to the User Groups > Modify permission.

PATCH /ims/api/v1/groups/{id}/users
PUT /ims/api/v1/groups/{id}/users

Allows you to run the following POST endpoint available for updating the user mappings in groups:

POST /ims/api/v1/groups/user_mappings
Delete

Console-level access

Allows you to delete a user group.

Requires the Read and List permissions in addition to the Delete permission.

API-level access

Allows you to run the DELETE endpoint available for deleting a user group:

DELETE /ims/api/v1/groups/{id}


LDAP sync agent

The following table describes the permission available for accessing the LDAP sync agent.

More information: Syncing LDAP groups and users

Permission | Description
Access and download

Allows you to access and download the LDAP sync agent from the Configure menu.


Related permissions

The following links provide information about permissions available for the integrated products:

  • BMC Helix AIOps permissions
  • BMC Helix Automation Console permissions
  • BMC Helix Cloud Cost permissions
  • BMC Helix Cloud Security permissions
  • BMC Helix Continuous Optimization permissions
  • BMC Helix Dashboards permissions
  • BMC Helix Discovery permissions
  • BMC Helix Intelligent Automation permissions
  • BMC Helix Operations Management permissions