Roles and permissions

User roles and permissions let you control how people access and interact with the BMC Helix ITSM. This section describes all the supported user roles and permissions.

Application administrator

In BMC Helix ITSM, application administrator is an individual responsible for the management of the BMC Helix ITSM applications. However, application administrator is not a user role. Instead, a sample administrator user is provided with the capabilities that include customizing forms, setting access rights for users, and creating configurations.

User permissions

You assign user permissions from the People form. There are different aspects to the user permissions, which together make up the permission model:

Permission groups, which control access to basic application, module, and subcomponent functions.
Support groups, which control access to data.
Functional roles, which provide extended access to application, module, and subcomponent functions.

AR System permission groups

The AR System Administrator permission is used in BMC Helix ITSM applications. This permission grants administrator access to BMC Helix ITSM applications through Developer Studio. Administrator responsibilities include installing and maintaining BMC Helix ITSM applications and making changes within BMC Helix ITSM.

This permission is generally reserved for developers who need access to AR System and system administrators who need access to BMC Helix ITSM system forms. This permission does not grant user access to forms. Additional application and module permissions are required for form access. For information about license types and applicable permissions, see:

Activating application licenses

License types for users to access AR System server

How licenses relate to permissions

In BMC Helix ITSM, the permission groups control what areas of the application a user can access. Each permission group can access only certain areas of the application. A user can belong to more than one permission group. Typically, you assign permissions groups to the users in your IT organization based on their roles and responsibilities. The combinations suggested in the following topics are defined by ITIL as typical and are used by the BMC Service Management Process Model.

Key permission groups

When you assign permissions to someone, it is important to use only the minimum number of permissions that allow that person to perform their job.

Best practice
We recommend you use only one permission group for any given role.

Key user permission groups for each application

The following table illustrates the most commonly used permission groups needed by users to perform their duties. For a detailed description of all of the permission groups that are available for a particular application, click the link in the Application column.

Application permissions	Key permission groups
Asset-Management-user-roles-and-permissions	Asset Admin or Asset User Contract Admin or Viewer Purchasing User Receiving User
Change-Management-user-roles-and-permissions	Infrastructure Change Master, User or Viewer
Release-Management-user-roles-and-permissions	Release Master, User or Viewer
Incident-management-user-roles-and-permissions	Incident Master, User, or Viewer
Problem-management-user-roles-and-permissions	Problem Master, User or Viewer
Service-Request-Management-user-roles-and-permissions	Business Manager Service Request User Work Order Master
Knowledge-Management-user-roles-and-permissions	Knowledge Admin, User or Viewer
Task-Management-permissions	Task User (This is only required in certain permission combinations.

Subcomponent permission groups

Subcomponents contain features or functionality that are shared among some, or all of the applications. For example, the Task Management subcomponent provides task management functions for BMC Helix ITSM: Change Management and for BMC Helix ITSM: Service Desk:

Subcomponent	Permissions
Financial-permissions	Cost Manager Cost User Cost Viewer
Return-on-Investment-permissions	ROI Admin ROI Viewer
Work-info-permissions	<Application> Master <Application>User <Application> Submitter <Application> Viewer

BMC Helix ITSM user and group synchronization to BMC Helix Portal

For the users to use their existing credentials to authenticate into BMC Helix Portal, the BMC SaaS Operations team needs to perform some configurations to sync the BMC Helix ITSM users into BMC Helix Portal. For more information, see User identities in BMC Helix Portal and contact BMC Support.

Administration and process owner permissions

The remaining permissions control access to the application configuration functions and are typically assigned either to an Application Administrator or to an Application Process Owner. These permissions are described in the following table:

Application permissions	Application Administrator/Process Owner permissions
Asset-Management-user-roles-and-permissions	Asset Config Contract Config
Change-Management-user-roles-and-permissions	Change Config
Release-Management-user-roles-and-permissions	Release Config
Incident-management-user-roles-and-permissions	Incident Config
Problem-management-user-roles-and-permissions	Problem Config
Service-Request-Management-user-roles-and-permissions	Business Analyst Entitlement Administrator Request Catalog Manager SRM Administrator Work Order Config
Requester console	Requester Console Config Requester Console Master Summary Definition Config
Knowledge-Management-user-roles-and-permissions	Knowledge Config
Financial	Cost Manager
Foundation module permission groups	Approval Admin ASE-Administrator Command Event Master Config Categorization Admin Config Categorization User Config Group Mapping Admin Contact Location Admin Contact Organization Admin Contact Support Admin Contact People Admin Contact People HR Admin Contact People User DSL Master Licensing Notification Admin Security
Return on Investment	ROI Admin
Task Management	Task Administrator Task Application Config Task Process Config
Setting-up-BMC-Helix-Cognitive-Automation	Cognitive Service Config