Configuring user roles and access groups

As a helix admin, you can manage roles and access groups in the Helix Capacity Optimization Console.

A role is a set of activities that a user can perform. A user can have one or more roles, and every role is assigned one or more activity. Each user can have different activities (access rights) associated with the user account. For example, an activity can be the ability to create a new model or analysis, or the ability to configure a domain. A single user might need to perform several activities. Therefore, all privileges can be aggregated into custom groups called roles.

You can enable access control to specific entities, such as domains, report groups, views, and view groups, by using access groups.

Managing roles

To manage and assign roles for user accounts, from the Helix Capacity Optimization Console, go to Administration > Users > Roles. The Roles page shows a summary table listing the currently defined user roles, their description, and the associated external names. From this page you can add, edit, or delete user roles. You can also use this page to generate an API key that allows you the programmatic access to the BMC Helix Capacity Optimization functionalities. For details, see Generating an API key for programmatic access.

Adding a role

On the Administration > Users > Roles page, click Add role, and do the following:

Specify a unique name and an optional description for the role.
Select one of the role assignments:
- Assign this role by default to all users on their login.
- Assign this role automatically to external users having external group names matching the list. In the External names box, specify the names of external users or user groups. For example, user groups created in the Helix Single Sign-On Server.
From the list of Available activities, select one or more activities to associate with the role, and then click >>.
- When you select the User accounts - Edit or User access groups - Edit activities, the User roles/access groups edit restrictions field is displayed. The options in this field enables you to toggle between allowing and restricting the creation of users based on roles and/or access groups as follows.
Click Save.

Click here to view the default activities

Activity	Allows you to...
Admin - Benchmarks	View the Benchmarks data in the Administration tab.
Admin - ETL tasks	Manage ETL Tasks in the ETL & System Tasks section in the Administration tab. Run ETLs
Admin - Reporting	Add, edit, and delete report templates and report groups.
Admin - System tasks	View System Tasks in the ETL & System Tasks section in the Administration tab.
Admin - Tasks - Edit	Add, edit, and delete System Tasks in the ETL & System Tasks section in the Administration tab.
Administration section - Edit	Edit the Data Warehouse and System sections in the Administration tab.
Calendar - Edit	View calendars Add and edit day classes for calendars
Capacity views section - edit	View all capacity views (out-of-the-box and custom views) Add and modify custom views.
Capacity views section - view	View all capacity views (out-of-the-box and custom views)
Chargeback section - edit	Manage the hierarchies, cost models, cost model templates, and cost objects.
Cloud Cost Control - Change status of recommendation	Edit the status of a recommendation in Cloud Cost Control.
Cloud Cost Control - edit	Manage the cloud cost control settings.
Cloud Cost Control - Execute recommendation	Run the recommendations in Cloud Cost Control.
Cloud Cost Control - View Consumer perspective	View only the following pages in the Cloud Cost Migration section of the Dashboard: Budget Business Services Cost Pools Servers Cost Optimization
Cloud Cost Control - View planner perspective	View all the pages in the Cloud Cost Control section of the Helix Capacity Optimization Dashboard.
Cloud Cost Control Budget - edit	Edit budgets in Cloud Cost Control.
Cloud Cost Control Budget notification - edit	Edit budget notifications in Cloud Cost Control.
Domains and entities - Edit	Add, edit, and delete domains, systems, and business drivers.
Domains and entities - View	View active systems and business drivers associated to one or more domains.
Edit/Create analysis templates	Create custom analysis templates. Edit and delete existing analysis templates.
Enable a user to instantiate global reports	Create global reports for auditing or self-monitoring of the product, or the technology reports for all the domains of Helix Capacity Optimization. For details, see Out-of-the-box report templates.
Enable access to Time forecasting model API	View the Time forecasting model API. For details, see Time forecast model API.
Event Manager pages - Edit	Add, edit, and delete event rules in the Event Manager section of Administration tab.
Event Manager pages - View	View the event rules in the Event Manager section of Administration tab.
General Manager - Edit	Add, edit, and delete Gateway Servers and Agent Lists in the Gateway Manager section of the Administration tab.
General Manager - View	View the Gateway Servers, Agent Lists, and Manager runs.
Investigate section - edit	Add and modify Investigate studies and study groups. View Investigate studies and study groups.
Investigate section - view	View Investigate studies and study groups.
Manage entities outside the ACL	Access all the systems and business driver nodes for inactive, dismissed, or newly discovered entities.
Optimizer - Edit	Create, edit, or delete thresholds. View metrics and indicators for a threshold. Create, edit, or delete optimizer rules and run alerts. View alert logs in the Administration tab.
Optimizer - View	View alert logs in the Administration tab. View metrics and indicators for a threshold.
Read access to Backend Control API	Access and view the Backend Control API.
Read access to Capacity views API	Access and view the Capacity views API.
Read access to Chargeback API	Access and view the Chargeback API.
Read access to Data API	Access and view the Data API.
Read access to Investigate API	Access and view the Investigate API.
Read access to Reservation API	Access and view the Reservation API.
Read access to Search API	Access and view the Search API.
Reports - Publish	Publish or unpublish reports.
Reports section - View	View the reports section in the console.
Reservations section - Edit	Create, edit, or delete a reservation.
Reservations section - View	View the existing reservations.
Tags in Capacity views section - edit	Add tags to resources. Modify and delete tags that are already added to resources.
Tags in Capacity views section - view	View tags on resources.
User access groups - Edit	Manage user access groups from the Administration tab.
User accounts - Edit	Manage user accounts from the Administration tab.
User roles - Edit	Manage user roles from the Administration tab.
Virtual Planning section	Add, edit, and delete studies and study profiles.
Workspace section - Analyses - Edit	Create and edit analysis in the Workspace tab.
Workspace section - Analyses - View	View analysis in the Works folder.
Workspace section - Global filter- Edit	Add, delete, copy, or move global filters in the Workspace tab.
Workspace section - Models - Edit	Add, edit, and delete models.
Workspace section - Models- View	View models saved in the Works folder.
Workspace section - Reports - Edit	Add, edit, and delete reports.
Workspace section - Reports - View	View reports saved in the Works folder.
Write access to Backend Control API	Edit the Backend Control API. For details, see Backend Control API.
Write access to Capacity views API	Edit the Capacity views API.
Write access to Chargeback API	Edit the Chargeback API. For details, see Chargeback API.
Write access to Data API	Edit the Data API. For details, see Data API.
Write access to Investigate API	Edit the Investigate API.
Write access to Reservation API	Edit the Reservation API. For details, see Reservation API.
Write access to Search API	Edit the Search API. For details, see Search API.

