Roles and permissions

You can use roles and permissions to configure role-based access control (RBAC) for all the integrated products from a central place. You do not need to manage authorization and RBAC for each of the integrated products separately.

You can configure roles to delegate access permissions to users and groups of users.  

Out-of-the box roles and permissions

You can view all the out-of-the-box roles inherited from the integrated products on the Roles and permissions page of the BMC Helix Portal consoleThe tenant administrator can set up additional roles and assign appropriate permissions to them.

All the permissions available for assigning to a role are inherited from the individual integrated products. You cannot create new permissions. You can only assign existing permissions while creating or editing roles. You can assign permissions for viewing (also known as listing), creating, modifying, deleting, or managing objects. You can assign one or more permissions to roles as needed. 

As a tenant administrator, you can control access to various features available with the integrated products and common services at a granular level.

The following image displays a few out-of-the-box permissions:

  • Application or Service indicates the integrated products or common services.
  • Resource indicates the objects to which you want to provide permissions.
  • Permission indicates the level of access that you want to provide. 

For more information about the list of permissions, see List of permissions.

Access permissions for users and user groups

As a tenant administrator, you can manage authorization for individual users, irrespective of their type, by granting them appropriate access permissions. You can grant these permissions while creating a role and assigning individual users and user groups to the role. For effectively managing role-based access control (RBAC), we recommend that you add users to appropriate groups. The tenant administrator must review and update the assignment of users or groups to various roles based on the unique requirement of the customer. 

You can limit access permissions for users at a granular level. For example, you can grant permissions to only specific BMC products and common services. You can go a step further and grant permissions to only specific objects or features related to the products and services. You can even control the level of access that you want to grant for those objects. For example, you can restrict access to only viewing or only creating the objects. You can assign these granular-level permissions to a user via a role. Granular permissions enable tenant administrators to grant appropriate access to users across products and common services.

The following image summarizes the process of assigning permissions:

Role types

Roles can be of the following types. You can assign an appropriate role type to provide permissions for accessing and using the integrated products and common services. 

  • Role: Can be configured to provide permissions to individual users or user groups.
  • Composite role: Can be configured to provide multiple roles to individual users or user groups.
    Composite roles contain other roles. You cannot assign permissions to composite roles directly. Composite roles inherit the permissions of the associated roles.  

In addition, you can enable a role to become a default role to provide access permissions to users synced from an external identity provider (IdP), These users are authenticated to dynamically log in to the system.

Out-of-the-box roles in BMC Helix Portal

  • Administrator - Has all permissions for all the applications.
  • RBACadmin - Has all permissions for user management.

Where to go from here

To create, edit, or delete a role, see Setting up roles and permissions.

To understand user authentication and authorization, see user identities and user access.

Was this page helpful? Yes No Submitting... Thank you


  1. Andreas Petraschke

    If BMC recommends to add users to groups. Why does Helix Portal not ship with groups for all roles?

    Jan 30, 2023 11:43
    1. Bharati Poddar


      Thanks for your feedback! 

      A role is a collection of permissions and you can directly assign roles to users. Depending on each unique requirement, administrators can create user groups and assign roles. The statement in the topic is updated for clarity. Please let us know if you have any more queries.



      Feb 28, 2023 03:52