User access

A user refers to an entity or person that can be authenticated into BMC Helix Portal. Each user is given a unique identity within a tenant. 

Users can be of different types based on how they access BMC Helix Portal:

  • Users that require console access: Tenant administrators and users that are manually created by the tenant administrator require credentials to access the BMC Helix Portal console. External users imported from a supported identity provider (IdP) or synced from another BMC product can access BMC Helix Portal by using their existing credentials. For more information, see User identities
    A user can access BMC Helix Portal by using their credentials both via the UI and programmatically. However, we recommend that you use the API user credentials for programmatic access or to run APIs. 
  • API users that require programmatic access: API users have the API key, which includes the access key (similar to a user name) and the secret key (similar to a password). The API key can be used for programmatic access to BMC Helix Portal. This key can be generated by the tenant administrator (at a tenant level) or by an individual user (at a user level).

The following image describes the different types of users based on the different types of access:

Console access 

Tenant administrators receive credentials to access the  BMC Helix Portal console by the BMC SaaS Operations team. They have administrator privileges and have complete access to all the common services and integrated products. Tenant administrators can perform the following actions to manage user authorization:

  • Create all other users including API users.
  • Create groups of users and provide access permissions to individuals users and groups via roles.
  • Create or delete other administrators. 
    However, tenant administrators cannot change the password for any user in the system. Individual users can change their own passwords by clicking the Forgot Password link on the logon screen. 

    As an IdP user, can I change the password?

    No. As an IdP user, you cannot change the password from the logon screen. The Forgot Password link is available on the logon screen for local users only. Local users include users created manually in BMC Helix Portal and local users synced for cross-product access.

For more information about permissions, see User identities and Roles and permissions.

Programmatic access

API users can programmatically authenticate into BMC Helix Portal with the access key (similar to a user name) and the secret key (similar to a password). The access key and the secret key are generated as a set. 

These keys can be generated at a tenant level or at a user level:

  • Tenant level: Generated by a tenant administrator at the time of creating an API user. The API user contains the API key. These keys are created from the API Users tab section under User access > Users
    The tenant-level API key can be used by any user with the correct permissions under that tenant. A tenant administrator can grant appropriate access permissions to the API users by associating them with appropriate roles or groups that are already associated with the appropriate roles.

  • User level: Generated by an individual user at the time of creating the user-level API key. These keys are created from the user profile section.  
    The user-level key can only be used by the user who generated the API key. Because the API key applies to an individual user only, it inherits the individual user's access permissions.

The configuration details required for creating the tenant-level keys and the user-level keys is the same. 

Is there a difference between the tenant-level and user-level keys?

No, there is no difference.

The API key refers to the access key and the secret key generated as a set. The API user contains the API key. The API user is also a logical representation of a robotic user who needs programmatic access. 

While API users can be assigned access permissions via roles, the user-level API keys inherit permissions from the individual users.

Where to go from here

To create or delete a user that requires console access, see Setting up users for console access.

To create, edit, or delete an API user, see Setting up API users for programmatic access

Was this page helpful? Yes No Submitting... Thank you