Enabling role-based access control
As a tenant administrator, you can control access to services and their related data in BMC Helix AIOps by enabling role-based access control (RBAC). By assigning services to user groups through authorization profiles, you ensure that users can view and investigate only the data relevant to their responsibilities. This helps teams focus on the services they support, reduces irrelevant alerts, ensures ownership-based visibility, and prevents access to services outside a user’s responsibility.
Authorization profiles are configured in BMC Helix Operations Management and determine which services a user can access. Based on these service assignments, related data, such as situations, events, predictions, and dashboard insights, are automatically filtered across BMC Helix AIOps, BMC Helix Operations Management, and BMC Helix Dashboards.
Role-based access control is implemented through service-level access defined in authorization profiles.
Services are assigned to user groups.
Users inherit access through their group membership.
Assigned services define the scope of visibility.
If a service is not assigned to any user group, it is visible only to administrators when enforcement is enabled. BMC Helix AIOps uses this scope to determine the data available to each user.
Before you begin
Ensure that users are created in BMC Helix Portal. For more information, see Setting up user groups.
Configure authorization profiles in BMC Helix Operations Management to:
Define which objects (such as services and devices) a user group can access
Associate authorization profiles with one or more user groups
Ensure that only permitted data is visible to the users of those groups
For more information, see Configuring authorization profiles.
To enable role-based access control
On the BMC Helix AIOps console, click Configurations, and then click Manage Product Features.
On the Manage Product Features page, enable Role-based access control.
After RBAC is enabled, access to services, situations, and events is controlled based on authorization profiles. If this option is disabled, authorization profiles are not enforced, and all users can view all services and related data.

Where role-based access control is applied
After RBAC is enabled and authorization profiles are configured, access to data is controlled across BMC Helix Operations Management and BMC Helix AIOps.
The following table shows which UI areas RBAC affects and how it affects data visibility across these products.
| UI location | Product | Behavior |
|---|---|---|
| Overview | BMC Helix AIOps | Displays service health summaries and insights only for the assigned services. |
| Services | BMC Helix AIOps | Displays only the services assigned through authorization profiles in the heatmap or tile view. |
| Situations | BMC Helix AIOps | Displays only the situations associated with the assigned services. |
| Predictions | BMC Helix AIOps | Displays predictions only for the assigned services. |
| Event list | BMC Helix Operations Management, BMC Helix AIOps | Displays only the events related to the assigned services. |
| Advanced filters (Events) | BMC Helix Operations Management | Returns only events related to the assigned services when filters are applied. |
| Dashboards | BMC Helix Dashboards | Displays service metrics and situation data only for the assigned services. |
How access works in different scenarios
The following table describes how access is applied in different contexts:
| Context | Behavior |
|---|---|
| Service access scope | Services define the access boundary for related data. Data associated with the assigned services is available within the user’s context. |
| Operator access | Operators can access only the services assigned to them. All investigations and analyses are limited to those services. |
| Administrator access | Tenant administrators are not restricted by service assignments and can access all services. |
| Multi-service situations | A multi-service situation involves multiple services. Investigation includes only the data associated with the assigned services. Other services are visible and are included for context, but are not available for further analysis. |
| Parent and child services | Parent and child services are evaluated independently. If a user has access to a parent service but not to a child service, the parent remains visible, and restricted child services remain hidden or inaccessible. |
| Partial data scenarios | In some views, the available information might represent a subset of the complete data. This occurs when related services fall outside the assigned service scope. |
| Cross-product service visibility | Role-based access control provides consistent visibility across products. If a user can view a service in one product, the same service set is available across other service-centric views and dashboards based on the same access rules. |
Scenario: Role-based access control by using authorization profiles
At Apex Global, Susan is the tenant administrator responsible for managing access across BMC Helix AIOps. She ensures that operators can access only the services relevant to their responsibilities.
Joseph and John are operators with restricted access.
Joseph is responsible for database services.
John manages operating system services.
Susan configures authorization profiles in BMC Helix Operations Management, and then enables the Role-based access control option in BMC Helix AIOps.
Susan configures authorization profiles to control which services each operator can access. After the profiles are saved, related situations and events are automatically filtered based on the assigned services.
To configure authorization profiles, Susan performs the following steps:
Susan logs in as a tenant administrator to BMC Helix Operations Management.
She navigates to Administration > Authorization Profiles.
She creates or updates the authorization profile for the operator user group that includes Joseph.
She selects five database services, assigns them to the profile, and saves the configuration.
Susan creates a separate authorization profile for John’s OS operations user group.
She selects three operating system services for John and saves the profile.
The permissions are applied immediately after the profiles are saved.
The following database services are assigned to Joseph:

The following operating system services are assigned to John:

To validate access for restricted users
Joseph logs in as an operator. On the Services page, he can see only the five database services assigned to his authorization profile. Operating system services are not visible.

Joseph opens one of the permitted database services. On the service details page, he can view service health, associated situations, and business impact (where applicable).
In Situations, only situations related to Joseph’s permitted database services are listed. He drills into a situation to view its details.
In Events, only events associated with the permitted database services are displayed.


John logs in as an operator. On the Services page, he can see only the three operating system services assigned to his authorization profile. John does not see any services, situations, or events outside the operating system services relevant to his role.

John opens one of the permitted operating system services. On the service details page, he can view service health, associated situations, and business impact (where applicable).
In Events, only events associated with the permitted operating system services are displayed.
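
The access rules from this page (group-inherited service scope, administrator bypass, unassigned services, and multi-service situations), modelled for the Apex Global scenario as an added example. This is not BMC Helix code or a BMC API; the `Tenant` class, group names, and service names are constructed, and treating membership in several groups as a union of their services is an assumption.

```python
# Illustrative model of the visibility rules on this page. Not BMC Helix code.
# Group, service and situation names are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Tenant:
    enforce_rbac: bool
    services: set
    profiles: dict                      # user group -> assigned services
    members: dict                       # user -> user groups
    admins: set = field(default_factory=set)

    def scope(self, user):
        """Services the user can view and investigate."""
        if not self.enforce_rbac or user in self.admins:
            return set(self.services)   # no enforcement, or tenant admin
        groups = self.members.get(user, set())
        # Assumption: several groups grant the union of their services.
        assigned = set().union(*(self.profiles.get(g, set()) for g in groups))
        return assigned & self.services

    def unassigned(self):
        """Services in no profile: administrator-only under enforcement."""
        return self.services - set().union(*self.profiles.values())

    def situation_view(self, user, situation_services):
        """Split a situation's services into analysable and context-only."""
        scope = self.scope(user)
        if not scope & situation_services:
            return None                 # not listed for this user
        return {"analysable": situation_services & scope,
                "context_only": situation_services - scope}

DB = {f"db-{i}" for i in range(1, 6)}   # five database services
OS = {f"os-{i}" for i in range(1, 4)}   # three operating system services
apex = Tenant(
    enforce_rbac=True,
    services=DB | OS | {"web-portal"},  # web-portal is in no profile
    profiles={"db-operators": DB, "os-operators": OS},
    members={"joseph": {"db-operators"}, "john": {"os-operators"}},
    admins={"susan"},
)

if __name__ == "__main__":
    for user in ("susan", "joseph", "john"):
        print(user, sorted(apex.scope(user)))
    print("admin-only:", sorted(apex.unassigned()))
    print(apex.situation_view("joseph", {"db-1", "os-2"}))
```

Running `unassigned()` against a real service inventory before enabling enforcement shows which services would become visible only to administrators.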