Editing a role

On the Administration > Users > Roles page, do one of the following:

Click the role name that you want to edit, modify the required properties and click Save.
Click edit this role corresponding to the role you want to edit, modify the required properties and click Save.

Deleting a role

On the Administration > Users > Roles page, do one of the following:

Click the role name that you want to delete. The role is deleted.
Click delete this role corresponding to the role you want to delete. Click Proceed to delete the selected role.

Example scenario: Assign read-only access to Chargeback API

Alan is an administrator of BMC Helix Capacity Optimization. He wants to grant read-only permission to a user group for accessing the Chargeback API.

Alan performs the following steps:

Create a user group and add users.
1. Log in to the Helix Single Sign-On Server.
2. Create a user group (for example, Chargeback_Consumers) and add the required users.
For more information about creating users and user groups, see Setting up users and user groups.
Create and configure a role.
1. Log in to the Helix Capacity Optimization Console.
2. Click Administration > USERS > Roles > Add role.
3. Specify a role name and a description.
4. Assign this role automatically to external users having external group names matching the list. In the External names field, specify the group name you created in the Helix Single Sign-On Server to associate with the role. For example, Chargeback_Consumers
5. Under Activities, select Read access to Chargeback API from the Available list, and click >> >> to move it to the Selected list.
6. Save the changes.

The users who belong to the Chargeback_Consumers group can now access the Chargeback API to retrieve the information. To provide similar read-only access to a new user, Alan can create the user and add it to the Chargeback_Consumers group.

Managing access groups

Use the Access groups page in the Helix Capacity Optimization Console to add or delete access groups, view a summary of the currently defined access groups, and to assign access groups to user accounts. From this page, you can configure an access group for domains, report groups, task groups, or cost pools.

To configure an access group for views or view groups, use the Capacity Views page in the Helix Capacity Optimization Dashboard. For more information, see Editing and deleting views.

Adding a new access group

On the Administration > Users > Access groups page, click Add access group, and do the following:

Specify a unique name and an optional description for the access group.
For access group assignment, select one of the following:
- Assign this access group by default to all users on their login.
- Assign this access group automatically to external users having external group names matching the list. In the External names box, specify the names of external users or user groups to associate with this access group, separated by a semi-colon (";"). For instance, if you specify BMC external users as the external name for an access group, all external users that have external name mapping to BMC external users will be automatically assigned the corresponding access group on logging in to BMC Helix Capacity Optimization.
Click Save.

Configuring an access group

To configure an access group, follow these steps:

Click the access group name in the Access groups table.
On the Visible Entities table, click Edit, and select Edit domains, Edit report groups, Edit task groups, or Edit cost pools.
The Edit cost pools option is available only if Cloud Cost Control is installed and at least one cost pool is created.
Depending on the element selection in the previous step, select the specific element values.
(Only for report groups) Select the Recurse on contained report groups check box if you want to import all the contained domains or report groups respectively.
Click Save.

Editing or deleting an access group

When editing an access group, you can delete single items or groups. Deleting a group also removes all its descendants. Similarly, if you create a sub-domain under one of the domains allowed by an access group, all members of the group will be able to access it.

Click an access group to edit or delete from the Access groups table. Alternately, you can also click the buttons to perform these actions directly.
The detail page for the selected access group is displayed in the working area, listing all activities associated with the account.
Click Edit or Delete.
For Edit, the Edit access group page is displayed. Make changes, and click Save.
Clicking Delete will present a confirmation and information (only if you click the buttons directly) box. Click Proceed to delete the selected access group.