Roles and permissions
You can use roles and permissions to configure role-based access control (RBAC) for all the integrated products from a central place. You do not need to manage authorization and RBAC for each of the integrated products separately.
You can configure roles to delegate access permissions to users and groups of users.
Out-of-the-box roles and permissions
You can view all the out-of-the-box roles inherited from the integrated products on the Roles and permissions page of the BMC Helix Portal console. The tenant administrator can set up additional roles and assign appropriate permissions to them.
All the permissions available for assigning to a role are inherited from the individual integrated products. You cannot create new permissions. You can only assign existing permissions while creating or editing roles. You can assign permissions for viewing (also known as listing), creating, modifying, deleting, or managing objects. You can assign one or more permissions to roles as needed.
As a tenant administrator, you can control access to various features available with the integrated products and common services at a granular level.
The following image displays a few out-of-the-box permissions; each permission consists of three parts:
- Application or Service indicates the integrated products or common services.
- Resource indicates the objects to which you want to provide permissions.
- Permission indicates the level of access that you want to provide.
Access permissions for users and groups
As a tenant administrator, you can manage authorization for individual users, irrespective of their type, by granting them appropriate access permissions. You can grant these permissions while creating a role and assigning individual users and groups to the role. For effectively managing role-based access control (RBAC), we recommend that you add users to groups and assign groups to roles.
You can limit access permissions for users at a granular level. For example, you can grant permissions to only specific BMC products and common services. You can go a step further and grant permissions to only specific objects or features related to the products and services. You can even control the level of access that you want to grant for those objects. For example, you can restrict access to only viewing or only creating the objects. You can assign these granular-level permissions to a user via a role. Granular permissions enable tenant administrators to grant appropriate access to users across products and common services.
Roles can be of the following types. You can assign an appropriate role type to provide permissions for accessing and using the integrated products and common services.
- Role: Can be configured to provide permissions to individual users or groups.
- Composite role: Can be configured to provide multiple roles to individual users or groups.
Composite roles contain other roles. You cannot assign permissions to composite roles directly. Composite roles inherit the permissions of the associated roles.
In addition, you can designate a role as a default role, which provides access permissions to users imported from an external identity provider (IdP).
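As an added illustration (hypothetical code, not BMC Helix Portal's own API), the following Python resolves a user's effective permissions along the path described above: direct role assignments, group-to-role assignments, composite roles that inherit from the roles they contain, and a default role applied to IdP-imported users. All role, group, product and resource names are constructed.

```python
# Added, hypothetical model of the RBAC concepts above (not BMC Helix Portal's API).
# A permission is the page's triple (application or service, resource, level), where
# level is view (list), create, modify, delete or manage. Sample data is constructed;
# a non-empty "composed_of" marks a composite role, which holds no permissions of its
# own and inherits those of the roles it contains.
ROLES = {
    "event-viewer": {"permissions": {("Monitoring", "Event", "view")},
                     "composed_of": (), "default_for_idp": True},
    "event-editor": {"permissions": {("Monitoring", "Event", "create"),
                                     ("Monitoring", "Event", "modify")},
                     "composed_of": (), "default_for_idp": False},
    "report-admin": {"permissions": {("Reporting", "Report", "manage")},
                     "composed_of": (), "default_for_idp": False},
    "ops-lead": {"permissions": set(), "composed_of": ("event-editor", "report-admin"),
                 "default_for_idp": False},
}
GROUP_ROLES = {"ops-team": {"ops-lead"}}   # group -> roles (the recommended assignment path)
USER_GROUPS = {"alice": {"ops-team"}}      # user -> group memberships
USER_ROLES = {"bob": {"event-viewer"}}     # direct user -> role assignment
IDP_USERS = {"carol"}                      # users imported from an external IdP

def validate_roles(roles=ROLES):
    """Composite roles cannot carry direct permissions; reject any that do."""
    for name, role in roles.items():
        if role["composed_of"] and role["permissions"]:
            raise ValueError(f"composite role {name!r} cannot hold permissions directly")
    return True

def role_permissions(name, roles=ROLES, seen=None):
    """Effective permissions of a role, following composite membership (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    perms = set(roles[name]["permissions"])
    for member in roles[name]["composed_of"]:
        perms |= role_permissions(member, roles, seen)
    return perms

def effective_permissions(user):
    """Union of permissions from direct roles, group roles and any IdP default role."""
    names = set(USER_ROLES.get(user, ()))
    for group in USER_GROUPS.get(user, ()):
        names |= GROUP_ROLES.get(group, set())
    if user in IDP_USERS:
        names |= {n for n, r in ROLES.items() if r["default_for_idp"]}
    return set().union(*(role_permissions(n) for n in names))

def is_allowed(user, app, resource, level):
    return (app, resource, level) in effective_permissions(user)
```

Note that alice, assigned only through her group, gets the composite role's inherited create, modify and manage permissions but not view, because the composite role contains no viewer role.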
When assigning groups to roles, you need to understand how the permissions affect child groups nested under the parent group. For more information, see Groups.
Where to go from here
To create, edit, or delete a role, see Setting up roles and permissions.