You can control access to BMC Helix Portal integrated products and common services by managing user identities and user access.
User identity types
Based on the type of access, users in BMC Helix Portal can be local or external.
The following image describes the types of user access:
The following table provides information about the different types of user access:

| Type of access | When is it useful? | More information |
|---|---|---|
| Local access for users in BMC Helix Portal | You want to create and manage users in BMC Helix Portal via the console or the API. | Local user access |
| External access for users managed by a supported identity provider (IdP) | You already manage users in your identity and authorization system that is supported by Helix Single Sign-On (for example, Okta and Active Directory) and these users need access to the BMC Helix Portal integrated products and common services. Note: External IdP user access is only supported for licensed users. | External IdP user access |
| Cross-product access for users synced from BMC Helix ITSM | You want to sync users and associated user groups from BMC Helix ITSM into BMC Helix Portal so that the synced users can authenticate into BMC Helix Portal without the need for separate credentials and can use the required integrated products and common services. This type of access is considered to be external because BMC Helix Portal shares access with users created and managed externally in BMC Helix ITSM. | Cross-product user access |
Local user access
You can create and manage users locally on BMC Helix Portal. Helix Single Sign-On is used for authenticating users into BMC Helix Portal.
Users can be of two types:
- Users that require console access
- API users that require programmatic access
For more information, see User access.
Local users can perform the following operations if they have appropriate permissions:
- Create, view, and delete other local users, and update their own details.
- Create, view, and delete external IdP users.
- View synced users.
External IdP user access
Helix Single Sign-On is used as an authentication mechanism for BMC Helix Portal. If you already manage user identities by using an external identity provider (IdP), you can import such users and groups into BMC Helix Portal. Helix Single Sign-On supports IdPs that are compatible with various authentication mechanisms. For more information, see Configuring authentication.
External IdP users can authenticate into BMC Helix Portal by using their existing credentials. Thus, you can manage users and groups outside of BMC Helix Portal and give these users and groups permissions to use the BMC Helix Portal integrated products and common services.
To enable IdP users to access BMC Helix Portal, you need to establish a trust relationship between Helix Single Sign-On and your IdP. For this, you need to request the BMC SaaS Operations team to configure your IdP. For more information, contact BMC Support.
Based on the volume of users and groups to sync, you can use one of the following approaches for the import and sync:
- Large volume: (Recommended) Sync users and groups by running the LDAP sync agent.
- Small volume: Import and sync users and groups at logon time.
The imported or synced users and groups are created with the type External. After the import, these users need to be provided appropriate permissions by assigning them to the appropriate roles. However, we recommend that you assign the users to groups and then assign the groups to roles. Then, the users will inherit the permissions from the roles.
After you move from local to external IdP authentication, all the local users (including the tenant administrator) cannot access the BMC Helix Portal console.
Therefore, before importing, as a tenant administrator, do one of the following actions based on whether you possess the login credentials of an IdP admin user:
- Create an external user with the same login ID as the IdP admin user. Then, associate the external user(s) with a role that has all permissions, or at a minimum all permissions to the Identity Management Service application or service. After the import, the IdP admin user can log on to BMC Helix Portal and associate the imported users with the relevant roles containing appropriate permissions.
- Create a default role and assign appropriate permissions to the role. At a minimum, assign all permissions to the Identity Management Service application or service.
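The lockout described above (local users, including the tenant administrator, lose console access once authentication moves to the IdP) is easy to guard against with a pre-cutover check. The following is an added example, not code from BMC Helix Portal or its API: it models users and roles as plain dataclasses (the `Identity Management Service:*` wildcard is an assumed representation of "all permissions to the Identity Management Service") and verifies that at least one of the two safeguards the page lists is in place before the switch.

```python
from dataclasses import dataclass, field

IDM_SERVICE = "Identity Management Service"  # permissions that must survive the cutover


@dataclass
class Role:
    name: str
    permissions: set[str]        # assumed form: "<service>:<permission>" or "*" for everything
    is_default: bool = False     # a default role is granted to every imported IdP user


@dataclass
class User:
    login_id: str
    user_type: str               # "Local" or "External" (page terminology)
    roles: set[str] = field(default_factory=set)


def grants_full_idm(role: Role) -> bool:
    """True if the role carries all permissions, or all Identity Management Service permissions."""
    return "*" in role.permissions or f"{IDM_SERVICE}:*" in role.permissions


def preflight_idp_cutover(users, roles, idp_admin_login=None):
    """Return (ok, findings).

    ok is True when at least one safeguard holds:
      1. an External user whose login ID matches the IdP admin has a role with full IdM permissions, or
      2. a default role with full IdM permissions exists.
    findings lists what is missing, so an administrator can fix it before switching authentication.
    """
    by_name = {r.name: r for r in roles}
    findings = []
    admin_ok = False
    if idp_admin_login:
        matches = [u for u in users if u.user_type == "External" and u.login_id == idp_admin_login]
        if not matches:
            findings.append(f"no External user with login ID {idp_admin_login!r}")
        else:
            admin_ok = any(grants_full_idm(by_name[r]) for u in matches for r in u.roles if r in by_name)
            if not admin_ok:
                findings.append(f"External user {idp_admin_login!r} has no role with full IdM permissions")
    default_ok = any(r.is_default and grants_full_idm(r) for r in roles)
    if not default_ok:
        findings.append("no default role granting full Identity Management Service permissions")
    return admin_ok or default_ok, findings
```

Run the check against the tenant's current users and roles; an empty `findings` list with `ok == True` means the IdP admin will still be able to manage roles after local logons stop working.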
Some integrated products might require an additional step for providing permissions to users. For example, BMC Helix Operations Management requires you to assign user groups to authorization profiles in BMC Helix Operations Management.
External IdP users can perform the following operations if they have appropriate permissions:
- View and delete local users.
- Create, view, and delete other external IdP users, and update their own details.
- View other synced users.
Cross-product user access
BMC Helix Portal can share access with BMC Helix ITSM users so that the BMC Helix ITSM users can use their existing credentials to authenticate into BMC Helix Portal. To share access, the BMC SaaS Operations team needs to perform some configurations and sync the BMC Helix ITSM users into BMC Helix Portal. All the licensed users (fixed, floating, and bundled users) and the relevant logical user groups are synced. For more information, contact BMC Support.
After the configuration:
- The synced users are displayed on the User access > Users page.
- The synced user groups associated with these users are displayed on the User access > User groups page.
- The user groups are automatically mapped with the correct roles containing appropriate permissions in BMC Helix Portal.
- If a read-only user (license type Read or Restricted Read) logs on to BMC Helix Portal:
  - The read-only user is dynamically synced and displayed on the User access > Users page.
  - The user profile information, logical groups, and permissions associated with the user are inherited and imported into BMC Helix Portal, and the groups and permissions are mapped to the read-only user.
Synced users cannot be created, updated, or deleted from the BMC Helix Portal console.
Attributes of external users, such as the login ID, cannot be modified in BMC Helix Portal. Any changes to external user details must be made in BMC Helix ITSM; they are then automatically synced to BMC Helix Portal.
For example, if the same login ID exists in both BMC Helix ITSM and BMC Helix Portal, rename the login ID in BMC Helix ITSM before syncing the users.
Synced users can perform the following operations if they have appropriate permissions:
- View and delete other local users.
- Create, view, and delete other external IdP users.
- View other synced users.