This documentation supports the 23.3 version of BMC Helix ITSM.

To view an earlier version, select the version from the Product version menu.

Access control for ticket data

BMC Helix ITSM provides a rich set of features that protect your data from unauthorized access. Keeping the information secure can be a major task in the client or server environments. You want to rigorously control who can access the data, yet you do not want the security process to be so complex that it intrudes on your user community or is difficult for you to implement or maintain. BMC Helix ITSM enables you to meet these seemingly opposing security goals.

 Data access control

ConceptDescriptionReference topic

A user is an individual to whom you give permission to access the AR System and BMC Helix ITSM applications. Users can be members of multiple groups or no group at all. Users in BMC Helix ITSM range from an administrator who maintains the entire system, to employees who submit requests or view data. You can manage users inAR System by using the User form and in BMC Helix ITSM by using the CTM:People form.

User and group access overview Open link in the AR System documentation

Roles and permissions


You can assign users to groups according to their need to access information.

For example, you might create a group called Help Desk whose members are permitted to view and change only certain fields on a Help Desk form. You might have another group called IT Data Access whose members are permitted to view and change all the fields on the Help Desk form.

User and group access overview Open link

in the AR System documentation

Form level permissionsYou can configure group access to forms so that a particular form is visible to users in specific groups. For any form, an administrator can determine which groups need to have access to requests. The administrator can grant access based on which requests are relevant to a group.

Access control overview Open link

in the AR System documentation

Field level permissions

Every field on a form has access control. You can set field level permissions when you define the field properties in Developer Studio. Each field can have a list of groups that can access the field and the data entered into it.

Access control overview Open link in the AR System documentation

User permissions

You can assign user permissions to control how people access and interact with BMC Helix ITSM. You must assign user permissions on the People form. There are different aspects to the user permissions, which together make up the permission model, which consists of Permission groups and Support groups.

Roles and permissions

For BMC Helix ITSM applications, access permissions are based on roles. Like groups, roles have permissions to access forms, fields, ticket data, and so on. However, unlike groups, roles are defined for an application and are then associated with groups on the server where the application is deployed.

You can assign users to groups, and then associate the groups with roles.

Mapping roles to permission groups
Permission groups

Permission groups are used to grant access to users for applications, modules, and sub-components in BMC Helix ITSM.

Permission groups and application access
Support groups

Support groups play an important role in the BMC Helix ITSM permission model by controlling access to data. A user can modify only those records that are assigned to the support groups that the user is a member of.

For example, if a user is assigned the role of a service desk analyst and is a member of the Hardware support group, then the user can modify only incident requests that are assigned to the Hardware support group. The user can view other incident requests, but cannot modify them.

  • Creating support groups Open link
  • Configuring support groups Open link
  • Updating people information
Row-level security

Each ticket or a record is referred to as a row in BMC Helix ITSM. The ticket data access is granted to individuals (for example, submitter, on behalf of, and assignee) and support groups that are associated with a ticket. The Row-level security feature restricts the ticket data access to only those users who require it. 

Access control with implicit groups: Row-level security
Hierarchical groups

You can configure a hierarchical relationship between groups to allow the parent group to inherit the permissions of the child group.

Inheriting permissions by using hierarchical groups

For BMC Helix ITSM

Functional roles

Functional roles provide extended access to an application, module, and sub-component functions.

For example, the support staff that are assigned the Broadcast Submitter functional role can create and modify broadcast messages.

Functional roles and extended application access

In a multitenant environment, the ticket data is accessible to users based on the following options:

  • UnrestrictedUsers with the BMC Helix ITSM Unrestricted Access role have access to all ticket data.

  • Row-levelIn the Applications Permissions Model setting, you can choose to provide the ticket data access at the support group level or support group and company level.

Data access in a multitenant environment

People form

Since the people information is stored on the CTM:People form, you must configure people records by opening the CTM:People form from the Application Administration Console.

The information that you add or modify in the People form is automatically updated in the AR System User form, but the information updated in the User form is not updated in the People form.

Updating people information

Visibility groups

(Knowledge Management)

BMC Helix ITSM: Knowledge Management uses visibility groups to restrict access to knowledge base content. You can specify the audience for your article by assigning one or more visibility groups to the article.

