Roles and permissions for BMC Helix Portal


BMC Helix Automation Console leverages BMC Helix Portal to provide single sign-on authentication for users.

As an administrator, you can configure role-based access control (RBAC) to delegate access permissions to users and groups of users in BMC Helix Portal. However, you cannot create new permissions.

To view the out-of-the-box roles inherited from the integrated products in BMC Helix Portal, see Roles and permissions.

As a tenant administrator in BMC Helix Portal, you can set up additional roles and assign appropriate permissions to them. For more information on creating, editing, and deleting roles in BMC Helix Portal, see Setting up roles and permissions.

 

Consult the following table to understand the available access permissions for different functions and roles, and the capabilities assigned to each role.

User flows | Minimum permissions required | Allowed actions

To integrate with BMC Helix Intelligent Automation for vulnerability remediation

Non-admin users need the specified minimum permissions to create and execute vulnerability remediation operations.

Automation Console

  • Manage security group
  • View security group
  • Manage SLA
  • View SLA
  • Manage vulnerability scan
  • Close vulnerability
  • Perform vulnerability operations
  • View vulnerability
  • View vulnerability exceptions
  • Manage vulnerability exceptions
  • View security groups
  • Add new security group
  • Update security group
  • Delete security group
  • View scan files
  • View Assets/Vulnerabilities records
  • Create exceptions
  • Disable exceptions
  • Remove exceptions
  • Edit exception date

Core

  • List Credentials
  • View Credentials
  • Manage Credentials

The user can perform all actions on credentials

Intelligent Automation

  • Read Action
  • Manage Action
  • Execute Action
  • Manage Action library
  • Read Action library
  • Manage connector
  • Read connector
  • Publish policy
  • Read policy
  • Manage policy
  • Manage remote plugin
  • Read remote plugin

 

Identity Management Service

  • List access keys
  • Read access keys
  • List users
  • Read users
  • List all access keys
  • List all users
  • Access the Users and keys > Users page.

Vulnerability Manager

These permissions are granted to the Vulnerability Manager, an out-of-the-box role.

Automation Console

  • Manage vulnerability scans
  • View vulnerability
  • Close vulnerability
  • View vulnerability exceptions
  • Manage vulnerability exceptions
  • Perform vulnerability operations
  • View security groups
  • Manage security groups
  • Manage SLAs
  • View SLAs
  • Manage tags
  • Manage connectors
  • View connectors
  • Assign category
  • Manage category

The Vulnerability Manager can perform all actions on vulnerabilities. 

aiops

  • View overview
  • View services
  • Manage services

To perform import operation of scan files

A role that lets a user import a scan file requires the minimum permissions as specified.

  • Manage vulnerability scans
  • View security groups
  • View SLAs
  • Import Scan files
  • View Scans
  • Remove a scan file
  • Export asset and vulnerability records
  • Share scan file with other users

Non-admin vulnerability view only

A non-admin user role that can only view vulnerabilities requires the minimum permissions as specified.

  • View vulnerability
  • View security groups
  • View SLAs
  • View scan files
  • View Assets/Vulnerabilities records
  • Export records

To close vulnerabilities

A role that can only close vulnerabilities requires the minimum permissions as specified.

  • View SLAs
  • View security groups
  • View vulnerabilities
  • Close vulnerabilities
  • Manually close vulnerability
  • Auto-close vulnerability

To manage exceptions

A role that manages vulnerability exceptions requires the minimum permissions as specified.

  • View SLAs
  • View security groups
  • View vulnerabilities
  • Manage vulnerability exceptions
  • Create exceptions
  • Disable exceptions
  • Remove exceptions
  • Edit exception date

Non-admin exception view only

A non-admin user who can only view vulnerability exceptions will require the minimum permissions as specified.

  • View security groups
  • View vulnerabilities
  • View vulnerability exceptions
  • View created exceptions

To manage asset and vulnerability tags

A role that manages assets and tags requires the minimum permissions as specified.

  • Manage tags
  • Manage vulnerability scans
  • Manage patch policies
  • Create scanned/managed/risk tags
  • Update scanned/managed/risk tags
  • Delete scanned/managed/risk tags

To manage patch policies

A role that manages patches requires the minimum permissions as specified.

