Managing system users
As well as being the means of controlling user security, a user is actually set up on the system as a Person data object, and can subsequently be associated with other objects.
All actions on the system are recorded against a user's ID for audit purposes. Users should always use their own ID and keep their security details safe.
Creating a new user
The BMC Discovery Administrator can set up new users and assign them to groups. Before creating users, you must ensure that you have set up all the groups that you need. For more information, see Managing-groups.
To create a new user
- From the Users page, click Add at the bottom of the page.
- In the Add User page, enter details for the new user:
Field Name: Details
Template: Select one of the following user types:
• User to create a standard UI login user account.
• API Access to create a user account only to be used for access to an API.
• Event Source to create a user account only to be used as an event source.
The appropriate fields are enabled or disabled to make populating the user details simpler. For example, an API user does not require a password, so the password fields are disabled.
Username: Login ID of the user.
Full Name: Full name of the user.
Local Login: Permit Local Login. By default, this option is selected to enable the new user to log in using the local login credentials (in addition to the BMC Helix SSO credentials). You should permit local login access to one or more administrative users to ensure that you maintain access to the system.
Make sure to deselect this option if you want the user to log in only through BMC Helix SSO.
Password: Password to be allocated to this user. Not used for API Access or Event Source users.
Verify Password: Verify the password; it must match. Not used for API Access or Event Source users.
Password Rules: (Read-only display) Rules that are used to validate the password strength.
Options: Force Password Change On First Login. Specifies that users must change their password when they first log in. You can deselect this option if you do not want to force new users to change their passwords, though this is not recommended.
Groups: One or more groups that this user will be a member of. By default, all new users are members of the public group.
For API Access users, the api-access and never-deactivate check boxes are automatically selected.
For Event Source users, the event-source and never-deactivate check boxes are automatically selected.
- To save your changes, click OK.
Amending a user's details
You can change a user's name and the groups that they are a member of. The access defined by the group membership will apply the next time this user logs on.
To amend a user's details
- From the Users page, select Edit from the Action list for the user.
The Set Password page is displayed.
- Amend or overwrite the Full Name field.
- Select one or more Groups that this user is to be a member of.
- To save the changes, click OK.
Changing a user's password
If users forget their passwords or if a password is not kept secure, you can assign a new password.
To set a new password for a user
- From the Users page, select Set Password from the Action list for the user.
The page is redisplayed, showing blank Password fields. The existing password is not displayed.
If the password policy requires a password to be changed, the label "MUST be changed" is displayed next to the user.
- Enter a new password for this user in the Password field. Confirm the password in the Verify Password field.
- To save the changes, click Apply. The new password will apply the next time the user attempts to log on.
You can also specify that the user changes their password on their next login. To do this, select Must Change Password from the Action list for the user.
The preferred way to set or reset user passwords is using the UI. However, you can also change users' passwords at the command line.
Generating an API token for an account
API Access and Event Source accounts do not have passwords; they use a generated token to enable external clients to make API calls using that account. You can also create a token for any other user account, with the exception of the system user, so that API calls can be made using that account.
API Access users can access the REST API using a token. To connect to the CSV or XML export APIs, a user must connect with a username and password.
To generate an API token for a user
- From the Users page, select Generate API Token from the Action list for the user.
A dialog is displayed containing the token.
- Copy the token and save it for use by external clients.
You cannot revoke an API token for an existing user. You must delete the user.
Preventing a user logging in with a username and password
You might want to prevent a user logging in with a username and password, for example, if the user account is authenticated using a single sign-on system. To do this:
- From the Users page, select Deny password login from the Action list for the user account.
Reactivating a user account
If a user's account is not used for a specified period of time, their account is deactivated.
See Managing-security-policies for information about configuring account deactivation.
To reactivate a deactivated user account, you must be logged in as a member of the unlocker group, and reactivating user accounts must be enabled in the Security Policy page. You can also deactivate a user's account manually.
A deactivated account is never automatically reactivated.
To reactivate a locked user account
- Check that account reactivation is allowed (see Managing-security-policies).
- From the Users page, select Reactivate from the Action list for the user account to be reactivated.
Unblocking a user account
If a user unsuccessfully attempts to log in to their account more times than the account blocking threshold allows, their account is blocked. See Managing-security-policies for information about configuring account blocking.
You must be logged in as a member of the unlocker group.
To unblock a locked user account
- From the Users page, select Unblock from the Action list for the user account to be unblocked.
Deleting a user
You can delete any existing user except for yourself or the default system-created users.
To delete an existing user
- From the Users page, select Delete from the Action list for the user.
User permissions
User permissions in BMC Discovery are additive. When you grant a user an additional permission (through adding the user to another group), that permission is added to the user's existing permissions. For example, if you grant appmodel permissions to a user with discovery permissions, the user gains no additional permissions because all of the appmodel permissions were already granted in the discovery permission set. Similarly, you cannot add readonly permissions to a system user in the hope of achieving a read-only system user.
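The additive model described above can be audited mechanically. The following Python sketch is an added example, not BMC Discovery code: the group-to-permission mapping and the permission names are constructed for illustration. It computes each user's effective permissions as the union of their groups and flags memberships that contribute nothing, such as readonly on a system user.

```python
# Constructed mapping: these permission names are illustrative placeholders,
# not BMC Discovery's real permission identifiers.
GROUP_PERMISSIONS = {
    "public":    {"ui/login"},
    "readonly":  {"ui/login", "model/read"},
    "appmodel":  {"ui/login", "model/read", "appmodel/write"},
    "discovery": {"ui/login", "model/read", "appmodel/write", "discovery/run"},
    "system":    {"ui/login", "model/read", "appmodel/write", "discovery/run",
                  "security/admin"},
}


def effective_permissions(groups):
    """Union of every group's permissions: a membership can only add."""
    perms = set()
    for group in groups:
        perms |= GROUP_PERMISSIONS[group]
    return perms


def redundant_groups(groups):
    """Groups whose permissions are fully covered by the user's other groups."""
    groups = list(groups)
    redundant = []
    for group in groups:
        others = effective_permissions(g for g in groups if g != group)
        if GROUP_PERMISSIONS[group] <= others:
            redundant.append(group)
    return sorted(redundant)


def audit(users):
    """Map each username to (sorted effective permissions, redundant groups)."""
    return {
        name: (sorted(effective_permissions(groups)), redundant_groups(groups))
        for name, groups in users.items()
    }


if __name__ == "__main__":
    # Constructed sample accounts.
    sample_users = {
        "alice": ["public", "discovery", "appmodel"],
        "ops_admin": ["system", "readonly"],
    }
    for name, (perms, redundant) in audit(sample_users).items():
        print(f"{name}: effective={perms} redundant_groups={redundant}")
```

A group reported as redundant is not harmful in itself, but a restrictive-sounding group in that list (readonly on ops_admin here) shows that the membership does not limit the account in any way.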