Setting up access control
As an administrator, set up users and user groups in BMC Helix Portal and set up authorization profiles in BMC Helix Operations Management to manage access control.
Important: Required permissions for the custom restricted-user role
- For the out-of-the-box Operator role, all the required permissions are already granted. However, if you have created a custom restricted-user role, make sure that you assign the monitor.user_preferences.manage permission to the role. Without this permission, you cannot access BMC Helix Operations Management.
- For a custom restricted-user role, assign the monitor.eexternal_entity_types.view permission so that the user can view external entities while adding or editing alarm policies.
Use BMC Helix Operations Management to manage authorization profiles so that the administrators and non-administrator users can successfully perform all the activities within the defined organizational boundaries while using the console. BMC Helix Operations Management uses BMC Helix SSO to authenticate users. With authorization profiles, you can implement role-based and data-level access control.
Authorization profiles group the following types of information, which are required to provide user-level permissions and data-level permissions:
|Type of access|Description|
|Role-based access control|Allows you to control permissions to the product features (based on user role) by assigning user groups to the authorization profile.|
|Data-level access control|Allows you to control access to data at multiple levels by assigning the following objects to the authorization profile:|
Authorization profiles comprise user groups and objects, which you specify or select when creating or editing the profile. You cannot create or modify the required components when creating or modifying an authorization profile. The following diagram and table describe the required components and show their relationship to an authorization profile.
A named collection of users. You can associate multiple user groups within an authorization profile. You can also associate a user group to more than one authorization profile.
If an authorization profile contains only one user group and that user group is deleted in BMC Helix SSO, actions on the authorization profile fail. You have to edit the authorization profile to add a different user group or delete the authorization profile.
Whenever you modify the user groups from BMC Helix SSO, you must edit the authorization profile and re-associate the modified user groups. Otherwise, authentication fails for all the users who are associated with the modified user groups.
(Optional) Administrators can choose from a list of objects present in BMC Helix Operations Management and then associate the selected objects with the authorization profile:
You can create or configure the authorization profile components in any order, but you cannot create an authorization profile without them.
The following persona-based authorization profiles are available by default:
For custom user roles, you can assign view and manage permissions for event and blackout policies.
For instructions on creating authorization profiles, see Configuring authorization profiles.
Users and user groups
From BMC Helix Operations Management, you cannot view, modify, or delete users and user groups. You must log in to BMC Helix Portal as a tenant administrator and perform the changes.
To access BMC Helix Portal, click the link in your welcome email from BMC.
In BMC Helix Portal, you need to assign user groups to appropriate roles to delegate access permissions to users.
BMC Helix Operations Management, the user must belong to at least one user group.
The user group must be associated with at least one authorization profile.
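The dependencies described on this page (user to user group, user group to authorization profile, profile to a user group that still exists in BMC Helix SSO, and the monitor.user_preferences.manage permission on custom roles) can be checked in a periodic access review. The following is an added example, not BMC code: the inventory layout, the function name audit_access, and all sample names are assumptions, with the data assembled by hand rather than read from any BMC API.

```python
# Added example; the inventory structure is an assumption, not a BMC export format.
REQUIRED_CUSTOM_PERMS = {"monitor.user_preferences.manage"}  # named on this page


def audit_access(inv):
    """Return sorted (check, subject) findings for an access inventory."""
    findings = []
    sso_groups = set(inv["sso_groups"])   # groups that currently exist in SSO
    profiles = inv["profiles"]            # profile name -> associated user groups
    profiled = {g for members in profiles.values() for g in members}

    for user, groups in inv["users"].items():
        live = set(groups) & sso_groups
        if not live:
            # The user must belong to at least one user group.
            findings.append(("user-without-group", user))
        elif not live & profiled:
            # The group must be associated with at least one profile.
            findings.append(("user-without-profile", user))

    for name, members in profiles.items():
        if not set(members) & sso_groups:
            # Every associated group is gone from SSO, so actions on the
            # profile fail until it is edited or deleted.
            findings.append(("profile-without-live-group", name))

    for role, perms in inv["custom_roles"].items():
        if not REQUIRED_CUSTOM_PERMS <= set(perms):
            findings.append(("role-missing-required-permission", role))
    return sorted(findings)


# Constructed sample data; every name here is hypothetical.
SAMPLE = {
    "sso_groups": ["noc-operators", "db-admins"],
    "users": {"alice": ["noc-operators"], "bob": ["db-admins"], "carol": []},
    "profiles": {"NOC profile": ["noc-operators"], "Legacy profile": ["old-ops"]},
    "custom_roles": {
        "restricted-operator": ["monitor.user_preferences.manage"],
        "restricted-viewer": [],
    },
}

if __name__ == "__main__":
    for check, subject in audit_access(SAMPLE):
        print(f"{check}: {subject}")
```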