This documentation supports the 22.3 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

Setting up BMC Helix SSO administrator accounts

As a SaaS administrator, you can create the following types of user accounts, which have access to the BMC Helix Single Sign-On Admin Console:

  • SaaS administrators—Users who have full administrative rights in the SaaS tenant and all customer tenants on the BMC Helix SSO server. 
  • Tenant administrators—Users who have access to the BMC Helix SSO Admin Console of specific tenants and have restricted administrative rights for those tenants.

For more details about permissions of these users, see Roles and permissions.

To create a SaaS administrator account

  1. As a SaaS administrator, log in to the BMC Helix SSO Admin Console.

  2. Click the Admin User tab.
    The list of administrator users is displayed.

  3. Click Add Admin User.

  4. On the Add Admin User page, enter the following details:

  5. Click Save.

The SaaS administrator account is now added, and it is available in List of Admin Users.

To create a tenant administrator account

  1. As a SaaS administrator, log in to the BMC Helix SSO Admin Console.

  2. On the navigation panel, click Tenant.
  3. From the list of tenants, select a tenant for which you would like to create a tenant administrator user account.
  4. Click the pin icon to switch to the BMC Helix SSO Admin Console of the selected tenant.
  5. On the navigation panel, click the Admin User tab.
    The list of administrator users is displayed.

  6. Click Add Admin User.

  7. On the Add Admin User page, enter the following details:

  8. Click Save.

The tenant administrator account is now added, and it is available in List of Admin Users.

Login name requirements for an administrator account

Example of a valid login name: user123

  • The login name is case insensitive.
  • The login name length must be between 1 and 255 characters.
  • The login name cannot contain any of these characters !"#$%&()*+,/:;<=>?[\]^`{|}~
  • The login name cannot contain the designated list of Unicode special characters.

| Decimal | Hexadecimal | UTF-8 Hex | Name of the character | Unicode description |
|---------|-------------|-----------|-----------------------|---------------------|
| 0 | U+0000 | 00 | ? | Control character: Null |
| 1 | U+0001 | 01 | | Control character: Start Of Heading |
| 2 | U+0002 | 02 | | Control character: Start Of Text |
| 3 | U+0003 | 03 | | Control character: End Of Text |
| 4 | U+0004 | 04 | | Control character: End Of Transmission |
| 5 | U+0005 | 05 | | Control character: Enquiry |
| 6 | U+0006 | 06 | | Control character: Acknowledge |
| 7 | U+0007 | 07 | | Control character: Bell |
| 8 | U+0008 | 08 | | Control character: Backspace |
| 9 | U+0009 | 09 | | Control character: Character Tabulation |
| 10 | U+000A | 0A | | Control character: Line Feed (lf) |
| 11 | U+000B | 0B | | Control character: Line Tabulation |
| 12 | U+000C | 0C | | Control character: Form Feed (ff) |
| 13 | U+000D | 0D | | Control character: Carriage Return (cr) |
| 14 | U+000E | 0E | | Control character: Shift Out |
| 15 | U+000F | 0F | | Control character: Shift In |
| 16 | U+0010 | 10 | | Control character: Data Link Escape |
| 17 | U+0011 | 11 | | Control character: Device Control One |
| 18 | U+0012 | 12 | | Control character: Device Control Two |
| 19 | U+0013 | 13 | | Control character: Device Control Three |
| 20 | U+0014 | 14 | | Control character: Device Control Four |
| 21 | U+0015 | 15 | | Control character: Negative Acknowledge |
| 22 | U+0016 | 16 | | Control character: Synchronous Idle |
| 23 | U+0017 | 17 | | Control character: End Of Transmission Block |
| 24 | U+0018 | 18 | | Control character: Cancel |
| 25 | U+0019 | 19 | | Control character: End Of Medium |
| 26 | U+001A | 1A | | Control character: Substitute |
| 27 | U+001B | 1B | | Control character: Escape |
| 28 | U+001C | 1C | | Control character: Information Separator Four |
| 29 | U+001D | 1D | | Control character: Information Separator Three |
| 30 | U+001E | 1E | | Control character: Information Separator Two |
| 31 | U+001F | 1F | | Control character: Information Separator One |
| 32 | U+0020 | 20 | | Space |
| 127 | U+007F | 7F | | Control character: Delete |
| 128 | U+0080 | C2 80 | | Control Character or Euro Sign |
| 129 | U+0081 | C2 81 | ? | Control character: Unknown |
| 130 | U+0082 | C2 82 | | Control character: Break Permitted Here |
| 131 | U+0083 | C2 83 | ƒ | Control character: No Break Here |
| 132 | U+0084 | C2 84 | | Control character: Unknown |
| 133 | U+0085 | C2 85 | | Control character: Next Line (nel) |
| 134 | U+0086 | C2 86 | | Control character: Start Of Selected Area |
| 135 | U+0087 | C2 87 | | Control character: End Of Selected Area |
| 136 | U+0088 | C2 88 | ˆ | Control character: Character Tabulation Set |
| 137 | U+0089 | C2 89 | | Control character: Character Tabulation With Justification |
| 138 | U+008A | C2 8A | Š | Control character: Line Tabulation Set |
| 139 | U+008B | C2 8B | | Control character: Partial Line Forward |
| 140 | U+008C | C2 8C | Œ | Control character: Partial Line Backward |
| 141 | U+008D | C2 8D | ? | Control character: Reverse Line Feed |
| 142 | U+008E | C2 8E | Ž | Control character: Single Shift Two |
| 143 | U+008F | C2 8F | ? | Control character: Single Shift Three |
| 144 | U+0090 | C2 90 | ? | Control character: Device Control String |
| 145 | U+0091 | C2 91 | | Control character: Private Use One |
| 146 | U+0092 | C2 92 | | Control character: Private Use Two |
| 147 | U+0093 | C2 93 | | Control character: Set Transmit State |
| 148 | U+0094 | C2 94 | | Control character: Cancel Character |
| 149 | U+0095 | C2 95 | | Control character: Message Waiting |
| 150 | U+0096 | C2 96 | | Control character: Start Of Guarded Area |
| 151 | U+0097 | C2 97 | | Control character: End Of Guarded Area |
| 152 | U+0098 | C2 98 | ˜ | Control character: Start Of String |
| 153 | U+0099 | C2 99 | | Control character: Unknown |
| 154 | U+009A | C2 9A | š | Control character: Single Character Introducer |
| 155 | U+009B | C2 9B | | Control character: Control Sequence Introducer |
| 156 | U+009C | C2 9C | œ | Control character: String Terminator |
| 157 | U+009D | C2 9D | ? | Control character: Operating System Command |
| 158 | U+009E | C2 9E | ž | Control character: Privacy Message |
| 159 | U+009F | C2 9F | Ÿ | Control character: Application Program Command |
| 160 | U+00A0 | C2 A0 | | No-break Space |

  • The login name cannot contain the designated list of Unicode space characters and zero-width spaces.

| Code | Name of the character | Sample | Width of the character |
|------|-----------------------|--------|------------------------|
| U+1680 | OGHAM SPACE MARK | foo?bar | Unspecified; usually not really a space but a dash |
| U+180E | MONGOLIAN VOWEL SEPARATOR | foo?bar | 0 |
| U+2000 | EN QUAD | foo bar | 1 en (= 1/2 em) |
| U+2001 | EM QUAD | foo bar | 1 em (nominally, the height of the font) |
| U+2002 | EN SPACE (nut) | foobar | 1 en (= 1/2 em) |
| U+2003 | EM SPACE (mutton) | foobar | 1 em |
| U+2004 | THREE-PER-EM SPACE (thick space) | foo bar | 1/3 em |
| U+2005 | FOUR-PER-EM SPACE (mid space) | foo bar | 1/4 em |
| U+2006 | SIX-PER-EM SPACE | foo bar | 1/6 em |
| U+2007 | FIGURE SPACE | foo?bar | “Tabular width”, the width of digits |
| U+2008 | PUNCTUATION SPACE | foo?bar | The width of a period “.” |
| U+2009 | THIN SPACE | foobar | 1/5 em (or sometimes 1/6 em) |
| U+200A | HAIR SPACE | foo?bar | Narrower than THIN SPACE |
| U+200B | ZERO WIDTH SPACE | foo?bar | 0 |
| U+202F | NARROW NO-BREAK SPACE | foo?bar | Narrower than NO-BREAK SPACE (or SPACE), “typically the width of a thin space or a mid space” |
| U+205F | MEDIUM MATHEMATICAL SPACE | foo?bar | 4/18 em |
| U+3000 | IDEOGRAPHIC SPACE | foo bar | The width of ideographic (CJK) characters. |
| U+FEFF | ZERO WIDTH NO-BREAK SPACE | foobar | 0 |

Password requirements for an administrator account 

Example of a valid password: Ab1%Cd2#

  • The password length must be between 8 and 128 characters.
  • You can use only ASCII printable characters, and the password must contain characters from each of the following four categories:
    - uppercase letters
    - lowercase letters
    - numeric characters
    - special characters, except for a space character
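
The login name and password rules above can be checked before an account request reaches the Admin Console, which also catches invisible characters (for example U+200B) that would make two administrator names look identical in a list. The following pre-check is an added example, not BMC code: the function names are hypothetical, "printable ASCII" is taken as U+0020 to U+007E, a space is accepted in a password but not counted as a special character, and case-insensitive comparison is modelled with `casefold()`.

```python
import string

# Characters the page lists as forbidden in a login name.
FORBIDDEN_PUNCT = set('!"#$%&()*+,/:;<=>?[\\]^`{|}~')
# Code points 0-32 and 127-160 from the page's special-character table.
FORBIDDEN_CONTROL = set(range(0x00, 0x21)) | set(range(0x7F, 0xA1))
# Space and zero-width characters from the page's second table.
FORBIDDEN_SPACES = {0x1680, 0x180E, *range(0x2000, 0x200C), 0x202F,
                    0x205F, 0x3000, 0xFEFF}


def check_login_name(name):
    """Return a list of rule violations; an empty list means the name passes."""
    problems = []
    if not 1 <= len(name) <= 255:
        problems.append("length must be between 1 and 255 characters")
    for ch in name:
        cp = ord(ch)
        if ch in FORBIDDEN_PUNCT:
            problems.append(f"forbidden character {ch!r}")
        elif cp in FORBIDDEN_CONTROL or cp in FORBIDDEN_SPACES:
            problems.append(f"forbidden code point U+{cp:04X}")
    return problems


def check_password(password):
    """Return a list of rule violations for an administrator password."""
    problems = []
    if not 8 <= len(password) <= 128:
        problems.append("length must be between 8 and 128 characters")
    # Assumption: printable ASCII means U+0020..U+007E.
    if any(not 0x20 <= ord(c) <= 0x7E for c in password):
        problems.append("only ASCII printable characters are allowed")
    classes = {
        "uppercase letter": any(c in string.ascii_uppercase for c in password),
        "lowercase letter": any(c in string.ascii_lowercase for c in password),
        "numeric character": any(c in string.digits for c in password),
        # string.punctuation excludes the space character.
        "special character": any(c in string.punctuation for c in password),
    }
    problems += [f"missing {k}" for k, ok in classes.items() if not ok]
    return problems


def same_account(a, b):
    """Login names are case insensitive; casefold() is an assumed model of that."""
    return a.casefold() == b.casefold()
```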

User management tasks

Under the Action column on the Admin User tab, you can manage the administrator user accounts by performing the following tasks:

  • Lock or Unlock Admin User

    If a user account has violated any policies, you can temporarily disable this user by locking the account. When you lock an administrator account, the current session of the administrator user does not get invalidated. You must manually invalidate the current session of this user. For information about how to invalidate a user session, see Invalidating and configuring end user sessions.

    If an administrator exceeds the number of login attempts by trying to log in using an incorrect password, the administrator account is locked automatically if you have configured the automatic lockout feature. You can unlock an administrator user at any time.

    Note: You cannot lock an administrator account under which you are currently logged in. To lock the account, you must log in to the BMC Helix SSO Admin Console as another administrator user.

  • Edit Admin User

    You can change the password of an administrator. The password complexity is the same as for creating a new administrator.

    Note: You cannot modify the login name after it is created.

  • Delete Admin User

    You can delete an administrator account.

    When you delete an administrator user account, the old sessions of the administrator user account do not get invalidated. You have to manually invalidate the old sessions of that administrator user.

    Note: You cannot remove an account under which you are currently logged in. To remove the currently logged in user account, log in to the BMC Helix SSO Admin Console as another administrator user, and delete the required account.

To configure BMC Helix SSO to lock an administrator account automatically

You can configure BMC Helix SSO to automatically lock an administrator account in case of a brute-force attack. By default, this feature is enabled.

  1. Log in to the BMC Helix SSO Admin Console.

  2. Click the General tab.

  3. Select Basic > Session Settings.

  4. In the Admin Lockout Threshold field, select a value to set the maximum number of unsuccessful login attempts allowed by BMC Helix SSO within one minute.

    If the number of login attempts exceeds the number of attempts that you have set, the administrator account will be locked automatically.

    Important

    • The default value is 0. The lockout feature is disabled when this value is set to 0.
    • The lockout feature applies to internal administrators only.
  5. Click Save.
