Managing groups

Every user of the BMC Helix Discovery system must be a member of one or more groups. Membership of groups defines the various BMC Helix Discovery modules that a user is entitled to access. For example, users defined as members of the System group can create and edit user details, while members of the Public group cannot access these areas.

Important

If you are using an instance of BMC Helix Discovery for BMC Helix Portal and BMC Helix AIOps users (commissioned after 1 June 2021), you should manage users and groups in BMC Helix Portal.

The BMC Helix Discovery permissions that you can configure in BMC Helix Portal are described in Roles and permissions using BMC Helix Portal.


To log in, a user must be in a group that has the security/user/passwd, appserver/login, appserver/module/home, and model/datastore/partition/Default/read permissions. Only the following default groups have these permissions: readonly, public, system, and admin. Every user must be a member of one of these groups, or of a custom group that has at least these permissions. For example, a user who is only in the discovery group cannot log in. Put a user who requires access to discovery commands into both the discovery and public groups.

The BMC Helix Discovery Administrator is responsible for setting up details of all user groups in the BMC Helix Discovery system.

Each group is a collection of permissions. Permissions control granular access to BMC Helix Discovery modules and are described in Group Permissions.

The default security groups

The default user groups and their security access rights are as follows:

  • admin—These users have the highest level of customer access to the system.
  • api-access—These users can read and write to some of the model and control some of the reasoning. This group is intended for users of the external APIs.
  • appmodel—These users can write and edit patterns, and create nodes to model business applications. They cannot view credentials but can run discovery (in order to test patterns).
  • cmdb-export-administrator—These users have access to all of the export-related data. They can build, modify, delete and run Exporters.
  • discovery—These users have access to all of the discovery-related data. They can start and stop discovery, add and remove credentials, and enable or disable audit logging.
  • event-source—These users are able to create events for any event source.
  • never-deactivate—These users are never deactivated, even if they are inactive (have not logged into the UI or used the API) for longer than the account deactivation threshold.
  • public—These users have read/write access to all of the system, although they cannot access the discovery credentials.
  • readonly—These users have read-only access to the system. They cannot view the credentials for logging into target hosts.
  • system—These users have full access to the system.
  • unlocker—These users are able to unlock and unblock user accounts which have been locked or blocked after exceeding the number of permitted authentication failures.

Listing all current groups

  1. From the main menu, click the Administration icon.
    The Administration page opens.
  2. In the Security section, click User Groups.
    The Groups page lists all the current groups and allows you to edit details, delete groups, or create a new group.

To create a new group

  1. From the Groups page, click Add at the bottom of the page.
    The Add Group page is displayed. The page is arranged into functional areas, and then subdivided into columns. The arrangement of the columns from left to right is as follows:
    • Wildcard—Contains items which, when checked, select a number of permissions. When you mouse over a wildcard permission, it and the permissions it applies to are highlighted.
    • Read—Read permissions relating to the functional area.
    • Write—Write permissions relating to the functional area.
    • Misc—Miscellaneous permissions relating to the functional area, such as appliance reboot.
  2. In Group name, enter a name for the new group.
  3. Select the check boxes that indicate the BMC Helix Discovery modules that members of this user group are allowed to access.
    The * wildcard matches anything, so selecting this check box will give unrestricted access to everything in the system.
  4. To save the changes, click OK.
    After the group is set up, you can add users. For more information, see Managing system users.

To amend group details

You can change a group name and the modules that group members can access. The access defined by the group membership will apply the next time users in this group log in.

  1. From the Groups page, click Edit next to the group.
    The page is redisplayed showing editable fields.
  2. Amend or overwrite the Name field.
  3. Select one or more check boxes corresponding with the BMC Helix Discovery modules that members of this group can access.
  4. To save the changes, click OK.

To delete a group

You can delete any group that you created. You cannot delete the public or system groups.

From the Groups page, click Delete next to the group to be deleted.

The group is deleted, and the system does not display any confirmation.

Group permissions 

The following table lists the permissions assigned by default to each group in BMC Helix Discovery. The individual permissions are described in System Group Permissions by Category.

admin
  • Read: admin/channel/read, admin/dns/read, admin/interface/read, admin/log/read, admin/loglevel/read, admin/mail/read, admin/routing/read
  • Write: admin/channel/write, admin/dns/write, admin/interface/write, admin/loglevel/write, admin/mail/write, admin/routing/write
  • Other (Misc): admin/category/createmodify, admin/import/csv, admin/log/delete, admin/log/info

api
  • Read: none
  • Write: api/datastore/write
  • Other (Misc): api/access, api/datastore/import, api/event_source, api/license_data

appliance
  • Read: appliance/info/read
  • Write: appliance/info/write
  • Other (Misc): appliance/backup, appliance/maintenance, appliance/reboot, appliance/reportsusage/reset, appliance/restart, appliance/shutdown, appliance/support, appliance/updatedevices

appserver
  • Read: appserver/module/* (that is, appserver/module/Application, appserver/module/Discovery, appserver/module/Home, appserver/module/Infrastructure, appserver/module/Reports, appserver/module/Setup, appserver/module/System)
  • Write: none
  • Other (Misc): appserver/debug, appserver/login, appserver/sessionaccess

baseline
  • Read: baseline/read
  • Write: none
  • Other (Misc): baseline/admin, baseline/update

cluster
  • Read: none
  • Write: none
  • Other (Misc): cluster/file_distribution, cluster/management, cluster/monitored_operation

cmdb_sync
  • Read: none
  • Write: none
  • Other (Misc): cmdb_sync

consolidation
  • Read: consolidation/read
  • Write: consolidation/consolidation/write, consolidation/discovery/write
  • Other (Misc): none

discovery
  • Read: discovery/filters/read, discovery/kslave/read, discovery/options/read, discovery/platforms/read
  • Write: discovery/filters/write, discovery/kslave/write, discovery/options/write, discovery/platforms/write
  • Other (Misc): discovery/credentials/test, discovery/host/access, discovery/management, discovery/port/settings

model
  • Read: model/audit/read, model/datastore/main/read, model/datastore/partition/Audit/read, model/datastore/partition/Conjecture/read, model/datastore/partition/DDD/read, model/datastore/partition/Default/read, model/datastore/partition/Logs/read, model/datastore/partition/Taxonomy/read, model/datastore/partition/_Configuration/read, model/datastore/partition/_System/read, model/taxonomy/nodekind/read, model/taxonomy/relkind/read, model/taxonomy/rolekind/read
  • Write: model/audit/write, model/datastore/main/write, model/datastore/partition/Audit/write, model/datastore/partition/Conjecture/write, model/datastore/partition/DDD/write, model/datastore/partition/Default/write, model/datastore/partition/Logs/write, model/datastore/partition/Taxonomy/write, model/datastore/partition/_Configuration/write, model/datastore/partition/_System/write, model/taxonomy/nodekind/write, model/taxonomy/relkind/write, model/taxonomy/rolekind/write
  • Other (Misc): model/audit/admin, model/audit/purge, model/datastore/admin, model/datastore/internal/cluster, model/search/cancel, model/search/list

reasoning
  • Read: reasoning/events/read, reasoning/ranges/read
  • Write: reasoning/events/write, reasoning/pattern/write, reasoning/ranges/write
  • Other (Misc): reasoning/events/state, reasoning/internal, reasoning/open_scan, reasoning/pattern/config, reasoning/pattern/execute, reasoning/provider, reasoning/start, reasoning/startstop, reasoning/status, reasoning/stop

reports
  • Read: reports/read
  • Write: reports/write
  • Other (Misc): none

security
  • Read: security/group/read, security/options/read, security/user/read
  • Write: security/group/write, security/options/write, security/user/write
  • Other (Misc): security/https/admin, security/sessions/view, security/user/activate, security/user/never_deactivate, security/user/passwd

system
  • Read: system/configuration/read, system/settings/read
  • Write: system/configuration/write, system/settings/write
  • Other (Misc): system/licensing

ui
  • Read: none
  • Write: none
  • Other (Misc): ui/appmodelling/edit, ui/appmodelling/publish, ui/dashboard/admin, ui/datastore/admin, ui/report/admin, ui/taxonomy/admin

vault
  • Read: vault/credential_types/read, vault/credentials/read
  • Write: vault/credentials/write
  • Other (Misc): vault/credentials/export, vault/close, vault/open, vault/passphrase

System group permissions by category

The system group security permissions are shown by category in the following tables.

There are no permissions that restrict access to patterns. All logged-in users can view patterns.

Appliance administration permissions

The following table lists the group permissions relating to the appliance administration.

admin/category/createmodify
  Enables you to create and modify categories from the Custom Categories page.
  To navigate to the Custom Categories page:
    1. From the main menu, click the Administration icon.
       The Administration page opens.
    2. In the Model section, click Custom Categories.
       For more information, see Setting up standard data categories.

admin/channel/read
admin/channel/write
  Enables you to create and modify channels from the Channels page. Not applicable to BMC Helix Discovery.

admin/dns/read
admin/dns/write
  Enables you to read or write DNS information. Not applicable to BMC Helix Discovery.

admin/import/csv
  Enables you to import CSV data from the Import CSV Data page. Not applicable to BMC Helix Discovery.

admin/interface/read
  Enables you to view interface information from the Appliance Configuration page for network interfaces. Not applicable to BMC Helix Discovery.

admin/interface/write
  This permission is not used.

admin/log/delete
  Enables you to delete log files. Not applicable to BMC Helix Discovery.

admin/log/info
  Enables you to view log information. Not applicable to BMC Helix Discovery.

admin/log/read
  Enables you to read log files. Not applicable to BMC Helix Discovery.

admin/loglevel/read
admin/loglevel/write
  Enables you to read or write the appliance log level from the Logs page. Not applicable to BMC Helix Discovery.

admin/mail/read
admin/mail/write
  Enables you to view email configuration information from the Appliance Configuration page for mail settings. Not applicable to BMC Helix Discovery.

admin/routing/read
admin/routing/write
  Obsolete permissions.

API permissions

The following table lists the group permissions relating to API operations. 

Warning

The data/write API allows you to modify almost all of the data in the BMC Helix Discovery datastore. Some changes can violate the system’s expectations about the contents of nodes and relationships, and lead to errors in the user interface or in system behavior. For this reason you should avoid using the API to modify data maintained by the core system or by patterns. In general, the API should only be used to:

  • Add new nodes and relationships that are separate from those maintained by the system
  • Augment nodes that are maintained by the system by adding new attributes and relationships to them, while leaving their existing attributes and relationships unchanged

Because the API is intended for high volume data manipulation use cases, use of the API does not create Audit records. The api/datastore/write permission should only be given to users that have a specific need for it.


api/access
  Enables you to access the external APIs.

api/datastore/write
  Enables you to access the data/write API, which lets you modify almost all of the data in the BMC Helix Discovery datastore. Before granting this permission, ensure that you have read and understood the warning above.

api/datastore/import
  Enables you to access the data/import API, which lets you import data into the BMC Helix Discovery datastore.

api/event_source
  Enables you to create events for any event source. For more information, see Polling vCenter servers.

api/license_data
  Enables you to retrieve BMC Helix Discovery license data.

Appliance permissions

The following table lists the group permissions relating to appliance operations.

appliance/backup
  Enables you to perform an appliance backup or restore. Not applicable to BMC Helix Discovery.

appliance/info/read
appliance/info/write
  Enables you to view instance information (identity, support information, read-only information about the instance software configuration, and so on) from the Configuration page.
  To navigate to the Configuration page:
    1. From the main menu, click the Administration icon.
       The Administration page opens.
    2. In the Instance section, click Configuration.
       For more information, see Setting the instance identification.

appliance/maintenance
  Enables you to put the appliance into maintenance mode from the Appliance Control page. Not applicable to BMC Helix Discovery.

appliance/reboot
  Enables you to reboot the appliance from the Appliance Control page. Not applicable to BMC Helix Discovery.

appliance/reportsusage/reset
  Enables you to reset the report usage statistics.

appliance/restart
  Enables you to restart the appliance from the Appliance Control page. Not applicable to BMC Helix Discovery.

appliance/shutdown
  Enables you to shut down the appliance from the Appliance Control page. Not applicable to BMC Helix Discovery.

appliance/support
  Enables you to access the Appliance Support page. Not applicable to BMC Helix Discovery.

appliance/updatedevices
  Enables you to update device definition files.

Appserver permissions

The following table lists the group permissions relating to the appserver. Not applicable to BMC Helix Discovery.

appserver/debug
  Enables you to debug the appserver.

appserver/login
  Enables you to log in to the appserver.

appserver/module/*
  Enables you to access any module.

appserver/module/name
  Enables you to access the given module. The name is one of the following:
    • Application
    • Discovery
    • Home
    • Infrastructure
    • Reports
    • Setup
    • System

appserver/sessionaccess
  The user is allowed to see other users' sessions.

Baseline permissions

The following table lists the group permissions relating to baselining. Not applicable to BMC Helix Discovery.

baseline/admin
  Enables you to change the baseline configuration. Not applicable to BMC Helix Discovery.

baseline/read
  Enables you to view the baseline configuration from the Appliance Baseline page.

baseline/update
  Enables you to update the baseline configuration after changes have been seen from the Appliance Baseline page.

Cluster permissions

The following table lists the group permissions relating to clustering. Not applicable to BMC Helix Discovery.

cluster/file_distribution
  An internal permission. Do not use this.

cluster/management
  Enables you to perform cluster management operations. Not applicable to BMC Helix Discovery.

cluster/monitored_operation
  An internal permission. Do not use this.

CMDB synchronization permissions

The following table lists the group permissions relating to CMDB synchronization.

cmdb_sync
  Enables you to configure and manage CMDB synchronization. For more information, see CMDB synchronization.

Consolidation permissions

The following table lists the group permissions relating to consolidation. Not applicable to BMC Helix Discovery.

consolidation/consolidation/write
  Enables you to change the configuration on the consolidation appliance.

consolidation/discovery/write
  Enables you to add new consolidation targets to a scanning appliance from the Discovery Consolidation page on the UI.

consolidation/read
  Enables you to view the consolidation setup page from the Discovery Consolidation page on the UI.

Discovery permissions

The following table lists the group permissions relating to discovery.

discovery/credentials/test
  Enables you to test discovery credentials. For example, from the UI, you can test:
    • Discovery credentials from the Credential Tests tab.
    • Mainframe credentials from the Mainframe Credential Tests tab.
  For more information about Discovery and Mainframe Credentials, see Testing credentials.

discovery/filters/read
discovery/filters/write
  Enables you to view and modify sensitive data filters from the Sensitive Data Filters page of the UI.
  To navigate to the page:
    1. From the main menu, click the Administration icon.
       The Administration page opens.
    2. In the Discovery section, click Sensitive Data Filters.
       For more information, see Masking sensitive data.

discovery/host/access
  Enables you to query a host on the network. For more information, see Query Builder.

discovery/kslave/read
discovery/kslave/write
  Enables you to view and modify the Windows proxies. Not applicable to BMC Helix Discovery.

discovery/management
  An internal permission. Do not use this.

discovery/options/read
discovery/options/write
  Enables you to view and modify the discovery options. These are separate from the main system settings.

discovery/platforms/read
discovery/platforms/write
  Enables you to view and amend the platform discovery commands from the Discovery Platforms page of the UI.
    • discovery/platforms/read—View the platform discovery commands.
    • discovery/platforms/write—Amend the platform discovery commands.
  To navigate to the page:
    1. From the main menu, click the Administration icon.
       The Administration page opens.
    2. In the Discovery section, click Platforms.
       For more information, see Managing the discovery platform scripts.

discovery/port/settings
  Enables you to configure the port settings that Discovery uses. You can manage the port settings from the Discovery Configuration page on the UI.
  To navigate to the page:
    1. From the main menu, click the Administration icon.
       The Administration page opens.
    2. In the Discovery section, click Discovery Configuration.
       For more information, see port settings.

Model permissions

The following table lists the group permissions relating to the model.

model/audit/admin
  Enables you to administer the audit service. You can configure the reporting on audit events from the Audit Logs page.
  To navigate to the Audit Logs page:
    1. From the main menu, click the Administration icon.
       The Administration page opens.
    2. In the Security section, click Audit.
    3. Click Audit Logs.
       For more information, see the Auditing the system page.

model/audit/purge
  Enables you to purge the audit log. You can purge the audit log of all events that are over one month old (events less than one month old cannot be deleted) from the Audit Purge page.
  To navigate to the Audit Purge page:
    1. From the main menu, click the Administration icon.
       The Administration page opens.
    2. In the Security section, click Audit.
    3. Click Purge.
       For more information, see purging audit logs.

model/audit/read
model/audit/write
  Enables you to read or write to the audit log.

model/datastore/admin
  Enables you to administer the datastore.

model/datastore/internal/cluster
  An internal permission. Do not use this.

model/datastore/main/read
model/datastore/main/write
  Enables you to read or write to the datastore through the UI.

model/datastore/partition/*/read
model/datastore/partition/*/write
  Enables you to read or write to any partition which supports user interaction. For more information, see the Partitions and history page.

model/datastore/partition/name/read
model/datastore/partition/name/write
  Enables you to read or write to the given partition. The name is one of:
    • _Configuration
    • _System
    • Audit
    • Conjecture
    • DDD
    • Default
    • Logs
    • Taxonomy
  For more information, see the Partitions and history page.

model/search/cancel
model/search/list
  Enables you to cancel or list (view) searches submitted by all users.
  To navigate to the Search Management page:
    1. Click Administration.
    2. In the Model section, click Search Management.
  For more information about viewing and cancelling searches, see Using the Search service.

model/taxonomy/nodekind/read
  Enables you to read node information.

model/taxonomy/nodekind/write
  Enables you to write node information.

model/taxonomy/relkind/read
  Enables you to read relationship information.

model/taxonomy/relkind/write
  Enables you to write relationship information.

model/taxonomy/rolekind/read
  Enables you to read role information.

model/taxonomy/rolekind/write
  Enables you to write role information.

Reasoning permissions

These permissions relate to reasoning.

reasoning/events/read
reasoning/events/state
reasoning/events/write
  Internal permissions. Do not use these.

reasoning/internal
  An internal permission. Do not use this.

reasoning/open_scan
  Enables you to add IP addresses to an open scan.

reasoning/pattern/config
  Enables you to configure patterns. For more information, see Pattern Configuration.

reasoning/pattern/execute
  Enables you to execute patterns. For more information, see Manual pattern execution.

reasoning/pattern/write
  Enables you to write patterns using pattern templates from the appliance. The pattern templates can be downloaded from the Pattern Management page:
    1. Click Discovery.
    2. Click Pattern Management.
       For more information, see using pattern templates.

reasoning/provider
  An internal permission. Do not use this.

reasoning/ranges/read
  Enables you to view the Discovery Status page. The status of the discovery process displays on the Home tab in the Discovery Status summary. This page also displays the current status of the reasoning process. For more information, see Viewing discovery status page.

reasoning/ranges/write
  Enables you to cancel scans. You can cancel scans from the Discovery Status page.
  To navigate to the Discovery Status page:
    1. Click Discovery.
    2. Click Discovery Status.
  For more information, see Viewing discovery status.

reasoning/start
  Enables you to start reasoning. Not applicable to BMC Helix Discovery.

reasoning/startstop
  Enables you to start and stop reasoning. Not applicable to BMC Helix Discovery.

reasoning/status
  Enables you to view the reasoning status information. Not applicable to BMC Helix Discovery.

reasoning/stop
  Enables you to stop reasoning. Not applicable to BMC Helix Discovery.

Reports permissions

The following table lists the group permissions relating to Reports.

reports/read
  Enables you to read reports.

reports/write
  Enables you to write reports.

Security permissions

The following table lists the group permissions relating to security.

security/group/read
security/group/write
  Enables you to view and configure the groups that a user belongs to.
    • security/group/read—View the user group names and the corresponding permissions.
    • security/group/write—View, edit, delete, and create new groups.
  You can manage user groups from the Groups page of the UI.
  To navigate to the page:
    1. From the main menu, click the Administration icon.
       The Administration page opens.
    2. In the Security section, click Groups.

security/https/admin
  Enables you to configure the HTTPS settings. Not applicable to BMC Helix Discovery.

security/options/read
security/options/write
  Enables you to view and configure the user security information. Not applicable to BMC Helix Discovery.

security/sessions/view
  Enables you to view the discovery session log file.

security/user/activate
  Enables you to unlock and reactivate accounts for other users from the Users page of the UI.
  To navigate to the page:
    1. From the main menu, click the Administration icon.
       The Administration page opens.
    2. In the Security section, click Users.

security/user/never_deactivate
  Users with this permission are never deactivated, even if they are inactive (have not logged into the UI or used the API) for longer than the Account Deactivation threshold.

security/user/passwd
  Enables users to change their own BMC Helix Discovery password from the UI.

security/user/read
security/user/write
  Enables you to view and configure the user security information. Not applicable to BMC Helix Discovery.

System permissions

The following table lists the group permissions relating to system settings and configuration.

system/configuration/read
  Enables you to read system configuration.

system/configuration/write
  Enables you to write system configuration.

system/settings/read
  Enables you to read system settings.

system/settings/write
  Enables you to write system settings.

UI permissions

The following table lists the group permissions relating to specific user interface operations.

ui/dashboard/admin
  Enables you to administer the dashboard.

ui/datastore/admin
  Enables you to administer the datastore.

ui/taxonomy/admin
  Enables you to administer the taxonomy.

ui/report/admin
  Enables you to access the Generic Search Query page and enter search queries. By default, all admin users get this permission.
  To navigate to the Generic Search Query page:
    1. Click the Search icon to the left of the Search box at the top right of the User Interface.
       The Search Options drop-down panel is displayed.
    2. Click the Generic Search Query link.
       For more information, see Using the Search service.

Vault permissions

The following table lists the group permissions relating to the credential vault.

vault/close
vault/open
vault/passphrase
  Not applicable to BMC Helix Discovery.

vault/credential_types/read
  Enables you to manage the following types of credentials, which are grouped by the kind of system they access:
    • Device—To log on to hosts running a Unix, Linux OS, or Windows OS, or any SNMP enabled device such as routers and switches.
    • Database—To query databases.
    • Middleware—To query middleware such as web and application servers, and so on.
    • Management System—For vCenter, vSphere, and mainframe credentials.
  You can view and manage the credential types from the Credentials page of the UI. To navigate to the page, from the main menu, select Manage > Credentials. For more information, see the Credentials page.

vault/credentials/export
  Enables you to export the credential vault. When you export the vault, sensitive values, such as passwords, are encrypted in the export file using a key. The key is protected by a guard passphrase, which must be at least 8 characters in length. You can view and manage credentials from the Credentials page of the UI: from the main menu, click Manage > Credentials. For more information, see the Credentials page.

vault/credentials/read
vault/credentials/write
  Enables you to view and manage credentials (for example, Windows proxies, vSphere credentials, and so on).
    • vault/credentials/read—View the credentials.
    • vault/credentials/write—Manage the credentials.
  You can view and manage credentials from the Credentials page of the UI: from the main menu, click Manage > Credentials. For more information, see the Credentials page.

Note

The 'all' permission (*) allows the user to perform any tasks in BMC Helix Discovery. Each user has a token which is assigned by the security system and whenever a privilege is requested by a user, the security service checks the database to see if that particular user has permission to carry out that particular task.

However, the first check that BMC Helix Discovery carries out is to see if the user has the * permission. If the answer is yes, no further privilege checks will be carried out.
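The two rules this page states about permission checks, the four-permission login requirement given near the top and the '*' short-circuit described in the note above, can be modelled in a few lines. The following Python is an added example, not BMC product code: the permission names and the two rules come from this page, while the contents of the public, discovery and partition-reader groups, and the segment-wise treatment of a '*' inside a permission path (so that model/datastore/partition/*/read covers .../Audit/read), are constructed assumptions for illustration.

```python
"""Toy model of the permission checks described on this page.

Added example, not BMC product code.  Only the permission names and the two
rules (four permissions needed to log in; '*' is checked first and ends the
check) come from the page.  The group contents and the segment-wise wildcard
matching are constructed assumptions.
"""
from typing import Dict, List, Set

# Page: a user can log in only if their groups together grant all four.
LOGIN_PERMISSIONS = (
    "security/user/passwd",
    "appserver/login",
    "appserver/module/home",
    "model/datastore/partition/Default/read",
)

# Constructed group definitions (the page names these groups but does not
# list their exact permission sets; 'system' holding '*' is from the page).
GROUPS: Dict[str, Set[str]] = {
    "public": {*LOGIN_PERMISSIONS, "model/datastore/partition/Default/write"},
    "discovery": {"discovery/management", "vault/credentials/read",
                  "vault/credentials/write", "reasoning/open_scan"},
    "system": {"*"},
    "partition-reader": {"model/datastore/partition/*/read"},
}


def matches(granted: str, requested: str) -> bool:
    """True if a granted permission covers a requested one.

    A bare '*' covers everything (page: "matches anything").  Otherwise the
    two paths are compared segment by segment and a '*' segment stands for
    any single segment.  Segment-wise matching is an assumption; the page
    does not spell out the matching rule for embedded wildcards.
    """
    if granted == "*":
        return True
    g, r = granted.split("/"), requested.split("/")
    return len(g) == len(r) and all(gs in ("*", rs) for gs, rs in zip(g, r))


def effective_permissions(memberships: List[str]) -> Set[str]:
    """Union of the permissions of every group the user belongs to."""
    perms: Set[str] = set()
    for name in memberships:
        if name not in GROUPS:
            raise KeyError(f"unknown group: {name}")
        perms |= GROUPS[name]
    return perms


def has_permission(memberships: List[str], requested: str) -> bool:
    """Page: the '*' check comes first; if it passes, no further checks run."""
    perms = effective_permissions(memberships)
    if "*" in perms:
        return True
    return any(matches(p, requested) for p in perms)


def missing_login_permissions(memberships: List[str]) -> List[str]:
    """The login permissions that these memberships do not provide."""
    return [p for p in LOGIN_PERMISSIONS if not has_permission(memberships, p)]


def can_log_in(memberships: List[str]) -> bool:
    """Page: discovery alone cannot log in; discovery plus public can."""
    return not missing_login_permissions(memberships)


if __name__ == "__main__":
    for groups in (["discovery"], ["discovery", "public"], ["system"]):
        print(groups, "login:", can_log_in(groups),
              "missing:", missing_login_permissions(groups))
```

Running the block prints that a discovery-only user is refused with all four login permissions missing, that adding the public group clears the list, and that the system group passes every check through the '*' short-circuit. The missing_login_permissions report is the check worth running when a custom group is created: it names exactly which of the four login permissions the new group still lacks.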

