Importing and syncing users and groups at logon time

As an LDAP administrator, you can enable the import of users and their associated groups from a SAML 2.0-based identity provider (IdP) in your company into BMC Helix Portal at logon time.

Best practice

If you have a small number of users and groups, you can perform the import at logon time. Otherwise, we recommend that you download, configure, and run the LDAP sync agent to sync users and groups along with their mapping. For more information, see Running-the-LDAP-sync-agent.

Each time a user logs on to the BMC Helix Portal console:

  • New users and groups are imported. 
  • Changes related to the existing users and groups are synced.

The imported users and groups are displayed in the same way as the manually created users and user groups, with the type External.

The imported users and groups are displayed on the User accessUser groups page and the User accessUsers page respectively. 


To import and sync users and groups at logon time

  1. Ensure that SAML is configured and user group sync is enabled. Contact BMC Support to configure Helix Single Sign-On as described in Configuring authentication.

  2. Use one of the following methods to import user details from the SAML assertion:
    • Import users and groups along with their mapping:
      To use this method, perform the following steps:
      1. Create an external user with the same login ID as the LDAP admin user. 
        For more information, see Setting-up-users-for-console-access.
      2. Assign the external user to a role with all permissions or at a minimum all permissions to the Identity Management Service application or service. 
        For more information, see Setting-up-roles-and-permissions.
      3. Ask users to log on to the BMC Helix Portal console.
        BMC Helix Portal updates the user and group membership in the following way:
        1. Logged-in users are automatically created with the type External.
        2. Groups associated with the logged-in users are automatically created with the type External. 
        3. Logged-in users are automatically mapped with the groups.
      4. Assign the imported groups to relevant roles with appropriate permissions.

    • Import users with their mapping information: Groups need to be created manually before the import and permissions need to be assigned to the groups. Doing this permission assignment, ensures that all the imported users are automatically mapped to the groups with appropriate permissions the very first time. This method is also useful for syncing changes made to the users and groups.

      Best practice

      If you are planning to use an integrated product that requires an additional step to provide permissions, we recommend this method.

      For example, in BMC Helix Operations Management you need to create authorization profiles to provide appropriate permissions to groups. To ensure that users have the appropriate permissions at logon time, you need to create groups in BMC Helix Portal. Then, you need to assign the groups to the appropriate roles in BMC Helix Portal and the appropriate authorization profiles in BMC Helix Operations Management.

      To use this method, perform the following steps:

      1. Create user groups with the same name as the groups managed by your IdP. 
        For more information, see Setting-up-user-groups.
      2. Assign the user groups to roles with appropriate permissions. 
        For more information, see Setting-up-roles-and-permissions.
      3. Ask users to log on to the BMC Helix Portal console.
        BMC Helix Portal updates the user and group membership in the following way:
        1. Logged-in users are automatically created with the type External.
        2. The existing user groups are updated with the new details from the IdP and the type is changed to External.
        3. The user groups are automatically mapped to the logged-in users.