  • Manage catalogs
  • Manage patch policies
  • View SLAs
  • View security groups
  • Add patches
  • Edit patches
  • Execute patching jobs
  • Disable patches
  • Remove patches
  • View list of patches
  • View results of patching jobs
  • View Managed Assets > Missing Patches Count
  • Navigate to Risks > Missing Patches page
  • Navigate to Patch dashboard
  • Export patch data

To view catalogs

A non-admin user who can only view catalogs will require the minimum permissions as specified.

  • View catalogs
  • View SLAs
  • View security groups
  • View the list of imported catalogs

To manage compliance operations

A role that manages compliance requires the minimum permissions as specified.

  • Manage compliance
  • Create compliance policy
  • Disable compliance policy
  • Remove compliance policy
  • Execute Now compliance policy
  • Compliance Dashboard 
  • Assets > Managed Assets > Compliance Violations
  • Risks > Compliance

To add connectors

A role that adds and manages connectors requires the minimum permissions as specified.

  • Manage connectors
  • Add new connector
  • Update connector
  • Enable connector 
  • Disable connector
  • Download connector

To view connectors

A role that only views connectors requires the minimum permissions as specified.

  • View connectors
  • View connectors

Important: This user role can be combined with other user roles.

To perform remediation operations

A role that performs the following actions requires the minimum permissions as specified:

  • Remediate patches
  • Remediate compliance
  • Remediate adhoc operations
  • Manage patch policy
  • Manage tags
  • Manage operations template
  • Manage connector
  • View security group
  • View SLAs
  • View catalogs
  • Add operation
    • Remediate from Patch dashboard page
    • Remediate from Operations page
  • Add operation from patch template
  • Add operation template
  • Delete operation
  • Edit operation
  • View operations
  • Change ticket
  • Manage compliance operations
  • Manage compliance
  • Manage tags
  • Manage connectors
  • View security groups
  • View SLAs
  • Add operation 
    • Remediate from Compliance Dashboard page
    • Remediate from operations page
  • Delete operation
  • View operations
  • Change ticket
  • Manage adhoc operations
  • Manage tags
  • Manage connectors
  • View security group
  • View SLAs
  • Add operation
  • Delete operation
  • View operations
  • Change ticket

To remediate vulnerabilities

A role that performs remediation and vulnerability operations requires the minimum permissions as specified.

  • View SLAs
  • View security groups
  • Manage vulnerability scans
  • Perform vulnerability operations
  • Add operation
  • Delete operation
  • View operations
  • Change ticket
  • Import scan files
  • View scans
  • Remove a scan file
  • Export asset and vulnerability records
  • Share scan file with other users

Default permissions assigned for TrueSight Server Automation roles in BMC Helix Portal

When you configure the TrueSight Server Automation connector, a role is created in BMC Helix Portal with the same name as provided in the Server Automation Role Name field. This role has the default permissions shown in the following table:

Important

In the case of an existing role in BMC Helix Portal, the default permissions may not apply, and you will need to assign or modify the permissions manually.

Role | Permissions

Connector

  • Manage 
  • View 

Vulnerability

  • Manage Scan
  • View
  • Close
  • Exception View
  • Exception Manage
  • Vulnerability Operation

Patch policy

Manage 

Security group

  • Manage
  • View

SLA

  • Manage 
  • View 

Catalog

  • Manage 
  • View 

Compliance

Manage 

Tag

Manage 

Operation

  • Manage Patch 
  • Manage Compliance
  • Manage Adhoc 

Operation template

  • Manage
  • View 

When you import a security group into the TrueSight Server Automation endpoint, a role with the same name is created in BMC Helix Portal with the default permissions shown in the following table:

Role | Permissions

Connector

View 

Vulnerability

  • Manage Scan
  • View 
  • Close
  • Exception View 
  • Vulnerability Operation

Patch policy

Manage

Security group

View

SLA

View

Catalog

View 

Compliance

Manage 

Tag

Manage 

Operation

  • Manage Patch 
  • Manage Compliance 
  • Manage Adhoc 

Operation template

  • Manage
  • View

 
