BMC Helix ITSM Administrator Permissions policy
This topic describes the access permissions available to BMC Helix ITSM service subscribers for supported administration levels in their environments.
Summary of administration levels
The following list describes the administration levels that the BMC Helix ITSM solution supports:
- Application Data Administration — Provided through the application user interfaces, an administrator can assign user permissions to users who perform application data administration. An example of application data administration is setting up support groups or extending BMC Atrium CMDB to add a new CI class.
- Platform Administration — Typically implemented through user interfaces or implemented through mechanisms such as configuration files, platform configurations are used to tune and manage the overall service. Examples of platform level configuration are configuring list and fast threads in the Remedy AR System platform, and modifying the ar.cfg file.
- System Administration — This involves management of the supporting software, hardware, and infrastructure that provides the service. Examples of system administration are tuning the operating system, changing hardware parameters, and allocating indexing on databases.
Customer environments and administration access
Customers can have different access levels based on the environments they are working in. Customers will have multiple environments, namely, production, quality assurance, development, and, in some cases, additional environments. Typically, access to the production and QA environments is tightly controlled to ensure the integrity of the service. Customers have more latitude in the development environments to facilitate staging changes to their services.
Administration access policy for customers
This section describes the administration access policy for customers while considering administration levels and customer environments. The following topics are addressed:
- Application data administration
- Platform administration
- System administration
For the purpose of the following discussion, an additional environment is treated the same as a development environment.
Application data administration
Customers have full access to configure applications by using the provided application user interfaces in any environment. For example, a customer can choose to create a user or an incident template without being granted any additional permissions other than what is required for a given admin configuration in BMC Helix ITSM. For more information about permissions in BMC Helix ITSM, see .
In some cases, a customer might choose to implement a data configuration in the development environment and leverage the change control process to promote across environments instead of editing directly in the production environment. For example, a complex Service Request Definition (SRD) could be created and tested in development to ensure complete and thorough implementation in a non-production environment.
Customers are not provided with access to platform administration functions in any environment other than development. As an alternative, review the Direct access alternatives section below.
Customers are not provided with access to system administration functions in any environment, unless documented otherwise.
Direct access alternatives
This section describes common use cases that may require local access to systems. BMC has standardized on cloud-hosted solutions that no longer permit direct or local access. BMC is providing guidance on how to accomplish the use case without direct system-level access.
|Use case summary
|Service restarts in non-production environments
This request is used for restarting an AR of Mid Tier service to implement a configuration change to the application environment.
If your systems have been migrated to the new BMC Helix platform that uses containerization, this option is not available or necessary.
You may Create New Case in the portal to have BMC SaaS Operations execute a service restart as needed.
Enable or disable the email engine in the development environment
|This request is often made for updating settings to the email engine. No restart is required for this use case, and no access to the local system is required.
For development environments, you have administrator permissions. To update email settings, have your administrator navigate to AR System Administration > AR System Administration Console > System > Email > Email Server Configuration. Make the appropriate changes as needed. Changes are applied and saved immediately.
See instructions via a video at Centralized Configuration for Email Engine.
|Mid Tier Cache refresh in the production and/or non-production environment
|This option is for clearing objects that have changed on the server after the last cache clear event.
For production environments, you may Create New Case, under Case Management in the portal to have BMC SaaS Operations execute a Mid Tier cache flush as needed.
For non-production environments, please see instructions from this BMC Community Knowledge Article (including a step-by-step video): AR System Mid Tier - How to flush the AR System Mid Tier Cache
Temporary administrator access
On a case-by-case basic, BMC may grant temporary administrator access to one of your users in a QA or production environment. Access is usually granted only for onboarding project work. To request temporary access, Create New Case in . You must provide the following information in your request:
- Login ID of who needs the access
- Use case for needing administrator permissions
- Environment in which administrator access is needed
- Time period where administrator access is needed
In order to prevent inadvertent changes made to your QA or production environment, BMC reserves the right to deny such access request. Some changes can have a significant impact on system performance and stability and as a general rule of thumb, this level of access is not required or granted. In the event temporary administrator access is approved, it will be granted for no more than 72 hours.
Users may not use temporary admin access to assign the Administrator permission. The Administrator permission is by default not allowed in any environment other than development. Users should make all customizations in the development environment, and then promote them forward using the BMC Helix Change Management process or the BMC Helix IT Service Management Deployment Application utility. Customers are encouraged to use self-service to deploy applications on their own, and requesting this temporary admin access is required for the promotion of changes from development to QA or QA to production.
BMC quality of service commitment
The access policy is defined to ensure that BMC can deliver the best service possible. The production environment has the greatest impact on the customer’s consumers: users and end users. This policy will help BMC and consumers of the service to experience the following:
- Higher quality of service (QoS)
BMC is responsible for the delivery of the service per our contractual commitments. As such, customers are prevented from modifying the system in any way that could cause instability and unreliability.
- Greater consistency
A common approach to the access policy for customers helps to simplify and optimize operations, leading to proactive and detailed customer communication.
Following common industry practices, BMC ensures that changes are introduced to the production services by using a well-defined and controlled request for change process that progresses through various stages (environments) to ensure quality of service.