User identities

You can control access to BMC Helix Portal integrated products and common services by managing user identities and user access. 

User identity types

Based on the type of access, users in BMC Helix Portal can be local or external.

The following table provides information about the types of access:

| Type of access | When is it useful? | More information |
| --- | --- | --- |
| Local access for users in BMC Helix Portal | You want to create and manage users in BMC Helix Portal via the console or the API. | Local user access |
| External access for users managed by a supported identity provider (IdP) | You already manage users in your identity and authorization system that is supported by Helix Single Sign-On (for example, Okta and Active Directory) and these users need access to the BMC Helix Portal integrated products and common services. Note: External IdP user access is only supported for licensed users. | External IdP user access |
| Cross-product access for users synced from BMC Helix ITSM | You want to sync users and associated groups from BMC Helix ITSM into BMC Helix Portal so that the synced users can authenticate into BMC Helix Portal without the need for separate credentials and can use the required integrated products and common services. This type of access is considered to be external because BMC Helix Portal shares access with users created and managed externally in BMC Helix ITSM. | Cross-product user access |


Local user access

You can create and manage users locally on BMC Helix Portal. Helix Single Sign-On is used for authenticating users into BMC Helix Portal.

Users can be of two types:

  • Users that require console access
  • API users that require programmatic access

For more information, see User access.

Local users can perform the following operations if they have appropriate permissions:

  • Create, view, and delete other local users, and update their own details. 
  • Create, view, and delete external IdP users.
  • View synced users.

| User type | Create | View | Update | Delete |
| --- | --- | --- | --- | --- |
| Local users | Yes | Yes | Yes | Yes |
| External IdP users | Yes | Yes | No | Yes |
| Synced users | No | Yes | No | No |


External IdP user access

If you already manage user identities by using an external identity provider (IdP) supported by Helix Single Sign-On (for example, Okta and Active Directory), you can request the BMC SaaS Operations team to configure the IdP and import the users. External IdP users can authenticate into BMC Helix Portal by using their existing credentials. For more information, contact BMC Support.

What is the impact of moving from local to external IdP authentication?

After you move from local to external IdP authentication, all the local users (including the tenant administrator) cannot access the BMC Helix Portal console.

Therefore, before importing, as a tenant administrator, do one of the following actions based on whether you possess the login credentials of an IdP admin user:

  • Create an external user with the same login ID as the IdP admin.
  • Create a default role. 

To create an external user 

  1. Navigate to the Common Services > User Management page and create at least one external user with the SAML/IdP user type, with the same login ID as the IdP admin user. 
    For more information, see Setting up users for console access.
  2. Create a role, associate the external user(s) with the role, and assign all permissions or, at a minimum, all permissions to the ims application or service.
    For more information, see Setting up roles and permissions.

After the import, the IdP admin user can log on to BMC Helix Portal and associate the imported users with the relevant roles containing appropriate permissions.

To create a default role

Navigate to the Common Services > Roles and Permissions page and create a default role. Assign appropriate permissions to the role. At a minimum, assign all permissions to the ims application or service.

For more information, see Setting up roles and permissions.

What is the impact of creating a default role?

When authenticating into BMC Helix Portal, the imported users are automatically assigned to the default role. These users inherit access permissions from the default role and are listed on the Common Services User Management page. Later, you can assign the imported users to other roles containing more appropriate permissions and delete the default role.
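A pre-migration lockout check covering the two options above, as an added example that is not BMC code and does not call the BMC Helix Portal API. It runs on a constructed inventory; the field names, the "Local" type label, and the "*" / "ims:*" permission wildcards are assumptions, and treating a case or whitespace difference in the login ID as a mismatch is a deliberately conservative choice.

```python
# Added example: offline pre-migration lockout check on constructed data.
# Field names, the "Local" type label and the "*" / "ims:*" permission
# wildcards are assumptions, not the BMC Helix Portal API schema.

def grants_all_ims(role):
    """True if the role grants all permissions, or all ims permissions."""
    perms = set(role.get("permissions", []))
    return "*" in perms or "ims:*" in perms

def lockout_findings(users, roles, idp_admin_login):
    """Return reasons nobody could administer the tenant after the move to
    external IdP authentication; an empty list means one option is met."""
    # Option 2: a default role that carries at least all ims permissions.
    if any(r.get("is_default") and grants_all_ims(r) for r in roles):
        return []
    # Option 1: an external user with the IdP admin's exact login ID ...
    external = [u for u in users if u["user_type"] == "SAML/IdP"]
    exact = [u for u in external if u["login_id"] == idp_admin_login]
    if not exact:
        norm = idp_admin_login.strip().casefold()
        near = [u["login_id"] for u in external
                if u["login_id"].strip().casefold() == norm]
        if near:
            return [f"{near[0]!r} differs from the IdP admin login ID "
                    "only by case or whitespace"]
        return ["no external SAML/IdP user has the IdP admin's login ID"]
    # ... who is associated with a role granting at least all ims permissions.
    by_name = {r["name"]: r for r in roles}
    held = [by_name[n] for u in exact for n in u.get("roles", []) if n in by_name]
    if not any(grants_all_ims(r) for r in held):
        return ["the matching external user has no role with all ims permissions"]
    return []

# Constructed sample inventory: the tenant administrator is a local user and
# will lose console access, so it does not count towards either option.
USERS = [
    {"login_id": "tenant.admin@example.com", "user_type": "Local", "roles": ["Admins"]},
    {"login_id": "IdP.Admin@example.com", "user_type": "SAML/IdP", "roles": ["Admins"]},
]
ROLES = [
    {"name": "Admins", "permissions": ["*"], "is_default": False},
    {"name": "Readers", "permissions": ["ims:read"], "is_default": False},
]

if __name__ == "__main__":
    for login in ("IdP.Admin@example.com", "idp.admin@example.com"):
        print(login, "->", lockout_findings(USERS, ROLES, login) or "OK")
```
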


External IdP users can perform the following operations if they have appropriate permissions:

  • View and delete local users.
  • Create, view, and delete other external IdP users, and they can update their own details. 
  • View other synced users.

| User type | Create | View | Update | Delete |
| --- | --- | --- | --- | --- |
| Local users | No | Yes | No | Yes |
| External IdP users | Yes | Yes | Yes | Yes |
| Synced users | No | Yes | No | No |


Cross-product user access

BMC Helix Portal can share access with BMC Helix ITSM users so that the BMC Helix ITSM users can use their existing credentials to authenticate into BMC Helix Portal. To share access, the BMC SaaS Operations team needs to perform some configurations and sync the BMC Helix ITSM users into BMC Helix Portal. All the licensed users (fixed, floating, and bundled users) and the relevant logical groups are synced. For more information, contact BMC Support.

After the configuration, the synced users are displayed on the Common Services > User Management page and the synced groups associated with these users are displayed on the Common Services > Group Management page. These groups are automatically mapped with the correct roles containing appropriate permissions in BMC Helix Portal.  

Synced users cannot be created, updated, or deleted from the BMC Helix Portal console. 

These users can perform the following operations if they have appropriate permissions:

  • View and delete other local users.
  • Create, view, and delete other external IdP users.
  • View other synced users.

| User type | Create | View | Update | Delete |
| --- | --- | --- | --- | --- |
| Local users | No | Yes | No | Yes |
| External IdP users | Yes | Yes | No | Yes |
| Synced users | No | Yes | No | No |
