Managing local users and passwords

As a BMC Helix Single Sign-On administrator, you can create users stored locally on the BMC Helix Single Sign-On server for any realm with Local authentication type. Local users can access applications belonging to their realm. You can also add local groups, and then add users to these groups. Groups represent roles in your organization and can be used to control access to applications for which the single sign-on experience is enabled. For the difference between user, end user, and local user, see Glossary.

Related topics

Configuring Local authentication

Password change mechanisms

Creating and managing local users in the BMC Helix SSO Admin Console

If you have a realm configured for Local authentication on the BMC Helix SSO, then you should perform the following tasks in the BMC Helix SSO Admin Console:

Create local users for a realm.
(Optional) Create groups needed by your organization, and then add users to the appropriate groups.

Before you begin

Configure a realm for Local authentication.

To add a local user

Log in to the BMC Helix SSO Admin Console.
Select Local User > Users.
From the Realm list, select a realm.
Important

To authenticate a user in all realms available on your BMC Helix SSO server, add it to the default _empty_ realm. This is a technical realm, and it is not shown on the Realms page.
Users added to the _empty_ realm can access applications from any realm available on the BMC Helix SSO server.

Click Add User, and complete the following fields:

Field	Description
Login Name	Enter the user's login name that must correspond to the requirements. Note: You cannot modify the login name after it is created.
User Name	Enter the user's full name.
Password	Enter the user's password. Password must be different from login and email, be between 8 and 128 characters, contain uppercase letters, lowercase letters, digits, and special characters. Do not use space as the first or the last character of the password. Spaces are allowed between the first and the last character.
Confirm Password	Reenter the user's password.
Description (Optional)	Provide a description of the user.
Enabled (Optional)	Select this option to enable or disable a user in the BMC application. If you disable a user who is currently logged in to a BMC application, ensure that you invalidate the old sessions or OAuth2 tokens (if any) of the user. For more information, see Invalidating and configuring end user sessions.
Force user to reset password (Optional)	Select this option to force a local user to reset password. For more information, see To force a local user to reset password.

Click Add.

Login name requirements for a local user account

The example of the valid login name - user 123

The login name is case insensitive.
The login name length must be between 1 and 255 characters.
The login name cannot contain any of these characters "+,:;<=>?[]|
The login name cannot contain the designated list of Unicode special characters

Expand to see the list of unsupported characters

Decimal	Hexadecimal	UTF-8 Hex	Name of the character	Unicode description
0	U+0000	00	?	Control character: Null
1	U+0001	01		Control character: Start Of Heading
2	U+0002	02		Control character: Start Of Text
3	U+0003	03		Control character: End Of Text
4	U+0004	04		Control character: End Of Transmission
5	U+0005	05		Control character: Enquiry
6	U+0006	06		Control character: Acknowledge
7	U+0007	07		Control character: Bell
8	U+0008	08		Control character: Backspace
9	U+0009	09		Control character: Character Tabulation
10	U+000A	0A		Control character: Line Feed (lf)
11	U+000B	0B		Control character: Line Tabulation
12	U+000C	0C		Control character: Form Feed (ff)
13	U+000D	0D		Control character: Carriage Return (cr)
14	U+000E	0E		Control character: Shift Out
15	U+000F	0F		Control character: Shift In
16	U+0010	10		Control character: Data Link Escape
17	U+0011	11		Control character: Device Control One
18	U+0012	12		Control character: Device Control Two
19	U+0013	13		Control character: Device Control Three
20	U+0014	14		Control character: Device Control Four
21	U+0015	15		Control character: Negative Acknowledge
22	U+0016	16		Control character: Synchronous Idle
23	U+0017	17		Control character: End Of Transmission Block
24	U+0018	18		Control character: Cancel
25	U+0019	19		Control character: End Of Medium
26	U+001A	1A		Control character: Substitute
27	U+001B	1B		Control character: Escape
28	U+001C	1C		Control character: Information Separator Four
29	U+001D	1D		Control character: Information Separator Three
30	U+001E	1E		Control character: Information Separator Two
31	U+001F	1F		Control character: Information Separator One
127	U+007F	7F		Control character: Delete
128	U+0080	C2 80	€	Control Character or Euro Sign
129	U+0081	C2 81	?	Control character: Unknown
130	U+0082	C2 82	‚	Control character: Break Permitted Here
131	U+0083	C2 83	ƒ	Control character: No Break Here
132	U+0084	C2 84	„	Control character: Unknown
133	U+0085	C2 85	…	Control character: Next Line (nel)
134	U+0086	C2 86	†	Control character: Start Of Selected Area
135	U+0087	C2 87	‡	Control character: End Of Selected Area
136	U+0088	C2 88	ˆ	Control character: Character Tabulation Set
137	U+0089	C2 89	‰	Control character: Character Tabulation With Justification
138	U+008A	C2 8A	Š	Control character: Line Tabulation Set
139	U+008B	C2 8B	‹	Control character: Partial Line Forward
140	U+008C	C2 8C	Œ	Control character: Partial Line Backward
141	U+008D	C2 8D	?	Control character: Reverse Line Feed
142	U+008E	C2 8E	Ž	Control character: Single Shift Two
143	U+008F	C2 8F	?	Control character: Single Shift Three
144	U+0090	C2 90	?	Control character: Device Control String
145	U+0091	C2 91	‘	Control character: Private Use One
146	U+0092	C2 92	’	Control character: Private Use Two
147	U+0093	C2 93	“	Control character: Set Transmit State
148	U+0094	C2 94	”	Control character: Cancel Character
149	U+0095	C2 95	•	Control character: Message Waiting
150	U+0096	C2 96	–	Control character: Start Of Guarded Area
151	U+0097	C2 97	—	Control character: End Of Guarded Area
152	U+0098	C2 98	˜	Control character: Start Of String
153	U+0099	C2 99	™	Control character: Unknown
154	U+009A	C2 9A	š	Control character: Single Character Introducer
155	U+009B	C2 9B	›	Control character: Control Sequence Introducer
156	U+009C	C2 9C	œ	Control character: String Terminator
157	U+009D	C2 9D	?	Control character: Operating System Command
158	U+009E	C2 9E	ž	Control character: Privacy Message
159	U+009F	C2 9F	Ÿ	Control character: Application Program Command
160	U+00A0	C2 A0		No-break Space

