Setting up access control

As an administrator, set up users and user groups in BMC Helix Portal and set up authorization profiles in BMC Helix Operations Management to manage access control.

Authorization profiles

Use BMC Helix Operations Management to manage authorization profiles so that the administrators and non-administrator users can successfully perform all the activities within the defined organizational boundaries while using the console. BMC Helix Operations Management uses BMC Helix SSO to authenticate users. With authorization profiles, you can implement role-based and data-level access control.

Authorization profiles are a grouping of the following types of information that is required to provide a user-level permissions and data-level permissions:

Item	Type of access	Benefit
User groups	Role-based access control	Allows you to control permissions to the product features (based on user role) by assigning user groups to the authorization profile.
Objects	Data-level access control	Allows you to control access to data at multiple levels by assigning the following objects to the authorization profile: PATROL solutions: Enables you to control access to PATROL solutions added while you are configuring monitor policies. PATROL Agent ACLs: Enables you to control access to the list of PATROL agents grouped while configuring PATROL Agent ACLs. Devices: Enables you to control access to the list of devices from which event data is collected. Groups: Enables you to control access to groups of entities (or resources) such as devices and events by configuring groups. Services: Enables you to control access to various services in your infrastructure. Important: This option is available under controlled availability to select customers.

Authorization profiles associate users who belong to one or more user groups with specific objects. By default, a user who is a member of the Administrators user group can create, edit, and delete authorization profiles. 

Authorization profiles comprise user groups and objects, which you specify or select when creating or editing the profile.  You cannot create or modify the required components when creating or modifying an authorization profile. The following diagram and table describe the required components and show their relationship to an authorization profile. 

Component	Details
User groups	A named collection of users. You can associate multiple user groups within an authorization profile. You can also associate a user group to more than one authorization profile. If an authorization profile contains only one user group and if that user group is deleted in BMC Helix SSO, actions on the authorization profile fail. You have to edit the authorization profile to add a different user group or delete the authorization profile. Error Warning Whenever you modify the user groups from BMC Helix SSO, you must edit the authorization profile and re-associate the modified user groups. If not updated, it will result in an authentication failure of all the users who are associated with the modified user groups.
Objects	(Optional) Administrators can choose from a list of objects present in BMC Helix Operations Management and then associate the selected objects with the authorization profile:

You can create or configure the authorization profile components in any order, but you cannot create an authorization profile without them.

The following persona-based authorization profiles are available by default:

• Administrator
• Operator

For instructions on creating authorization profiles, see Configuring authorization profiles.

Users and user groups

From BMC Helix Operations Management, you cannot view, modify, or delete users and user groups. You must log into BMC Helix Portal as a tenant administrator and perform the changes.

To access BMC Helix Portal, click the link in your welcome email from BMC. 

In BMC Helix Portal, you need to assign user groups to appropriate roles to delegate access permissions to users.