
This documentation supports the 21.05 version of BMC Digital Workplace Advanced. 
To view an earlier version, select the version from the Product Version menu.

User accounts, groups, and permissions for BMC Helix Digital Workplace Catalog

BMC Helix Digital Workplace Catalog server maintains an independent user database, separate from the databases used by other applications, such as BMC Helix Digital Workplace and BMC Helix ITSM. The users are stored in the tenant database and are not shared directly with other applications.

The BMC Helix Digital Workplace Catalog database contains the accounts for users who can request service catalog items. The user database is also where a system administrator or service catalog administrator can specify the permissions for users who can log in to the catalog administration console to manage the service catalog.

User accounts

You create user accounts manually or by running a script to copy the user database from BMC Helix ITSM. After you create the user account, you can entitle the user to view and request catalog items, or promote the user to an administrative role.

User groups

The user groups are automatically created when you run the script to copy the user database from BMC Helix ITSM. BMC Helix Digital Workplace Catalog groups are unique, and do not share any relationship with permission groups that other applications use. The group names include the company, organization, and department attributes of the user records.

You can grant permissions to multiple users that belong to a custom user group to view and request service catalog items.

People groups

Create and manage people groups that end users can add as collaborators. Do not create people groups if you want your end users to add only individual users as collaborators to their requests. Your end users will still be able to create one default group for their personal use.

Important

The current design of this feature does not support multitenant environments, and is not available if you enable the Managed Service Provider (MSP) feature. We recommend that you do not add people groups if you set up subtenants by creating multiple companies in BMC Helix ITSM, since all the groups you add will be available to users from your subtenant companies as well.

To add individual users

  1. In BMC Helix Digital Workplace Catalog, go to People > People Groups.
  2. Click New Group and create the group, or select an existing group and select Actions > Open.
  3. Next to Users, click Add.
  4. Select the users you want to add, and click Add.

    To filter the list of users, enter a string in the Search box at the top of the User Directory panel.

    Important

    Only users with Enabled profile status are available for search.

To add users by attributes

  1. In BMC Helix Digital Workplace Catalog, go to People > People Groups.
  2. Click New Group and create the group, or select an existing group and select Actions > Open.
  3. Next to Attributes, click Add and select one of the following options:
    • Click the ITSM Core tab.

      1. Expand the available categories as needed.

      2. Select the attributes that you want to assign, and click Save.

        Important

        ITSM Core attributes with no values are displayed as labels in the attributes tree.

    • Click the Other Fields tab.
      1. Expand the available categories as needed.
      2. Select the attributes that you want to assign, and click Save.

To set the group visibility

  1. In BMC Helix Digital Workplace Catalog, go to People > People Groups.
  2. Click New Group and create the group, or select an existing group and select Actions > Open.
  3. Select one of the values from the Group Visibility section:

    Important

    • BMC Helix ITSM administrators will be able to view all the groups.
    • End users must refresh their browser for group changes to take effect.

    • Everyone—Allows all users to add this group as a collaborator to their service requests.
    • Group Members—Allows users belonging to the group to add this group as a collaborator to their service requests.
    • Custom—Add users (individual or by attribute) who can add this group as a collaborator to their service requests.

Permission levels and groups

When you create a user account, you can specify the capabilities of the account by assigning a permission group. The following table lists the permission levels that you can assign to user accounts.

| Permission level | User role | Permission group | License level | Description |
|---|---|---|---|---|
| Service catalog administrator | Administrator | sbe-catalog-admins | Fixed | Enables a user account to manage all aspects of the service catalog. |
| Asset manager | Asset Manager | sbe-asset-managers | Fixed | Enables a user to manage user entitlements by creating virtual marketplaces. |
| Internal service supplier | Internal Supplier | sbe-internal-suppliers | Fixed | Enables a user to create, modify, and send services and bundles for approval. |
| Internal service supplier administrator | Internal Supplier Administrator | sbe-internal-supplier-admins | Fixed | Enables a user to create, modify, approve, and publish services and bundles. |
| Service agent | Agent | sbe-agents | Fixed | Enables a user to access the BMC Helix Digital Workplace Catalog console to view service requests. |
| Allow BMC Mid Tier access to an administrator | Any administrative role | Administrator | Fixed | Assign to any administrative user account to enable the user to log in to BMC Mid Tier. |
| BMC Helix Digital Workplace client user | No specified role | sbe-myit-users | Read | Enables a user to request BMC Helix Digital Workplace Catalog services from BMC Helix Digital Workplace. |

For more details about the BMC Helix Digital Workplace Catalog permission groups, see Assigning BMC Helix Digital Workplace Catalog roles to user accounts.

Warning

Do not combine the following permission group assignments; otherwise, BMC Helix Digital Workplace Catalog features do not work properly:

  • Any administrative or agent permission group (sbe-catalog-admins, sbe-internal-suppliers, sbe-internal-supplier-admins, sbe-asset-managers, sbe-agents) and the BMC Helix Digital Workplace client user permission group.
  • The BMC Helix Digital Workplace client user permission group and the Administrator permission group.

User account fields

When you create user accounts, you must provide the information in the following table. If you are creating user accounts by using BMC Mid Tier, specify the Field name. If you are passing a JSON text file into a shell script, specify the Key name. 

| Field name | Key name | Examples | Description |
|---|---|---|---|
| Full Name | fullName | Hannah; Hannah Administrator | Specify the full name of the user. |
| Login Name | loginName | When viewed in BMC Mid Tier, the login name is shown without the tenant domain. Example: hannah_admin. When user accounts are created with the shell scripts method, the login name field shows the tenant domain as an environment variable. Example: hannah_admin@${rx_tenant_domain} | Specify the name the user enters to log in to BMC Helix ITSM applications. The Login Name field is case sensitive. For example, the following are the login names a user would enter when the user's login name is Bob and the company is calbroservices.com: to log in to most BMC applications, the user enters Bob; to log in to BMC Helix Digital Workplace Catalog, the user enters Bob@calbroservices.com; to log in when BMC Helix Single Sign-On is configured for all applications, the user enters Bob. |
| Email Address | emailAddress | hannah_admin@calbroservices.com | Specify the email address used by the account. This address does not need to match the user's login name. |
| License Type | licenseType | Fixed; Read | Specify the license type for this user. A Fixed license type is an extended license for administrators and service agents who can manage services in BMC Helix Digital Workplace Catalog. A Read license type is for end users who can only request services from the catalog in BMC Helix Digital Workplace. In BMC Mid Tier, the Read license type is shown as Restricted Read. |
| Group List | groups | Administrator sbe-catalog-admins; ["Administrator", "sbe-catalog-admins"]; ["sbe-myit-users"] | Specify the permission group memberships to assign to a BMC Helix Digital Workplace Catalog user account. When you assign permissions by using BMC Mid Tier, add the permission group name as additional entries in the Group List field. When you assign permissions by using a script, enclose the permission group names in an array. |
| Password | password | Passw0rd! | Specify a password with a minimum of 8 characters and a maximum of 30 characters. The password must include all of the following characters: uppercase letters, lowercase letters, numeric characters, and special characters (such as the following: ~!@#$%^&*_-). To enable a user to view and request services through self-service, the user's credentials must match the BMC Helix ITSM user account. When adding users from BMC Helix ITSM by running the automated user transfer script, you must enable the cross-reference blank password setting in the BMC Mid Tier configuration. Then, for these users to be able to log in, you must enable BMC Helix Single Sign-On. At this time, only BMC Helix Digital Workplace Catalog administrators who can access the User form on BMC Mid Tier can change user passwords. |
| Status | (Not used) | Current | When you create users by using BMC Mid Tier, set this field to one of the following values: Current (defines an active user) or Disabled (defines an inactive user). |
| (Not used) | forcePasswordChangeOnLogin | false | When you create users by using scripts, leave the value set to false. |
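
The field rules in this table and the permission-group warning above can be checked before a user file is handed to the creation script. The following Python sketch is an added example, not BMC code: it assumes one JSON object per user with the key names listed above, and `audit_user`, the constants, and the sample record are hypothetical names and constructed data.

```python
import json

# Permission groups named on this page.
ADMIN_OR_AGENT = {"sbe-catalog-admins", "sbe-internal-suppliers",
                  "sbe-internal-supplier-admins", "sbe-asset-managers",
                  "sbe-agents"}
CLIENT, MID_TIER = "sbe-myit-users", "Administrator"
REQUIRED = ("fullName", "loginName", "emailAddress", "licenseType",
            "groups", "password", "forcePasswordChangeOnLogin")
# The page gives this list as examples of special characters; treating it
# as the full accepted set is an assumption that keeps the check strict.
SPECIALS = set("~!@#$%^&*_-")
# Sample passwords printed in the tables on this page; never deploy them.
DOC_PASSWORDS = {"Passw0rd!", "5Y5_n0tification!"}

def audit_user(record):
    """Return findings for one user record; an empty list means clean."""
    findings = [f"missing key: {k}" for k in REQUIRED if k not in record]
    groups = set(record.get("groups", []))
    privileged = groups & (ADMIN_OR_AGENT | {MID_TIER})
    if CLIENT in groups and privileged:
        findings.append("forbidden combination: %s with %s"
                        % (CLIENT, ", ".join(sorted(privileged))))
    # License level per permission group, as listed in the permission table.
    expected = "Fixed" if privileged else "Read" if CLIENT in groups else None
    if expected and record.get("licenseType") != expected:
        findings.append(f"licenseType should be {expected} for these groups")
    pw = record.get("password", "")
    if not 8 <= len(pw) <= 30:
        findings.append("password length must be 8 to 30 characters")
    classes = (str.isupper, str.islower, str.isdigit, SPECIALS.__contains__)
    if not all(any(test(c) for c in pw) for test in classes):
        findings.append("password needs upper, lower, digit and special")
    if pw in DOC_PASSWORDS:
        findings.append("password is a sample value from the documentation")
    if record.get("forcePasswordChangeOnLogin") is not False:
        findings.append("forcePasswordChangeOnLogin must be false for scripts")
    return findings

# Constructed sample record (assumed layout: one JSON object per user).
SAMPLE = json.loads("""
{"fullName": "Jim Serven", "loginName": "jim_serven@calbroservices.com",
 "emailAddress": "jim_serven@calbroservices.com", "licenseType": "Fixed",
 "groups": ["sbe-agents", "Administrator", "sbe-myit-users"],
 "password": "Passw0rd!", "forcePasswordChangeOnLogin": false}
""")

if __name__ == "__main__":
    print("\n".join(audit_user(SAMPLE)))
```

Run against the constructed record, the audit reports the forbidden mix of sbe-myit-users with agent and Administrator groups, and the reuse of a documentation sample password.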

Example permissions and fields for a system notification user

BMC Helix Digital Workplace requires a service level user that runs background tasks such as pushing notifications to end users when BMC Helix Digital Workplace Catalog requests are being processed. You must create the user account that will perform these actions, and provide the credentials for this user when you enable the enhanced catalog. These notifications are sent to the BMC Helix Digital Workplace application. To send notifications by email, you must also complete the configuration described in Configuring email notifications.

The following table shows an example of the fields used to create the system notification user. You should specify unique login credentials when creating the system notification user in your environment.

| Field name | Key name | Examples |
|---|---|---|
| Full Name | fullName | System Notification Account |
| Login Name | loginName | sys_notification@calbroservices.com |
| Email Address | emailAddress | sys_notification@calbroservices.com |
| License Type | licenseType | Read |
| Group List | groups | sbe-myit-users. Warning: Do not add the Administrator group to any users of the sbe-myit-users group. |
| Password | password | 5Y5_n0tification! |
| Status | (Not used in scripts) | Current |
| (Not on user form) | forcePasswordChangeOnLogin | false |

Example permissions and fields for an enhanced catalog administrator

The administrator who maintains the sections in the enhanced catalog must also be a service catalog administrator in BMC Helix Digital Workplace Catalog. When you follow the installation process steps to create a tenant, the process creates the first service catalog administrator user account for you.

The following table shows an example of the fields used to create the first service catalog administrator user account. You should disable this account and specify unique login credentials when creating additional users in your environment.

| Field name | Key name | Examples |
|---|---|---|
| Full Name | fullName | Hannah Administrator |
| Login Name | loginName | hannah_admin@calbroservices.com |
| Email Address | emailAddress | hannah_admin@calbroservices.com |
| License Type | licenseType | Fixed |
| Group List | groups | ["sbe-catalog-admins", "Administrator"]. Warning: Do not combine administrative permissions with the sbe-myit-users group. |
| Password | password | Passw0rd! |
| Status | (Not used) | Current |
| (Not used) | forcePasswordChangeOnLogin | false |

Example permissions and fields for a service agent

A service agent who reviews user requests must be a service agent in BMC Helix Digital Workplace Catalog.

The following table shows an example of the fields used to create a service agent.

| Field name | Key name | Example |
|---|---|---|
| Full Name | fullName | Jim Serven |
| Login Name | loginName | jim_serven@calbroservices.com |
| Email Address | emailAddress | jim_serven@calbroservices.com |
| License Type | licenseType | Fixed |
| Group List | groups | ["sbe-agents", "Administrator"]. Warning: Do not combine administrative permissions with the sbe-myit-users group. |
| Password | password | Passw0rd! |
| Status | (Not used) | Current |
| (Not used) | forcePasswordChangeOnLogin | false |