You can create visibility groups for a specific company or for the Global company. A knowledge article is visible to users according to this configuration.

How knowledge articles are found Open link

in theKnowledge Management documentation

For ITSM Insights and BMC Helix Portal

Sync BMC Helix ITSM users with BMC Helix Portal

For the users to use their existing credentials to authenticate in to BMC Helix Portal, the BMC SaaS Operations team needs to perform some configurations to sync the BMC Helix ITSM users into BMC Helix Portal. For more information, contact BMC Customer Support.

User identities in BMC Helix Portal Open link

Types of data in BMC Helix ITSM

  • Configuration data refers to the objects that the user has access to. Configuration data access is set at the company level. This can be managed through two configurations, which are Profiles (User roles) and Permission sets (Groups).
  • Transactional data refers to the permissions at the ticket or record level in BMC Helix ITSM. Each ticket is treated as a row. Access to this data is determined by various aspects of data access model such as permission groups, Row-level security, and hierarchical groups.

Salient features of BMC Helix ITSM data access model

The following table lists the details of the data access model:

Feature / capability


Separating permissions for configuration and transactional (ticket) data access 

Configuration data is managed at the company level. However, the ticket data access is managed based on individuals (for example, submitter, on behalf of, and assignee) and the support groups associated with a ticket. This restricts access to only those users who are directly connected to a ticket or to a support group associated with a ticket. The users who are not connected to a ticket cannot access it.

For more information, see Access control with implicit groups: Row-level security.

Hierarchical group support

By using the hierarchical group support feature, a parent group can access its own ticket data and the ticket data of its child groups. It enables you to simplify the configuration and maintenance of controlling the data access.

You can configure the hierarchy of groups across companies or within the support groups of a company. For more information, see hierarchical groups.

Assignment menus are tied to the company fields in addition to permissions

Assignment menus display support groups relevant to the location and contact companies mentioned on a ticket.

The ability to configure the support groups associated with a company enables secured manual assignment of support groups while creating or modifying a ticket.

For more information, see Setting up assignment routing to support groups Open link .

To implement row-level access in BMC Helix ITSM applications

Every form defined in AR System contains a set of core fields. The Request ID core field has a unique field ID of 1. AR System uses the permissions defined in the Request ID (Field ID 1) field to determine who should have access to a ticket.

The following permissions are defined on most BMC Helix ITSM forms. Individuals or groups defined under these permissions can access a ticket. For more information, see Access control with implicit groups: Row-level security and Inheriting permissions by using hierarchical groups.

An example of Row-level security

Calbro Services has a number of support groups for various services and functions. In order to provide access to ticket types that are relevant to each of these groups, as an administrator, you can use the Row-level security feature of BMC Helix ITSM as explained in this example.

Users and their profiles that are used in the example:

  • Business usersBritney, Harry, Peter, and Ann
  • Service Desk agentsFrancie, Allen, and Ronald
  • Associated support groupsIT Operations, IT Data Access, IT Support, Backoffice Support, and Help Desk
Service Desk agentSupport group
FrancieHelp Desk

Help Desk

Backoffice support

RonaldIT Data Access (parent of Help Desk and Backoffice Support)
JulieIT Operations (parent of IT Data Access)

Depending on the Row-level security, the following users can access the records that they are associated with:

Request IDCustomerContactAssigned support groupParent of support groupOwner groupParent of Owner groupWho all can access this record


BritneyIanHelp DeskIT Data AccessIT SupportIT Operations
  • Britney
  • Ian
  • Francie
  • Allen
  • Ronald
  • Julie
INC000000000185HarryJohnBackoffice SupportIT Data AccessIT SupportIT Operations
  • Harry
  • John
  • Allen
  • Ronald
  • Julie
INC000000000187PeterJamesHelp DeskIT Data AccessIT SupportIT Operations
  • Peter
  • James
  • Francie
  • Allen
  • Ronald
  • Julie
INC000000000204BritneyIanIT Data AccessIT OperationsIT SupportIT Operations
  • Britney
  • Ian
  • Ronald
  • Julie
Was this page helpful? Yes No Submitting... Thank you