• Spaces
  • Collections
  • Help
    • ×
     
     
    •  
    BMC Helix Single Sign-On 22.1

    Page tree

     

    This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

    To view an earlier version, select the version from the Product version menu.


    Actions that the administrator can perform in the BMC Helix Single Sign-On Admin Console depend on their role and permissions. 

    Related topics

    Planning



    Setting up BMC Helix SSO administrator accounts

    User roles

    As an administrator in the BMC Helix SSO Admin Console, you can have one of the following roles:

    RoleDescription
    SaaS administrator

    SaaS administrator users have full rights to create, activate, delete, or temporarily deactivate other tenants. Users with this role can view and change the configuration of any tenant registered on the BMC Helix SSO server.

    From the SaaS tenant, SaaS administrators can create other SaaS administrator users.

    From a customer tenant, SaaS administrators can create tenant administrator users.

    Tenant administrator

    Tenant administrator users have full rights to manage local users for realms in their tenant.

    Starting from Helix SSO 21.3 release, Tenant administrators can perform the following actions in the BMC Helix SSO Admin Console:

    • Review and change Helix SSO configuration through the admin console.
    • Use Helix SSO admin REST APIs, which includes but not limited to:
      • modify allowed by SaaS Admin realms and IdPs in them.
      • manage local users or groups.
      • customize the end-user login page.
      • define login id transformation policies.
    • Review users logged into the system on the Session tab.
    • Review user and administrator related audit events.
    • Troubleshoot authentication issues independently.

    Starting from Helix SSO 22.1 release, Tenant administrators have access to edit OAuth2 settings in the BMC Helix SSO Admin Console.

    Permissions in the BMC Helix SSO Admin Console

    Depending on your role, you have the following permissions for accessing features in the BMC Helix SSO Admin Console:

    Feature in the BMC Helix SSO Admin Console

    		SaaS administratorTenant administratorReference

    BMC Helix SSO server configuration

    		SupportedNot supportedConfiguring the BMC Helix SSO server

    BMC Helix SSO server configuration import and export

    		SupportedNot supportedExporting and importing BMC Helix SSO server configuration
    Realms managementSupportedPartially supportedAdding and configuring realms
    User sessions managementSupportedPartially supported
    		Invalidating and configuring end user sessions
    Local users managementSupportedPartially supportedConfiguring Local authentication
    OAuth 2.0 clients managementSupportedNot supportedConfiguring OAuth 2.0
    LaunchPad applications managementSupportedNot supportedAdding applications to the Digital Service Management page
    Administrator users managementSupportedNot supportedSetting up BMC Helix SSO administrator accounts
    Tenant managementSupportedNot supportedActivating tenants
    The login and logout activities of all users in BMC Helix SSO are displayed in the BMC Helix SSO log files.

    How users can be created on the BMC Helix SSO server

    You can create administrator users who have access and perform tasks in the BMC Helix SSO Admin Console by one of the following methods:

    The default administrator user

    After the SaaS administrator logs in to the BMC Helix SSO server for the first time as the default administrator, the SaaS administrator can change the default password. For details about how to do this, see Setting up BMC Helix SSO administrator accounts.

    Internal administrator users on the BMC Helix SSO server

    SaaS administrators can create the following users in the BMC Helix SSO Admin Console from the Admin User tab.

    • In the SaaS tenant, create SaaS administrators.
    • In a customer tenant, create tenant administrators. 

    For information about how to create users, see Setting up BMC Helix SSO administrator accounts.

    External LDAP users with granted administrator privileges for BMC Helix SSO

    To distribute responsibility between BMC Helix SSO administrators, a SaaS administrator can grant administrator privileges to users from an external LDAP directory. External users can log in to the BMC Helix SSO Admin Console, and perform administrative tasks available to them.  

    To grant the SaaS administrator privileges to external users, in the SaaS tenant, a SaaS administrator must configure the LDAP authentication on the Server Configuration page in the BMC Helix SSO Admin Console.

    To grant the tenant administrator privileges to external users, in a customer tenant, a SaaS administrator must configure LDAP authentication on the Server Configuration page in the BMC Helix SSO Admin Console. For instructions on how to configure LDAP for external users, see Configuring authentication for BMC Helix SSO administrators.

    Important

     External users with administrator privileges in BMC Helix SSO follow the password policies enforced by LDAP. 

    © Copyright 2005-2023 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.