User identities

You can control access to BMC Helix Portal integrated products and common services by managing user identities and user access. 

User identity types

Based on the type of access, users in BMC Helix Portal can be local or external.

The following image describes the types of user access:

User identities.PNG

The following table provides information about the different types of user access:


Local user access

You can create and manage users locally on  BMC Helix Portal. Helix Single Sign-On is used for authenticating users into BMC Helix Portal.

Users can be of two types:

  • Users that require console access
  • Users that require programmatic access

 For more information, see User-access-and-keys

Local users can perform the following operations if they have appropriate permissions:

  • Create, view, and delete other local users, and update their own details. 
  • Create, view, and delete external IdP users.
  • View and delete synced users.


External IdP user access

Helix Single Sign-On is used as an authentication mechanism for BMC Helix Portal. If you already manage user identities by using an external identity provider (IdP), you can import such users and groups into BMC Helix Portal. Helix Single Sign-On supports IdPs that are compatible with various authentication mechanisms. For more information, see Configuring authentication

External IdP users can authenticate into BMC Helix Portal by using their existing credentials. Thus, you can manage users and groups outside of BMC Helix Portal and give these users and groups permissions to use the BMC Helix Portal integrated products and common services. 

To enable IdP users to access BMC Helix Portal, you need to establish a trust relationship between Helix Single Sign-On and your IdP. For this, you need to request the BMC SaaS Operations team to configure your IdP. For more information, contact BMC Support

Based on the volume of users and groups to sync, you can use one of the following approaches for the import and sync:

The imported or synced users and groups are created with the type External. After the import, these users need to be provided appropriate permissions by assigning them to the appropriate roles. However, we recommend that you assign the users to groups and then assign the groups to roles. Then, the users will inherit the permissions from the roles. 

Warning

After you move from local to external IdP authentication, all the local users (including the tenant administrator) cannot access the BMC Helix Portal console.

Therefore, before importing, as a tenant administrator, do one of the following actions based on whether you possess the login credentials of an IdP admin user:

  • Create an external user with the same login ID as the IdP admin user. Then, associate the external user(s) to a role with all permissions or at a minimum all permissions to the Identity Management Service application or service.
    After the import, the IdP admin user can log on to BMC Helix Portal and associate the imported users with the relevant roles containing appropriate permissions.

  • Create a default role and assign appropriate permissions to the role. At a minimum, assign all permissions to the Identity Management Service application or service.

    What is the impact of creating a default role?

    The users (authenticated in Helix Single Sign-On)  that are dynamically logged in to the system are automatically assigned to the default role in BMC Helix Portal. These users inherit access permissions from the default role and are listed on the User access > Users and keys page. Later, you can assign the users to other roles containing more appropriate permissions and delete the default role.

Tip

Some integrated products might require an additional step for providing permissions to users. For example, BMC Helix Operations Management requires you to assign user groups to authorization profiles in BMC Helix Operations Management.


External IdP users can perform the following operations if they have appropriate permissions:

  • View and delete local users.
  • Create, view, and delete other external IdP users, and they can update their own details. 
  • View and delete other synced users.


Cross-product user access

BMC Helix Portal can share access with BMC Helix ITSM users so that the BMC Helix ITSM users can use their existing credentials to authenticate into BMC Helix Portal. To share access, the BMC SaaS Operations team needs to perform some configurations and sync the BMC Helix ITSM users into BMC Helix Portal.

Best practice

When you sync the BMC Helix ITSM users into BMC Helix Portal, make sure that you use the user name in the same case as specified in BMC Helix ITSM.  That is, the user name is case sensitive. 

All the licensed users (fixed, floating, and bundled users) and the relevant logical user groups are synced. For more information, contact BMC Support

Licensed user - User group

When the BMC Helix ITSM: Smart IT users are imported and synced in BMC Helix Portal, by default they are added to the Licensed User user group.

After the configuration:

  • The synced users are displayed on the User access > Users and keys page.
  • The synced user groups associated with these users are displayed on the User accessUser groups page. 
  • The user groups are automatically mapped with the correct roles containing appropriate permissions in BMC Helix Portal.
  • If a read-only user (with the license type, Read and Restricted Read) logs on to BMC Helix Portal:
    • The read-only user is dynamically synced and displayed on the User accessUsers and keys page. 
    • The user profile information, logical groups, and permissions associated with the user are inherited and imported into BMC Helix Portal and the groups and permissions are mapped to the read-only user. 

BMC Helix Portal allows users (authenticated by Helix Single Sign-On or LDAP) to dynamically log in to the system. However, for such users, the First name, Last name, and Email address details are not available. Due to this, users might not receive the notifications for the activities done in BMC Helix Portal. BMC recommends that each individual user must update their profile information. For more information, see Viewing-and-modifying-your-profile-information.  

How can dynamically logged in users fetch the First name, Last name, and Email address?

In the Configure > Users and keys page, to fetch the user name of the users that are dynamically logged in to In the BMC Helix Portal, do the following:

  • Configure the First name, Last name, and Email ID attributes in the SAML assertion. 
    Example of the attribute statements: 
</saml:Attribute> <saml:Attribute Name="First name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue> </saml:Attribute>
<saml:Attribute Name="Last name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xs:string">testuser</saml:AttributeValue> 
</saml:Attribute> <saml:Attribute Name="Login ID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xs:string">1234</saml:AttributeValue>
 </saml:Attribute> <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xs:string">test@bmc.com</saml:AttributeValue>

Depending on the IdP provider, the attribute names can differ. If the attribute names are different, then share the file with BMC SaaS Operations team.

  • Request BMC SaaS Operations team at BMC Support to make the required changes.


Synced users cannot be created or updated from the BMC Helix Portal console. When a user profile is deleted or marked as disabled in BMC Helix ITSM, the user is deleted or marked as deactivated in BMC Helix Portal. Similarly, when the user profile is enabled in BMC Helix ITSM, the user is activated in BMC Helix Portal.

These users can perform the following operations if they have appropriate permissions:

  • View and delete other local users.
  • Create, view, and delete other external IdP users.
  • View and delete other synced users. 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*