This documentation supports the 21.05 (12.2) version of BMC Discovery.To view an earlier version of the product, select the version from the Product version menu.

Managing system users

The BMC Discovery Administrator is responsible for setting up details of all the users who are permitted to use the BMC Discovery system. Users are allocated a user name and a password, which they must enter in order to log in to the system. Each user is a member of one or more user groups, which define the parts of the system that user is permitted to access. For example, users defined as members of the Admin group are able to create and edit user details, while members of the Public group cannot access these areas.BMC Discovery can integrate with your corporate LDAP infrastructure. LDAP groups can be mapped to BMC Discovery groups and hence assigned permissions on the system. For information about setting up LDAP, see Managing-LDAP.

Related topics

Managing-users-and-security

Integrating with BMC Helix Single Sign-On

Managing-security-policies

Administering

As well as being the means of controlling user security, a user is actually set up on the system as a Person data object, and can subsequently be associated with other objects.

All actions on the system are recorded against a user's ID for audit purposes. Users should always use their own ID and keep their security details safe.

Creating a new user

The BMC Discovery Administrator can set up new users and assign them to groups. Before creating users, you must ensure that you have set up all the groups that you need. For more information, see Managing-groups.

To create a new user

  1. From the Users page, click Add at the bottom of the page.

  2. In the Add User page, enter details for the new user:

     Field Name

    Details

    Template

    Select one of the following user types:
      • User     to create a standard UI login user account.
     • API Access to create a user account only to be used for access to an API.
     • Event Source to create a user account only to be used as an event source.
    The appropriate fields are enabled or disabled to make populating the user details simpler. For example an API user does not require a password, so the password field are disabled.

    Username

    Login ID of the user.

    Full Name

    Full name of the user.

    Local Login

    Permit Local Login. By default, this option is selected to enable the new user to log in using the local login credentials (besides the BMC Helix SSO credentials). You should permit local login access to one or more administrative users to ensure that you maintain access to the system.
    Make sure to deselect this option if you want the user to log in only through BMC Helix SSO.

    Password

    Password to be allocated to this user. Not used for API Access or Event Source users.

    Verify Password

    Verify the password; it must match. Not used for API Access or Event Source users.

    Password Rules

    (Read-only display) Rules that are used to validate the password strength.

    Options

    Force Password Change On First Login. Specifies that users must change their password when they first login. You can deselect this option if you do not want to force new users to change their passwords, though this is not recommended.

    Groups

    One or more groups that this user will be a member of. By default, all new users are members of the public group.

    For API Access users, the api-access and never-deactivate check boxes are automatically selected.

    For Event Source users, the event-source and never-deactivate check boxes are automatically selected.

  3. To save your changes, click OK.

Note

User names are case sensitive. That is, user names with the same spelling but different case are permitted; for example, Johnson and JOHNSON are not recognized as duplicates.

Amending a user's details

You can change a user's name and the groups that they are a member of. The access defined by the group membership will apply the next time this user logs on.

To amend a user's details

  1. From the Users page, select Edit from the Action list for the user.
     The Set Password page is displayed.
  2. Amend or overwrite Full Name field.
  3. Select one or more Groups that this user is to be a member of.
  4. To save the changes, click OK.

Changing a user's password

If users forget their passwords or if a password is not kept secure, you can assign a new password.

To set a new password for a user

  1. From the Users page, select Set Password from the Action list for the user.
     The page is redisplayed, showing blank Password fields. The existing password is not displayed. 

    If the password policy requires a password to be changed, the label "MUST be changed" is displayed next to the user.

    Enter a new password for this user in the Password field. Confirm the password in the Verify Password field.

  2. To save the changes, click Apply. The new password will apply the next time the user attempts to log on.
     You can also specify that the user changes their password on their next login. To do this, select Must Change Password from the Action list for the user.

The preferred way to set or reset user passwords is using the UI. However, you can also change users passwords at the command line.

Changing users passwords at the command line
To reset the BMC Discovery user password at the command line

The tw_passwd utility enables you to change the password of a specified user interface user. To use the utility, enter the following command at command prompt:

tw_passwd username

where username is the name of the UI user to change.

For example:

[tideway@DE-32 ~]$ tw_passwd fred
New password:
Retype password:
Password set for user 'fred'.
[tideway@DE-32 ~]$

Note

The tw_passwd utility is for changing UI users' passwords. To change the passwords for command line users, as the root user, use the Linux command passwd. This is described in Changing the root and user passwords

Generating an API token for an account

API Access and Event Source accounts do not have passwords, they use a generated token to enable external clients to make API calls using that account. You can also create a token for any other user account, with the exception of the system user, so that API calls can be made using that account.

API Access users can access the REST API using a token. To connect to the CSV or XML export APIs, a user must connect with a username and password.

To generate an API token for a user

  1. From the Users page, select Generate API Token from the Action list for the user.
    A dialog is displayed containing the token.
    API_token.png
  2. Copy the token and save it for use by external clients.

You cannot revoke an API token for an existing user. You must delete the user.

Preventing a user logging in with a username and password

You might want to prevent a user logging in with a username and password, for example, if the user account is authenticated using a single sign-on system. To do this:

From the Users page, select Deny password login from the Action list for the user account.

Reactivating a user account

If a user's account is not used for a specified period of time, their account is deactivated. 

See Managing-security-policies for information about configuring account deactivation.

To reactivate a deactivated user account, you must be logged in as a member of the unlocker group, and reactivating user accounts must be enabled in the Security Policy page. You can also deactivate a user's account manually.

A deactivated account is never automatically reactivated.

To reactivate a locked user account

  • Check that account reactivation is allowed. (see Managing-security-policies)
  • From the Users page, select Reactivate from the Action list for the user account to be reactivated.

Unblocking a user account

If a user unsuccessfully attempts to log in to their account more than the account blocking threshold, their account is blocked. See Managing-security-policies for information about configuring account blocking.You must be logged in as a member of the unlocker group. 

To unblock a locked user account

From the Users page, select Unblock from the Action list for the user account to be reactivated.

Deleting a user

You can delete any existing user except for yourself or the default system-created users.

To delete an existing user

From the Users page, select Delete from the Action list for the user.

User permissions

User permissions in BMC Discovery are additive. When you grant a user an additional permission (through adding the user to another group), that permission is added to the user's existing permissions. For example, if you grant appmodel permissions to a user with discovery permissions, the user gains no additional permissions because all of the appmodel permissions were already granted in the discovery permission set. Similarly, you cannot add readonly permissions to a system user in the hope of achieving a read-only system user.