Catalog roles and permissions
Licenses
Although licensing is not a component of access control, licensing can affect a user's ability to perform an operation that you grant the user permission to perform.
The following license types are used in BMC Helix Digital Workplace Catalog:
License type | Description |
---|---|
Read | Enables users to create, search for, and display requests within their assigned permissions. This license is for end users who can only request services from the catalog in BMC Helix Digital Workplace. In Mid Tier, the Read license type is shown as Restricted Read. |
Fixed | Includes all capabilities of a Read license, and also enables users to perform administrative tasks. It is an extended license for users who manage services in BMC Helix Digital Workplace Catalog. A Fixed license is associated with a user name and is always "reserved" for that user. |
Floating | Includes all capabilities of a Read license, and also enables users to perform other tasks. It is designed for users who occasionally need to modify and save requests. Multiple users can use the same Floating licenses, one user at a time: they are available on a first-come, first-served basis. |
Bundled | Consists of a group of licenses, for a bundle of products. Bundled licenses can contain both Fixed and Floating licenses. |
Catalog roles
Out-of-the-box, BMC Helix Digital Workplace Catalog provides catalog roles that are required to perform catalog-related tasks, such as creating and managing the service catalog, entitling services to users, and so on. These roles have a one-to-one correspondence with a set of IS Personas in Mid Tier. When users are created in Mid Tier, they can be assigned an IS persona that corresponds to a catalog role. However, we recommend that you assign roles from the Catalog console.
The following graphic illustrates the relationship between users, roles, and permissions and capabilities:
The following table shows the out-of-the-box catalog application roles and the IS personas:
Role name | Role permission | Corresponding IS Persona | License¹ level | Capability |
---|---|---|---|---|
Catalog administrator | Catalog Admin | Catalog Admin | | The catalog administrator maintains all aspects of the service catalog, which includes service templates, service level agreement (SLA) policies, cost adjustments, and fulfillment workflows. The administrator also configures service connectors and performs other system administration functions, such as managing users and assigning sub-catalogs to catalog users. For more information about this role, see Quick-start-for-catalog-administrators. |
Asset manager | Catalog Asset Manager | Catalog Asset Manager | | Asset managers set up and manage virtual marketplaces, as a method to entitle services, bundles, and banners to users and groups. For more information about this role, see Quick-start-for-asset-managers. |
Agent | Catalog Agent | Catalog Agent | | Service agents investigate the status of service requests and answer queries by users about their service requests. With this role, an agent can see the service requests that are created by other users. Unless they have unrestricted access, they can see the service requests of only the companies directly assigned to them. Important: Service agents no longer need Fixed licenses. |
Administrator (for internal suppliers)² | Catalog Internal Supplier Admin | Catalog Internal Supplier Admin | | The internal supplier administrator maintains an assigned subcatalog. The internal supplier administrator has the same service management capabilities as the catalog administrator, but without the application administration capabilities. Internal service supplier administrators approve services and publish them. Internal service supplier administrators help to populate the organization's service catalog by: For more information about this role, see Quick-start-for-internal-supplier-administrators. |
Internal supplier² | Catalog Internal Supplier | Catalog Internal Supplier | | Internal service suppliers help to populate the organization's service subcatalog by: For more information about this role, see Quick-start-for-internal-suppliers. |
Subtenant administrator | Catalog Subtenant Admin | Catalog Subtenant Admin | | A subtenant administrator is a user who belongs to a customer organization and manages a limited number of administrative functions. Subtenant administrators can view the services assigned to their organization, create virtual marketplaces and entitle services to the users in their organization, use reports to view the cost of services provided and the credit balance, review the statuses of service requests, and assign administrator roles to users or remove the role assignment. |
Embedded supplier | Catalog Embedded Supplier | Catalog Embedded Supplier | | Embedded suppliers are similar to internal supplier administrators, and they help to populate the BMC Helix Business Workflows subcatalog by: Note: Usually, only a case catalog administrator in BMC Helix Business Workflows is given this role. To learn more, see Case catalog administrator functional role. |
Allow Mid Tier access to an administrator | Not applicable | Any administrative role | Fixed | System administrators or service catalog administrators need an administrative role that allows them to log in to Mid Tier to create and manage users. |
No specified role | Not applicable | — | Read | No specified role is not a defined role. It simply means that a user is not assigned a user role. User accounts that are not given administrative capabilities can be entitled to view and request services. |
¹ Except for the agent role, all catalog roles require a Fixed license or a Bundled license that contains a Fixed license. For the 2015 Pricing Model, Bundled licenses are the ones that do not contain the word “concurrent” in their names (Concurrent refers to the Floating license type). Standard users for service requests only need a Read license.
² Administrators (for internal suppliers) and Internal suppliers are subcatalog roles.
System notification user
BMC Helix Digital Workplace requires a service level user that runs background tasks such as pushing notifications to end users when catalog requests are being processed. You must create the user account that will perform these actions, and provide the credentials for this user when you enable the enhanced catalog, as explained in Enabling-and-configuring-the-enhanced-catalog-for-BMC-Helix-Digital-Workplace. The notifications are sent to the BMC Helix Digital Workplace application. To send notifications by email, you must also complete the configuration described in Configuring-email-notifications.