This documentation supports the 22.1 version of Action Request System.

Creating and modifying users

A user is any person to whom you give permission to access BMC Helix Innovation Suite. Users can be members of multiple groups or no group at all. Users in BMC Helix Innovation Suite range from an administrator (who maintains the entire system) to employees (who submit requests or view data).

BMC Helix Innovation Suite includes one predefined user. You can use the User form in a browser to rename this user and create additional users.

Users are assigned to groups according to their need to access information. For example, you might create a group called Employee Services Staff whose members are permitted to view and change only certain fields in an Employee Information form. You might have another group called Employee Services Managers whose members are permitted to view and change all fields in the Employee Information form, including salary information. You can also configure a hierarchical relationship between groups to allow the parent group to inherit the permissions of the child group. For more information about creating groups, see Creating and managing access control groups.

Use the following procedures to create, modify, or delete BMC Helix Innovation Suite users and to enable users to change their information. You can apply the three Fixed licenses included with BMC Helix Innovation Suite to new users.

User form access

BMC Helix Innovation Suite provides the following access to the User form:

  • The Public group has Hidden permission to the User form.
  • The Dynamic Group Access field on the User form gives users read permission to the following fields: Login Name, Password, and Request ID. These permissions are automatically given to all new users that the administrator creates.

If you customized the User form, these changes might affect your customizations.

These changes enable you to enforce a password policy. See Enforcing a password policy introduction.

To create users

Important

Creating a new user may consume additional write licenses in the system, depending on the license type. Administrators may want to look at the license usage report to see the impact on licensing.

  1. Log in to a browser.
    If you are the first administrator to log in, you must log in as an administrator and leave the Password field empty. (Remedy AR System user names are case-sensitive.)
    During initial installation, the Demo user is installed as Administrator without a required password. To keep Remedy AR System secure, add a password for this user as soon as possible.
  2. From the AR System Administration Console, select System > Application > Users / Groups / Roles > Users.
    The User form opens in Search mode.
  3. Select Actions > New to switch to New mode.
  4. Enter information in the appropriate fields.


    Field

    Description

    User Information

    Login Name

    Identify the name that the user enters into the User Name field when logging in to BMC Helix Innovation Suite. The name can be the same as or different from the user name by which this user is known to the underlying operating system. The dynamic group with an ID of 60988 has read access to this field, enabling the user to view this field if a password policy is established. See Enforcing a password policy introduction.

    You cannot use the word System as a user.

    Full Name

    Full name of the user. By default, this name appears in the Results pane of the User form when users perform a search operation.

    Password

    Identify the password that the user enters when logging in to AR System. This field's length is 30 bytes, so you can enable users to enter as many as 30 bytes.

    Users cannot enter a 28-character password, or an error will occur during authentication.

    The Password field is stored in the database as a one-way hash (SHA-1), so unauthorized users cannot retrieve passwords in clear text, for example, to log in to applications. To enhance system security, select a password that is different from one used for another purpose. If unsecure passwords are needed for applications, store the password in a character field rather than the Password field (field 102). If the Password field is left blank, the AR System server does not validate the password with the user's Windows or UNIX password, unless you configure the server to cross-reference a blank password. See Cross-referencing blank passwords. The dynamic group with an ID of 60988 has read access to this field, enabling the user to view this field if a password policy is established. See Enforcing a password policy introduction.

    Important: While creating a user via the Java driver or Create Entry from API program, if you add leading and trailing spaces to a password string in the Password field, the leading and trailing spaces are retained after you save the user details.

    For example, if you set the password as " password ", the password gets saved as " password ".

    However, while creating a user via Mid Tier, if you add leading and trailing spaces to a password string in the Password field, the leading and trailing spaces are omitted after you save the user details.

    For example, if you set the password as " password ", the password gets saved as "password".

    Therefore, the users created via the Java driver or Create Entry from API program with leading and trailing spaces in their passwords face issues when they log in via Mid Tier. Because Mid Tier sends the passwords to the server for validation after removing the spaces, they do not match the ones that are stored with spaces.

    Group List

    The access control groups to which the user belongs. If you leave this field empty, the user has only basic Submitter, Assignee, Assignee Group, or Public permissions. Specify groups by name or ID, as defined in the Group form. User permissions are determined in the Group List field of the User form. If you later change the Group ID for a group, the users originally assigned to the group are still attached to the old ID. If no group has the old ID, these users lose access to any AR System object for which they do not have permission through another group. If you choose to This field is limited to 4000 bytes, including expanded strings. See User and group access.

    If you create multiple groups with the same ID, the User form displays the first available group name for the selected group ID.

    Only an administrator can access the Group List field. The following error is displayed if a non-admin user tries to access the Group List field:

    You have no access to form :Group (ARERR 353)

    Computed Group List

    The names of the computed groups of which the user is a member. The members of a computed group are calculated by the server based on the groups that the user belongs to. This is a display-only field, and the field ID is 121. To search in this field in a query-by-example, enter the ID number of a computed group. To enter more than one computed group ID, include semicolons after each ID. You must enter the computed group IDs in the same order in which the names appear in the Computed Group List field when the user's record is displayed. In the following examples:

    • The ID for Computed Group 1 is 5678.
    • The ID for Computed Group 2 is 6789.

      You can also use the Advanced Search bar with the LIKE operator. Include the semicolon with the complete ID.
      To search for users who are members of Computed Group 1, enter:
      'Computed Group List' LIKE "%5678;%"
      You can also enter a partial ID for the computed group.
      To search for users who are members of both Computed Group 1 and Computed Group 2, enter:
      'Computed Group List' LIKE "%56%" AND 'Computed Group List' LIKE "%89%"

    License Type

    Type of license that the user is assigned:

    • Read
    • Fixed
    • Floating
    • Restricted Read
    • Bundled

    The default is Read. For descriptions of these license types, see License types for users to access AR System server.

    Important:

    • Users with a Read license cannot modify their own records.
    • Users with administrator permissions and AR Fixed license can access BMC Helix Innovation Studio and Developer Studio. To add administrator permissions, add the Administrator group to the Group List field.
    • Users with business analyst permissions and AR Fixed license can access BMC Helix Innovation Studio applications that they can access and tailor. To add business analyst permissions, add the Business Analyst group to the Group List field.
    • Users with AR Fixed, AR Floating, Application Fixed, Application Floating, or Read license can use the BMC or Partner applications deployed on BMC Helix Innovation Studio.

    Application License

    Select the applications that you want the users to access.

    For example, BMC Helix Business Workflows User Fixed, where BMC Helix Business Workflows is the name of the application and User Fixed is the type of license. AR System automatically populates this field according to information entered in the application's People form. For more information about adding login IDs and access rights, see Updating people information.

    From this release, you can use the menu attached to this field to assign application and/or bundled licenses to users.

    Important:

    • To use AR System-based applications from BMC Software, users need a Remedy AR System user license (to access the AR System server) and an application user license (to access the application).
    • BMC Helix Innovation Studio users need Application, Floating, Read, or Bundled license to access and use the BMC or Partner applications deployed on BMC Helix Innovation Studio.
    • BMC Helix Innovation Studio users need Fixed, Floating, Read, or Bundled licenses to access BMC Helix Innovation Studio custom applications.
    • AR System server does not allow you to assign an Application user fixed license to a user who has an AR User floating license.
    • AR System server does not allow you to assign any Application User fixed or floating license to a user who has an AR User read license.

    Default Notify Mechanism

    Method by which the user is notified for Notify filter and escalation actions when User Default is specified. The default setting on the User form is Alert.

    Email Address

    Email address used to notify the user if email is the notify method.

    Important

    You must associate only one Email Address with one user record to ensure that:

    • The email-based approvals work correctly.
    • The outgoing emails are sent without any issues.

    Status

    Defines the status of the user account. This field is for information only. It does not change the status of a user's account. This field is set through workflow if you set a password policy. See Enforcing a password policy introduction. The options are:

    • Current—The account is in use.
    • Disabled—The account is no longer in use.

    Allowed Client Types

    Allows the user to make API calls using only the client types mentioned in the Allowed Client Types field.

    To enter more than one client type ID, include semicolons after each ID. In the following example, the user can make an API call only to Mid Tier, Developer Studio and BMC ProactiveNet Performance Management.

    If the user makes an API call using a client type that is not assigned in the Allowed Client Types field, the API call fails with the following error:

    ARERR 8937: You do not have permission to the client operation.

    If the Allowed Client Types field is left blank, the user can make API calls using any client type. For more information on the list of client types, see Client Type IDs for API programs.

    Password Management

    Disable Password Management For This User

    Disables password management for the user. If this check box is selected, when the User Password Management Configuration form is updated, the user is not affected. For more information about password management, see Enforcing a password policy introduction.

    Dynamic Group Access

    The dynamic group to which the user belongs.

    Last Password Change for Policy

    The last time the password was changed. AR System automatically updates this field when a user's password is changed.

    Account Disabled Date

    The date the account was disabled, if applicable.

    Force Password Change on Login

    Indicates that the user must change the password. The next time the user logs in, the user is prompted to change the password. After the password is changed, the check box in the User form is automatically cleared through workflow.

    Number of Days Before Expiration

    The number of days before a user's password expires if it is not changed.

    Number of Warning Days

    Indicates when a user receives a warning message before the password is set to expire unless changed.

    Days After Expiration Until Disablement

    The number of days after which a user's account is disabled if the password is not changed.

    System Information

    Datatag

    Tags the data record as needed. This field is optional. For example, it can store the name of the application that uses this group.

    Business Analyst

    Assigns the business analyst role when you create or update a user. A business analyst modifies application definitions within the applications and libraries to which they have access.

    Bundle List

    Select the bundles or applications that the business analyst can access and tailor.

  5. Save your changes.
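
The Login Name and Password constraints in the table above can be checked before user records are created through the API, where leading and trailing spaces are kept. The following Python sketch is an added example, not BMC code: the function names are hypothetical, the byte count assumes UTF-8, the reserved name is compared case-insensitively as a conservative assumption, and the hash is a plain SHA-1 stand-in for the server's one-way hash.

```python
import hashlib

MAX_PASSWORD_BYTES = 30      # Password field length stated on this page
FAILING_PASSWORD_CHARS = 28  # length the page says causes an authentication error
RESERVED_LOGIN = "System"    # the page: "You cannot use the word System as a user"


def sha1_hex(text):
    # Simplified model of the one-way hash; the server's storage format is not modelled.
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def mid_tier_login_matches(password_as_created):
    """Model a Mid Tier login for a user whose password was saved through the API."""
    stored = sha1_hex(password_as_created)                # API path keeps the spaces
    submitted = sha1_hex(password_as_created.strip(" "))  # Mid Tier removes them
    return stored == submitted


def check_new_user(login_name, password):
    """Return issue codes for one record; an empty list means nothing was flagged."""
    issues = []
    if login_name.casefold() == RESERVED_LOGIN.casefold():  # assumption: any casing
        issues.append("reserved-login-name")
    if password == "":
        issues.append("blank-password")
    if password != password.strip(" "):
        issues.append("leading-or-trailing-space")
    if len(password) == FAILING_PASSWORD_CHARS:
        issues.append("28-character-password")
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:  # assumption: UTF-8 bytes
        issues.append("exceeds-30-bytes")
    return issues


# Constructed sample records, not real accounts.
SAMPLE_USERS = [
    ("jdoe", "Correct-Horse-9"),
    ("svc_import", " password "),
    ("Demo", ""),
    ("System", "x" * 28),
    ("mmuller", "pässwörter-und-schlüssel-1234"),  # 29 characters, 32 UTF-8 bytes
]


def audit(users):
    """Map each login name to the list of issues found for it."""
    return {login: check_new_user(login, password) for login, password in users}


if __name__ == "__main__":
    for login, issues in audit(SAMPLE_USERS).items():
        print(f"{login:12} {', '.join(issues) or 'ok'}")
    print("Mid Tier login for ' password ':", mid_tier_login_matches(" password "))
```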

Adding and modifying user information

Important

If you use BMC Helix Innovation Suite-based applications, set up users in the People form, not in the User form. For more information, see Creating or modifying People data.

In BMC Helix Innovation Suite, you can have registered users and guest users. Each type of user has different privileges within the system, as discussed in the following sections.

You enter data in the User form to define the components that work together to determine each user's access to AR System: login name, password, group membership, and license type. You also define notification information for each user in this form. For more information, see Restrictions for users and groups.

To grant a user permission for BMC Helix Innovation Suite objects, add the user to the groups to which access will be given. To make a user part of a group, choose the appropriate group from the Group List menu in the User form. (Multiple group names in the Group List field are separated by spaces.) You can select from the reserved BMC Helix Innovation Suite groups.

If the group information is returned through external authentication, you cannot be a part of any administrator group. You can be a part of the administrator group only from the User form. For information, see Setting external authentication options and Specifying internal and external authentication.

You can get group information from external authentication only if the Group List is NULL.

For more information, see User and group access.

Restrictions for users and groups

You cannot create other users with more administrative rights than yourself, and you cannot modify your own rights.

The new restrictions are applied to prevent:

  • Creation of an administrative user by a non-administrative user.
  • Creation of an administrative user with access to more overlay groups than the administrative user who created them.

The following restrictions are applied before and after you create or modify any user in the User and Group form.

  • Only an administrator can create, modify, or delete other users belonging to the Administrator, Sub-Administrator, Struct Admin, or Struct Sub-Admin groups. 
    A user must have Group ID 1 (AR Administrator) in the group list to create/modify/delete another user with any of the four administrative class groups in their group list.
  • No Admin user can create or modify a user (themselves included) with fewer administrative restrictions than the user making the modification.
    For example, an administrator user with Overlay Group 1 cannot create or modify users with no overlay groups. Consider a situation where you have created an ABCGroup with an Overlay Group set to 1. User ABCAdmin is part of Administrator group and ABCGroup. However, ABCAdmin is restricted only to the ABCGroup. ABCAdmin can change (create/modify/delete) any user belonging only to the ABCGroup. For more information about creating a group as an overlay group, see Creating and managing access control groups.
    Additionally, a user cannot create another admin user with the ability to modify base objects if they themselves cannot do it. 

    Best practice

    We recommend that you restrict your users to make modifications only to custom objects and overlays.

  • Only an unrestricted administrator can create, modify, or delete groups that restrict a user’s administrative capabilities.
    Only an administrator with no overlay-specific groups can create, modify, or remove overlay-specific groups.

To modify user information

  1. From the AR System Administration Console, select System > Application > Users / Groups / Roles > Users.
    The User form opens in Search mode.
  2. Click Search to retrieve a list of defined users.
  3. Select the appropriate user from the list.
  4. Modify information in the appropriate fields. (See the table above.)

  5. Save your changes.

    Warning

    If you modify the Administrator's Fixed license or Administrator group membership before you create another Administrator user, you lose administrator privileges.

To delete users

  1. From the AR System Administration Console, select System > Application > Users / Groups / Roles > Users.
    The User form opens in Search mode.
  2. Click Search to retrieve a list of defined users.
  3. Select the appropriate user from the list.
  4. Choose Actions > Delete.
    A confirmation box appears to verify that you want to delete the selected users.
  5. Click OK.

    Warning

    If you delete the Administrator before you create another Administrator user, you lose administrator privileges.
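
The two warnings above (modifying or deleting the Administrator before another Administrator exists) come down to the order of steps in a change plan. The following Python sketch is an added example, not BMC code: the record layout, function names and sample users are constructed, and a user is counted as an administrator only when the record has both the Administrator group and a Fixed license, as the warnings describe.

```python
ADMIN_GROUP = "Administrator"  # group named in the warnings on this page
ADMIN_LICENSE = "Fixed"        # license type named in the warnings on this page


def is_administrator(user):
    # Status is ignored: the page says that field is for information only.
    return ADMIN_GROUP in user["groups"] and user["license"] == ADMIN_LICENSE


def apply_step(users, step):
    """Return a new user list reflecting one create, modify or delete step."""
    action, login = step["action"], step["login"]
    if action == "create":
        return users + [{"login": login, **step["fields"]}]
    if action == "delete":
        return [u for u in users if u["login"] != login]
    if action == "modify":
        return [{**u, **step["fields"]} if u["login"] == login else u for u in users]
    raise ValueError(f"unknown action: {action}")


def first_lockout_step(users, plan):
    """Return the 1-based number of the first step that leaves no administrator, else None."""
    current = list(users)
    for number, step in enumerate(plan, start=1):
        current = apply_step(current, step)
        if not any(is_administrator(u) for u in current):
            return number
    return None


# Constructed sample records and plans, not real accounts.
USERS = [
    {"login": "Demo", "groups": ["Administrator"], "license": "Fixed"},
    {"login": "jdoe", "groups": ["Employee Services Staff"], "license": "Read"},
]
NEW_ADMIN = {"groups": ["Administrator"], "license": "Fixed"}

PLAN_DELETE_FIRST = [
    {"action": "delete", "login": "Demo"},
    {"action": "create", "login": "ops_admin", "fields": NEW_ADMIN},
]
PLAN_CREATE_FIRST = [
    {"action": "create", "login": "ops_admin", "fields": NEW_ADMIN},
    {"action": "delete", "login": "Demo"},
]
PLAN_DOWNGRADE = [
    {"action": "modify", "login": "Demo", "fields": {"license": "Floating"}},
]

if __name__ == "__main__":
    for name, plan in [("delete first", PLAN_DELETE_FIRST),
                       ("create first", PLAN_CREATE_FIRST),
                       ("downgrade license", PLAN_DOWNGRADE)]:
        step = first_lockout_step(USERS, plan)
        print(f"{name:18} {'ok' if step is None else f'no administrator after step {step}'}")
```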

To enable users to change user record information

  1. Open the User form in Developer Studio.
  2. Make the User form's Assigned To field visible. (By default, the field is hidden.)
    1. Double-click the Assigned To field to open the field Properties dialog box.
    2. In the Display tab, clear the Hidden check box.
  3. Give the Assignee group Change permission for the Password, Default Notify Mechanism, or Email Address fields.
  4. Give public "visible" permissions.
    See Field permissions.
  5. Save your changes, and close Developer Studio.
  6. In a browser, open the AR System Administration Console, and select System > Application > Users / Groups / Roles > Users.
    The User form opens in Search mode. The Assigned To field is visible in the User form.
  7. Retrieve a list of defined users.
  8. Select the appropriate user from the list.
  9. Copy the Login Name to the Assigned To field to make the user the Assignee.
    By using the Assignee group, you enable the user to modify the user's password, default notification mechanism, or email address.
    You can also make the user the Submitter by entering the same name in the Login Name field and in the Creator field.
  10. Save your changes.