This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

Managing local users and passwords

As a BMC Helix Single Sign-On administrator, you can create users stored locally on the BMC Helix Single Sign-On server for any realm with Local authentication type. Local users can access applications belonging to their realm. You can also add local groups, and then add users to these groups. Groups represent roles in your organization and can be used to control access to applications for which the single sign-on experience is enabled. For the difference between user, end user, and local user, see Glossary.



Creating and managing local users in the BMC Helix SSO Admin Console

If you have a realm configured for Local authentication on the BMC Helix SSO server, perform the following tasks in the BMC Helix SSO Admin Console:

  1. Create local users for a realm.
  2. (Optional) Create groups needed by your organization, and then add users to the appropriate groups.

Before you begin

Configure a realm for Local authentication.

To add a local user

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Users.

  3. From the Realm list, select a realm.

    Important

    To authenticate a user in all realms available on your BMC Helix SSO server, add the user to the default _empty_ realm. This is a technical realm, and it is not shown on the Realms page.

    Users added to the _empty_ realm can access applications from any realm available on the BMC Helix SSO server.

  4. Click Add User, and complete the following fields:

    Login Name: Enter the user's login name. The login name is case insensitive. You cannot modify the login name after it is created.
    User Name: Enter the user's full name.
    Password: Enter the user's password. The password must be different from the login and email, be between 8 and 128 characters long, and contain uppercase letters, lowercase letters, digits, and special characters. Do not use a space as the first or the last character of the password. Spaces are allowed between the first and the last character.
    Confirm Password: Reenter the user's password.
    Description (Optional): Provide a description of the user.
    Enabled (Optional): Select this option to enable or disable a user in the BMC application. If you disable a user who is currently logged in to a BMC application, ensure that you invalidate the old sessions or OAuth2 tokens (if any) of the user. For more information, see Invalidating and configuring end user sessions.
    Force user to reset password (Optional): Select this option to force a local user to reset their password. For more information, see To force a local user to reset password.

  5. Click Add.
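
The password rules listed for the Password field can be checked before accounts are created, for example when preparing a batch of initial passwords. The following is an added example, not BMC code. It assumes that the comparison with the login name and email ignores case and that a special character is any character that is not a letter, a digit, or whitespace; the function name and the sample accounts are constructed for illustration.

```python
MIN_LEN, MAX_LEN = 8, 128  # length bounds stated on this page


def password_policy_violations(password, login_name, email=""):
    """Return the rules a candidate password breaks; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be between 8 and 128 characters")
    # Assumption: compare case-insensitively, because login names are case
    # insensitive. This is at least as strict as the rule on the page.
    folded = password.casefold()
    if folded == login_name.casefold():
        problems.append("must differ from the login name")
    if email and folded == email.casefold():
        problems.append("must differ from the email")
    if password.startswith(" ") or password.endswith(" "):
        problems.append("must not start or end with a space")
    # Assumption: a special character is anything that is not a letter, a
    # digit or whitespace; the page does not list the accepted characters.
    required = {
        "an uppercase letter": str.isupper,
        "a lowercase letter": str.islower,
        "a digit": str.isdigit,
        "a special character": lambda c: not (c.isalnum() or c.isspace()),
    }
    for name, test in required.items():
        if not any(test(c) for c in password):
            problems.append(f"must contain {name}")
    return problems


# Constructed (login, email, password) samples, not real credentials.
SAMPLES = [
    ("jdoe", "jdoe@example.com", "Correct Horse 9!"),  # inner spaces are allowed
    ("jdoe", "jdoe@example.com", " Leading1!space"),   # starts with a space
    ("Jdoe@Example.com", "", "jdoe@example.com"),      # same as the login name
    ("jdoe", "jdoe@example.com", "short1!"),           # 7 characters, no uppercase
]

if __name__ == "__main__":
    for login, email, candidate in SAMPLES:
        result = password_policy_violations(candidate, login, email)
        print(repr(candidate), "->", result or "OK")
```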

To change a local user's password 

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Users.

  3. From the Realm list, select a realm.

  4. Locate the user, and in the Action column, click Change Password.
  5. In the New Password field, enter the new password, and in the Confirm Password field, enter the password again.
  6. Click Change Password.
    All local users' sessions are removed after the password change.

To enable the lockout functionality for local users

Local user account lockout is configurable per tenant. This functionality is not available in the chaining mode.

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Configuration.
  3. In Lockout threshold, select the number of unsuccessful login attempts after which the local user's account is locked.

    Important

    To disable the account lockout functionality, select 0.

    For example, if you select 3, the local user is locked after the third attempt to log in with an incorrect password.
    For a fresh installation and for newly created tenants in an upgraded environment, the default lockout threshold is 5. For an upgrade, the default value is 0.
    Unsuccessful login attempts are counted within 1 min.

  4. In Lockout interval, select the duration for which the local user account is locked.
    The default lockout interval is 30 min.

To unlock a locked local user account

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Users.
  3. Click the lock icon.

A locked local user account can also be unlocked in the following ways:

  • The system unlocks the local user account automatically within 10 min after the lockout interval expires.
  • Local users unlock themselves when providing correct credentials after the lockout interval expires.

The cross and lock icons are shown when a local user is locked.
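
The lockout threshold, the 1 min counting period, the lockout interval, and the two unlock paths interact in time. The following model is an added example, not BMC code, that replays a constructed login timeline against those settings. It assumes that the 1 min period is a sliding window, that a wrong password after the interval expires starts a fresh count, and that a successful login does not reset the count; the class and function names are hypothetical.

```python
WINDOW_S = 60             # failed attempts are counted within 1 min
AUTO_UNLOCK_MAX_S = 600   # system unlock happens within 10 min of expiry


class LocalUserLockout:
    """Model of one local user's lockout state (not the product's code)."""

    def __init__(self, threshold=5, interval_s=30 * 60):
        self.threshold = threshold    # Lockout threshold; 0 disables lockout
        self.interval_s = interval_s  # Lockout interval; default 30 min
        self.failures = []            # timestamps of counted failures
        self.locked_at = None

    def may_show_locked(self, now):
        """True while the lock flag can still be set if the user never logs in."""
        if self.locked_at is None:
            return False
        return now < self.locked_at + self.interval_s + AUTO_UNLOCK_MAX_S

    def attempt(self, now, password_ok):
        """Return 'ok', 'denied' or 'locked' for a login at `now` (seconds)."""
        if self.locked_at is not None:
            if now < self.locked_at + self.interval_s:
                return "locked"       # correct credentials are refused too
            # Interval expired. Assumption: a wrong password starts a fresh count.
            self.locked_at, self.failures = None, []
        if password_ok:
            return "ok"               # assumption: does not reset the count
        if self.threshold == 0:
            return "denied"
        # Assumption: "within 1 min" is a sliding window ending at `now`.
        self.failures = [t for t in self.failures if now - t < WINDOW_S]
        self.failures.append(now)
        if len(self.failures) >= self.threshold:
            self.locked_at = now
        return "denied"


def replay(events, **settings):
    """Feed (time_s, password_ok) events to a fresh user; return each outcome."""
    user = LocalUserLockout(**settings)
    return [user.attempt(t, ok) for t, ok in events]


# Constructed timeline: the third failure at t=40 locks until t=1840.
TIMELINE = [(0, False), (20, False), (40, False), (50, True),
            (1839, True), (1840, True)]

print(replay(TIMELINE, threshold=3))
```

With the default 30 min interval, the model shows that the lock flag can remain set for up to 40 min after the lockout if the user does not log in again.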

The following screenshot shows the local user's login page after the user has provided correct credentials, but the account has been locked:

To force a local user to reset password

For security reasons, the BMC Helix SSO administrator can force users to reset their password when they successfully log in to the BMC application integrated with BMC Helix SSO. Users must enter a new password that is not the same as the previous one. After the user resets the password, the Force user to reset password check box is cleared.

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Users.
  3. From the Realm list, select a realm.
  4. Locate the user, and in the Action column, click Edit User.
  5. Select the Force user to reset password check box.
    You can also select this check box while adding a local user.
  6. Click Save.
  7. (Optional) To force several users to reset password, repeat steps 3-6.

The following screenshot shows the local user's login page after forced password reset:


To search for a local user

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Users.

  3. In the Users tab search field, enter the search criteria by using the following format:
    text=<searchText/*> AND enabled=<true/false/*>

  4. Click Enter.

The following table describes how to use the search criteria:

text=<searchText/*>

    Use text= to enter a string to search for the value of one of the following fields:

      • User Name
      • Login Name
      • Description

    You can pass a partial search value enclosed in % for text to search for all users having the partial search value in one of the User Name, Login Name, or Description fields.

    You can use an asterisk as a wildcard to return all users.

    Examples:

      • text=BMC returns users with the exact value of "BMC" in one of the 3 fields.
      • text=%BMC% returns users with "BMC" as a partial value, such as "BMCadmin" as User Name.
      • text=* AND enabled=true returns all enabled users.

enabled=<true/false/*>

    Use enabled= to enter a string to search on users' enabled state.

    You can use an asterisk as a wildcard to return users in any enabled state.

    Examples:

      • enabled=false returns disabled users.
      • text=* AND enabled=* returns all users (enabled and disabled).
      • text=BMC AND enabled=true returns all enabled users with the exact value of "BMC" in one of the 3 fields.
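
The search criteria above can be reproduced offline, for example to review an exported user list for disabled accounts. The following parser and matcher is an added example, not BMC code. It assumes case-sensitive matching and treats an omitted clause as a wildcard, as the single-clause examples above suggest; the record field names and the sample users are constructed for illustration.

```python
import re

CLAUSE = re.compile(r"^(text|enabled)=(.+)$")
TEXT_FIELDS = ("user_name", "login_name", "description")


def parse_criteria(query):
    """Split 'text=... AND enabled=...' into a dict; a missing clause means '*'."""
    criteria = {"text": "*", "enabled": "*"}
    for clause in query.split(" AND "):
        match = CLAUSE.match(clause.strip())
        if not match:
            raise ValueError(f"unsupported clause: {clause!r}")
        criteria[match.group(1)] = match.group(2)
    if criteria["enabled"] not in ("true", "false", "*"):
        raise ValueError("enabled must be true, false or *")
    return criteria


def matches(user, criteria):
    """Apply parsed criteria to one user record."""
    text, enabled = criteria["text"], criteria["enabled"]
    if enabled != "*" and user["enabled"] != (enabled == "true"):
        return False
    if text == "*":
        return True
    if len(text) > 2 and text.startswith("%") and text.endswith("%"):
        return any(text[1:-1] in user[f] for f in TEXT_FIELDS)  # partial value
    # Assumption: matching is case-sensitive; the page does not say.
    return any(text == user[f] for f in TEXT_FIELDS)            # exact value


def search(users, query):
    """Return the login names of the users that satisfy the query."""
    criteria = parse_criteria(query)
    return [u["login_name"] for u in users if matches(u, criteria)]


# Constructed records; the field names are illustrative, not the product's schema.
USERS = [
    {"login_name": "bmcadmin", "user_name": "BMCadmin", "description": "", "enabled": True},
    {"login_name": "svc1", "user_name": "BMC", "description": "service", "enabled": False},
    {"login_name": "jdoe", "user_name": "Jane Doe", "description": "BMC", "enabled": True},
]

if __name__ == "__main__":
    for q in ("text=BMC", "text=%BMC%", "enabled=false", "text=BMC AND enabled=true"):
        print(q, "->", search(USERS, q))
```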

To add a group to a realm

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Groups.
  3. From the Realm list, select a realm.
  4. Click Add Group, and complete the following fields:

    Group Name: Enter the group name. You cannot modify the group name after it is created.
    Description: Enter a description for the group.

  5. In the Action column, click Save.

To add or remove local users from a group

  1. Log in to the BMC Helix SSO Admin Console.
  2. Select Local User > Groups.
  3. From the Realm list, select a realm.
  4. Locate the group and, in the Action column, click Assign/Remove User(s).
  5. Use the appropriate procedure to assign or remove users to or from the group.
    • To assign users to a group
      • In the Available users column, select one or more users and click Assign to move the users to the Assigned users column.
      • To assign all users in the list, in the Available users column, select the top check box and click Assign to move the users to the Assigned users column.
      • Search for users in the Search field of the Available users column, select them, and click Assign to move them to the Assigned users column.
    • To remove users from a group
      • In the Assigned users column, select one or more users and click Remove to move the users to the Available users column.
      • To remove all users in the list, select the top check box in the Assigned users column, and click Remove to move the users to the Available users column.
      • Search for users in the Search field of the Assigned users column, select them, and click Remove to move them to the Available users column.
  6. Click Done.
