Setting up access control

As an administrator, set up users and user groups in BMC Helix Portal and set up authorization profiles in BMC Helix Operations Management to manage access control.

Important: Required permissions for the custom restricted-user role

  • For the out-of-the-box Operator role, all the required permissions are already granted. However, if you have created a custom restricted-user role, make sure that you assign the monitor.user_preferences.manage permission to the role. Without this permission, you cannot access BMC Helix Operations Management.
  • For a custom restricted-user role, assign the monitor.eexternal_entity_types.view permission so that the user can view external entities while adding or editing alarm policies.

Related topic

Setting up role-based access control in BMC Helix Portal

Authorization profiles

Use BMC Helix Operations Management to manage authorization profiles so that administrators and non-administrator users can successfully perform all the activities within the defined organizational boundaries while using the console. BMC Helix Operations Management uses BMC Helix SSO to authenticate users. With authorization profiles, you can implement role-based and data-level access control.

Authorization profiles are a grouping of the following types of information that is required to provide user-level permissions and data-level permissions:

Item | Type of access | Benefit
User groups | Role-based access control | Allows you to control permissions to the product features (based on user role) by assigning user groups to the authorization profile.
Objects | Data-level access control | Allows you to control access to data at multiple levels by assigning the following objects to the authorization profile:

  • PATROL solutions: Enables you to control access to PATROL solutions added while you are configuring monitor policies.
  • PATROL Agent ACLs: Enables you to control access to the list of PATROL agents grouped while configuring PATROL Agent ACLs.
  • Devices: Enables you to control access to the list of devices from which event data is collected.
  • Groups: Enables you to control access to groups of entities (or resources) such as devices and events by configuring groups.

Authorization profiles associate users who belong to one or more user groups with specific objects. By default, a user who is a member of the Administrators user group can create, edit, and delete authorization profiles.

Authorization profiles comprise user groups and objects, which you specify or select when creating or editing the profile. You cannot create or modify the required components when creating or modifying an authorization profile. The following diagram and table describe the required components and show their relationship to an authorization profile.


User groups

A named collection of users. You can associate multiple user groups within an authorization profile. You can also associate a user group to more than one authorization profile.

If an authorization profile contains only one user group and if that user group is deleted in BMC Helix SSO, actions on the authorization profile fail. You have to edit the authorization profile to add a different user group or delete the authorization profile.


Whenever you modify the user groups from BMC Helix SSO, you must edit the authorization profile and re-associate the modified user groups. If the profile is not updated, authentication fails for all the users who are associated with the modified user groups.


(Optional) Administrators can choose from a list of objects present in BMC Helix Operations Management and then associate the selected objects with the authorization profile:

You can create or configure the authorization profile components in any order, but you cannot create an authorization profile without them.

The following persona-based authorization profiles are available by default:

  • Administrator
  • Operator


For custom user roles, you can assign view and manage permissions for event and blackout policies.

For instructions on creating authorization profiles, see Configuring authorization profiles.

Users and user groups

From BMC Helix Operations Management, you cannot view, modify, or delete users and user groups. You must log in to BMC Helix Portal as a tenant administrator and perform the changes.

To access BMC Helix Portal, click the link in your welcome email from BMC.

In BMC Helix Portal, you need to assign user groups to appropriate roles to delegate access permissions to users.


To access BMC Helix Operations Management, the user must belong to at least one user group.
The user group must be associated with at least one authorization profile.
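
The access prerequisites on this page (user group membership, association with an authorization profile, the monitor.user_preferences.manage permission) and the deleted-user-group failure can be audited together from an inventory of users, groups and profiles. The following Python code is an added example, not BMC code; the data shapes and every sample user, group and profile name are constructed assumptions, not a product export format.

```python
# Added example: all names and data shapes below are constructed, not a BMC export format.
REQUIRED_PERMISSION = "monitor.user_preferences.manage"  # permission named on this page

SSO_GROUPS = {"ops-emea", "ops-apac", "noc-custom"}  # groups that still exist in SSO
USERS = {  # user -> user groups
    "alice": {"ops-emea"}, "bob": {"noc-custom"},
    "carol": set(), "dave": {"ops-apac"},
}
GROUP_PERMISSIONS = {  # user group -> permissions of the role assigned in the portal
    "ops-emea": {REQUIRED_PERMISSION},
    "ops-apac": {REQUIRED_PERMISSION},
    "noc-custom": set(),  # custom restricted-user role missing the permission
}
PROFILES = {  # authorization profile -> associated user groups
    "EMEA devices": {"ops-emea"},
    "Legacy": {"ops-old"},  # its only user group was deleted in SSO
    "NOC": {"noc-custom", "ops-old"},
}

def audit_profiles(profiles, sso_groups):
    """Report profiles that reference user groups no longer present in SSO."""
    findings = {}
    for name, groups in profiles.items():
        stale = groups - sso_groups
        if stale:
            findings[name] = {"stale_groups": sorted(stale),
                              "no_live_group": not (groups & sso_groups)}
    return findings

def audit_users(users, profiles, sso_groups, group_permissions):
    """Return {user: reason} for each user who fails an access prerequisite."""
    profiled = set().union(*profiles.values()) & sso_groups
    blocked = {}
    for user, groups in users.items():
        live = groups & sso_groups
        if not live:
            blocked[user] = "not a member of any user group"
        elif not live & profiled:
            blocked[user] = "no user group is associated with an authorization profile"
        elif not any(REQUIRED_PERMISSION in group_permissions.get(g, set()) for g in live):
            blocked[user] = "role lacks " + REQUIRED_PERMISSION
    return blocked

if __name__ == "__main__":
    for profile, finding in audit_profiles(PROFILES, SSO_GROUPS).items():
        print("profile", profile, finding)
    for user, reason in audit_users(USERS, PROFILES, SSO_GROUPS, GROUP_PERMISSIONS).items():
        print("user", user, "blocked:", reason)
```

A profile flagged with no_live_group is the case where actions on the profile fail until a different user group is added or the profile is deleted.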
