Managing local users and passwords
As a BMC Helix Single Sign-On administrator, you can create users stored locally on the BMC Helix Single Sign-On server for any realm with Local authentication type. Local users can access applications belonging to their realm. You can also add local groups, and then add users to these groups. Groups represent roles in your organization and can be used to control access to applications for which the single sign-on experience is enabled. For the difference between user, end user, and local user, see Glossary.
Creating and managing local users in the BMC Helix SSO Admin Console
If you have a realm configured for Local authentication in BMC Helix SSO, perform the following tasks in the BMC Helix SSO Admin Console:
- Create local users for a realm.
- (Optional) Create groups needed by your organization, and then add users to the appropriate groups.
Before you begin
Configure a realm for Local authentication.
To add a local user
- Log in to the BMC Helix SSO Admin Console.
- Select Local User > Users.
- From the Realm list, select a realm.
Important
To authenticate a user in all realms available on your BMC Helix SSO server, add the user to the default _empty_ realm. This is a technical realm, and it is not shown on the Realms page.
Users added to the _empty_ realm can access applications from any realm available on the BMC Helix SSO server.
- Click Add User, and complete the following fields:
Field | Description |
---|---|
Login Name | Enter the user's login name, which must meet the login name requirements. Note: You cannot modify the login name after it is created. |
User Name | Enter the user's full name. |
Password | Enter the user's password. The password must be different from the login name and email, be between 8 and 128 characters long, and contain uppercase letters, lowercase letters, digits, and special characters. Do not use a space as the first or the last character of the password. Spaces are allowed between the first and the last character. |
Confirm Password | Reenter the user's password. |
Description | (Optional) Provide a description of the user. |
Enabled | (Optional) Select this option to enable or disable a user in the BMC application. If you disable a user who is currently logged in to a BMC application, ensure that you invalidate the old sessions or OAuth2 tokens (if any) of the user. For more information, see Invalidating and configuring end user sessions. |
Force user to reset password | (Optional) Select this option to force a local user to reset the password. For more information, see To force a local user to reset password. |
- Click Add.
Login name requirements for a local user account
Example of a valid login name: user 123
- The login name is case insensitive.
- The login name length must be between 1 and 255 characters.
- The login name cannot contain any of these characters: "+,:;<=>?[]|
- The login name cannot contain the designated list of Unicode special characters.
- The login name cannot contain the designated list of Unicode space characters and zero-width spaces.
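The password rules in the Add User fields and the login name requirements above can be checked before accounts are created in the console, for example when preparing a batch of users. The following is an added example, not BMC code: the function names are hypothetical, the Unicode check approximates the designated lists that this page does not reproduce, and treating every non-alphanumeric, non-space character as special is an assumption.

```python
import unicodedata

# Characters the page lists as forbidden in login names.
FORBIDDEN_LOGIN_CHARS = set('"+,:;<=>?[]|')

def login_name_problems(login):
    """Return the rule violations for a proposed login name (empty list = OK)."""
    problems = []
    if not 1 <= len(login) <= 255:
        problems.append("length must be between 1 and 255 characters")
    bad = sorted(set(login) & FORBIDDEN_LOGIN_CHARS)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    # Assumption: the designated Unicode lists are not on this page, so flag
    # non-ASCII space separators (Zs) and format characters (Cf, which
    # includes zero-width spaces) as an approximation.
    if any(ord(c) > 127 and unicodedata.category(c) in ("Zs", "Cf") for c in login):
        problems.append("Unicode space or zero-width character")
    return problems

def case_collisions(logins):
    """Group names that differ only by case (login names are case insensitive)."""
    seen = {}
    for name in logins:
        seen.setdefault(name.casefold(), []).append(name)
    return [names for names in seen.values() if len(names) > 1]

def password_problems(password, login, email=""):
    """Return the rule violations for a proposed password (empty list = OK)."""
    problems = []
    if not 8 <= len(password) <= 128:
        problems.append("length must be between 8 and 128 characters")
    # Assumption: compare case-insensitively, the stricter reading of the rule.
    others = {v.casefold() for v in (login, email) if v}
    if password.casefold() in others:
        problems.append("must differ from login name and email")
    classes = {
        "an uppercase letter": str.isupper,
        "a lowercase letter": str.islower,
        "a digit": str.isdigit,
        "a special character": lambda c: not c.isalnum() and not c.isspace(),
    }
    for label, test in classes.items():
        if not any(test(c) for c in password):
            problems.append("must contain " + label)
    if password != password.strip(" "):
        problems.append("must not start or end with a space")
    return problems
```

The server remains the authority on what is accepted; a name or password that passes here can still be rejected if it falls in one of the designated Unicode lists.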
To change a local user's password
- Log in to the BMC Helix SSO Admin Console.
- Select Local User > Users.
- From the Realm list, select a realm.
- Locate the user, and in the Action column, click Change Password.
- In the New Password field, enter the new password, and in the Confirm Password field, enter the password again.
- Click Change Password.
All local users' sessions are removed after the password change.
To enable the lockout functionality for local users
Local user account lockout is configurable per tenant. This functionality is not available in the chaining mode.
- Log in to the BMC Helix SSO Admin Console.
- Select Local User > Configuration.
- In Lockout threshold, select the number of unsuccessful login attempts after which the local user's account is locked.
Important
To disable the account lockout functionality, select 0.
For example, if you select 3, the local user will be locked after the third attempt to log in with an incorrect password.
For fresh installation and newly created tenants on the upgraded environment, the default lockout threshold is 5. For upgrade, the default value is 0.
The number of unsuccessful login attempts is calculated within 1 min.
- In Lockout interval, select the duration for which the local user account is locked.
The default lockout interval is 30 min.
To unlock a locked local user account
- Log in to the BMC Helix SSO Admin Console.
- Select Local User > Users.
- Click the lock icon.
A locked local user account can also be unlocked in the following ways:
- The system unlocks the local user account automatically within 10 min after the lockout interval expires.
- Local users unlock themselves when providing correct credentials after the lockout interval expires.
The cross and lock icons are shown when a local user is locked.
The following screenshot shows the local user's login page after the user has provided correct credentials, but the account has been locked:
To force a local user to reset password
For security reasons, the BMC Helix SSO administrator can force users to reset their password when they successfully log in to the BMC application integrated with BMC Helix SSO. Users must enter a new password that is not the same as the previous one. After the user resets the password, the Force user to reset password check box is cleared.
- Log in to the BMC Helix SSO Admin Console.
- Select Local User > Users.
- From the Realm list, select a realm.
- Locate the user, and in the Action column, click Edit User.
- Select the Force user to reset password check box.
You can also select this check box while adding a local user.
- Click Save.
- (Optional) To force several users to reset their passwords, repeat steps 3-6.
The following screenshot shows the local user's login page after forced password reset:
To search for a local user
- Log in to the BMC Helix SSO Admin Console.
- Select Local User > Users.
- In the Users tab search field, enter the search criteria by using the following format:
text=<searchText/*> AND enabled=<true/false/*>
- Press Enter.
The following table describes how to use the search criteria:
Search criteria | Description |
---|---|
text= | Use
You can pass a partial search value enclosed in You can use an asterisk as a wildcard to return all users. Examples:
|
enabled=<true/false/*> | Use You can use an asterisk as a wildcard to return users in any enabled state. Examples:
|
To add a group to a realm
- Log in to the BMC Helix SSO Admin Console.
- Select Local User > Groups.
- From the Realm list, select a realm.
- Click Add Group, and complete the following fields:
Field | Description |
---|---|
Group Name | Enter the group name. You cannot modify the group name after it is created. |
Description | Enter a description for the group name. |
- In the Action column, click Save.
To add or remove local users from a group
- Log in to the BMC Helix SSO Admin Console.
- Select Local User > Groups.
- From the Realm list, select a realm.
- Locate the group and, in the Action column, click Assign/Remove User(s).
- Use the appropriate procedure to assign or remove users to or from the group.
- To assign users to a group
- In the Available users column, select one or more users and click Assign to move the users to the Assigned users column.
- To assign all users in the list, in the Available users column, select the top check box and click Assign to move the users to the Assigned users column.
- Search for users in the Search field of the Available users column, select them, and click Assign to move them to the Assigned users column.
- To remove users from a group
- In the Assigned users column, select one or more users and click Remove to move the users to the Available users column.
- To remove all users in the list, select the top check box in the Assigned users column, and click Remove to move the users to the Available users column.
- Search for users in the Search field of the Assigned users column, select them, and click Remove to move them to the Available users column.
- Click Done.