Roles and permissions
User roles
As an administrator in the BMC Helix SSO Admin Console, you can have one of the following roles:
Role | Description |
---|---|
SaaS administrator | SaaS administrator users have full rights to create, activate, delete, or temporarily deactivate other tenants. Users with this role can view and change the configuration of any tenant registered on the BMC Helix SSO server. From the SaaS tenant, SaaS administrators can create other SaaS administrator users. From a customer tenant, SaaS administrators can create tenant administrator users. |
Tenant administrator | Tenant administrator users have full rights to manage local users for realms in their tenant. Tenant administrators cannot do anything else in the BMC Helix SSO Admin Console. |
Permissions in the BMC Helix SSO Admin Console
Depending on your role, you have the following permissions for accessing features in the BMC Helix SSO Admin Console:
Feature in the BMC Helix SSO Admin Console | SaaS administrator | Tenant administrator | Reference |
---|---|---|---|
BMC Helix SSO server configuration | Supported | Not supported | |
BMC Helix SSO server configuration import and export | Supported | Not supported | |
Realms management | Supported | Not supported | |
User sessions management | Supported | Not supported | |
Local users management | Supported | Supported | |
OAuth 2.0 clients management | Supported | Not supported | |
LaunchPad applications management | Supported | Not supported | |
Administrator users management | Supported | Not supported | |
Tenant management | Supported | Not supported | |
The login and logout activities of all users in BMC Helix SSO are displayed in the BMC Helix SSO log files.
How users can be created on the BMC Helix SSO server
Administrator users who can access the BMC Helix SSO Admin Console and perform tasks in it can be created by one of the following methods:
- The default administrator user
- Internal administrator users on the server
- External LDAP users with granted administrator privileges for BMC Helix SSO
The default administrator user
When a system administrator installs the BMC Helix SSO server, the SaaS administrator is created on the BMC Helix SSO server by default. For information about how to log in to the BMC Helix SSO Admin Console by using the credentials of the default internal administrator, see Verifying the installation. After the SaaS administrator logs in to the BMC Helix SSO server for the first time as the default administrator, the SaaS administrator can change the default password. For details about how to do this, see Setting up BMC Helix SSO administrator accounts.
Internal administrator users on the BMC Helix SSO server
SaaS administrators can create the following users in the BMC Helix SSO Admin Console from the Admin User tab.
- In the SaaS tenant, create SaaS administrators.
- In a customer tenant, create tenant administrators.
For information about how to create users, see Setting up BMC Helix SSO administrator accounts.
External LDAP users with granted administrator privileges for BMC Helix SSO
To distribute responsibility between BMC Helix SSO administrators, a SaaS administrator can grant administrator privileges to users from an external LDAP directory. External users can log in to the BMC Helix SSO Admin Console and perform the administrative tasks available to them.
To grant the SaaS administrator privileges to external users, in the SaaS tenant, a SaaS administrator must configure LDAP authentication on the Server Configuration page in the BMC Helix SSO Admin Console.
To grant the tenant administrator privileges to external users, in a customer tenant, a SaaS administrator must configure LDAP authentication on the Server Configuration page in the BMC Helix SSO Admin Console.
For instructions on how to configure LDAP for external users, see Configuring authentication for BMC Helix SSO administrators.