The login name cannot contain the designated list of Unicode space characters and zero-width spaces.

Expand to see the list

Code	Name of the character	Sample	Width of the character
U+1680	OGHAM SPACE MARK	foo?bar	Unspecified; usually not really a space but a dash
U+180E	MONGOLIAN VOWEL SEPARATOR	foo?bar	0
U+2007	FIGURE SPACE	foo?bar	“Tabular width”, the width of digits
U+2008	PUNCTUATION SPACE	foo?bar	The width of a period “.”
U+200A	HAIR SPACE	foo?bar	Narrower than THIN SPACE
U+200B	ZERO WIDTH SPACE	foo?bar	0
U+202F	NARROW NO-BREAK SPACE	foo?bar	Narrower than NO-BREAK SPACE (or SPACE), “typically the width of a thin space or a mid space”
U+205F	MEDIUM MATHEMATICAL SPACE	foo?bar	4/18 em
U+FEFF	ZERO WIDTH NO-BREAK SPACE	foobar	0
U+2000	EN QUAD	foo bar	1 en (= 1/2 em)
U+2001	EM QUAD	foo bar	1 em (nominally, the height of the font)
U+2004	THREE-PER-EM SPACE (thick space)	foo bar	1/3 em
U+2005	FOUR-PER-EM SPACE (mid space)	foo bar	1/4 em
U+2006	SIX-PER-EM SPACE	foo bar	1/6 em
U+3000	IDEOGRAPHIC SPACE	foo bar	The width of ideographic (CJK) characters.
U+2002	EN SPACE (nut)	foo bar	1 en (= 1/2 em)
U+2003	EM SPACE (mutton)	foo bar	1 em
U+2009	THIN SPACE	foo bar	1/5 em (or sometimes 1/6 em)

To change a local user's password

Log in to the BMC Helix SSO Admin Console.
Select Local User > Users.
From the Realm list, select a realm.
Locate the user, and in the Action column, click Change Password.
In the New Password field, enter the new password, and the Confirm Password field, enter the password again.
Click Change Password.
All local users' sessions are removed after the password change.

To enable the lockout functionality for local users

Local user account lockout is configurable per tenant. This functionality is not available in the chaining mode.

Log in to the BMC Helix SSO Admin Console.
Select Local User > Configuration.
In Lockout threshold, select the number of unsuccessful login attempts after which the local user's account is locked.
Important

To disable the account lockout functionality, select 0.
For example, if you select 3, the local user will be locked after the third attempt to log in with an incorrect password.
For fresh installation and newly created tenants on the upgraded environment, the default lockout threshold is 5. For upgrade, the default value is 0.
The number of unsuccessful login attempts is calculated within 1 min.
In Lockout interval, select the duration for which the local user account is locked.
The default lockout interval is 30 min.

To unlock a locked local user account

Log in to the BMC Helix SSO Admin Console.
Select Local User > Users.
Click the lock icon.

A locked local user account can also be unlocked in the following ways:

The system unlocks the local user account automatically within 10 min after the lockout interval expires.
Local users unlock themselves when providing correct credentials after the lockout interval expires.

The cross and lock icons are shown when a local user is locked.

The following screenshot shows the local user's login page after the user has provided correct credentials, but the account has been locked:

To force a local user to reset password

For security reasons, the BMC Helix SSO administrator can force users to reset password when they successfully log in to the BMC application integrated with BMC Helix SSO. Users must enter a new password that is not the same as previous. After the user resets the password, the Force user to reset password check box becomes cleared.

Log in to the BMC Helix SSO Admin Console.
Select Local User > Users.
From the Realm list, select a realm.
Locate the user, and in the Action column, click Edit User.
Select the Force user to reset password check box.
You can also select this check box while adding a local user.
Click Save.
(Optional) To force several users to reset password, repeat steps 3-6.

The following screenshot shows the local user's login page after forced password reset:

To search for a local user

Log in to the BMC Helix SSO Admin Console.
Select Local User > Users.
In the Users tab search field, enter the search criteria by using the following format:
text=<searchText/*> AND enabled=<true/false/*>
Click Enter.

The following table describes how to use the search criteria:

Search criteria Description

text=<searchText/*>

Use text= to enter a string to search for the value of one of the following fields:

User Name
Login Name
Description

You can pass a partial search value enclosed in % for text to search for all users having the partial search value in one of the User Name, Login Name, or Description fields.

You can use an asterisk as a wildcard to return all users.

Examples:

text=BMC returns users with the exact value of "BMC" in one of the 3 fields.
text=%BMC% returns users with "BMC" as a partial value, such as "BMCadmin" as User Name.
text=* AND enabled=true returns all enabled users.

enabled=<true/false/*>

Use enabled= to enter a string to search on users' enabled state.

You can use an asterisk as a wildcard to return users in any enabled state.