Creating and modifying users

A user is any person to whom you provide permission to access BMC Helix Innovation Suite. Users can be members of multiple groups or no group at all. Users in BMC Helix Innovation Suite range from an administrator who maintains the entire system, to employees who submit requests or view data.

BMC Helix Innovation Suite includes one out-of-the-box, predefined user named Demo, with administrator access and permissions. You can use the User form via Mid Tier to rename this user and create additional users.

Users are assigned to groups according to their need to access information.

Use the information in the following sections to create, modify, or delete users and to enable users to change their information. You can apply the three Fixed licenses included with BMC Helix Innovation Suite to new users.

BMC Helix Innovation Suite

User form access

BMC Helix Innovation Suite provides the following access to User form:

• The Public group has Hidden permission to the User form.
• The Dynamic Group Access field on the User form provides users read permission to the following fields: Login Name, Password, and Request ID. These permissions are automatically given to all new users that the administrator creates.

If you customized the User form, these changes might affect your customizations.

These changes enable you to enforce a password policy. For more information, see Enforcing-a-password-policy-for-BMC-Helix-Innovation-Suite.

To create users

1. Log in to Mid Tier.
   If you are the first administrator to log in, you must log in as an administrator and leave the Password field empty. 
   AR System user names are case-sensitive.
   During initial installation, the Demo user is installed as Administrator without a required password. To keep AR System secure, add a password for this user as soon as possible.
2. From the AR System Administration Console, select System > Application > Users/Groups/Roles > Users.
   The User form opens in Search mode.
   
3. Select Actions > New to switch to New mode.

4. Enter the information in the appropriate fields:

   Field	Description
   User Information
   Login Name	Identify the name that the user enters into the User Name field when logging in to BMC Helix Innovation Suite. The name can be the same or different than the user name by which this user is known to the underlying operating system. The dynamic group with an ID of 60988 has read access to this field, enabling the user to view this field if a password policy is established. For more information, see Enforcing-a-password-policy-for-BMC-Helix-Innovation-Suite. You cannot use the word System as a user.
   Full Name	Full name of the user. By default, this name appears in the Results pane of the User form when users perform a search operation.
   Password	Identify the password that the user enters when logging in to BMC Helix Innovation Suite. This field's length is 30 bytes, so you can enable users to enter as many as 30 bytes. Users cannot enter a 28-character password, or an error will occur during authentication. The Password field is encrypted into the database by using a one-way hash (SHA-1) so that unauthorized users cannot retrieve passwords in clear text, for example, to log in to applications. To enhance system security, select a password that is different from one used for another purpose. If passwords that are not secure are needed for applications, store the password in a character field rather than the Password field (field 102). If the Password field is left blank, the AR System server does not validate the password with the user's Windows or UNIX password, unless you configure the server to cross-reference a blank password. For more information, see Cross-referencing-blank-passwords. The dynamic group with an ID of 60988 has read access to this field, enabling the user to view this field if a password policy is established. For more information, see Enforcing-a-password-policy-for-BMC-Helix-Innovation-Suite. Important: While creating a user via the Java driver or Create Entry from API program, if you add leading and trailing spaces to a password string in the Password field, the leading and trailing spaces are retained after you save the user details. For example, if you set the password as " password ", the password gets saved as " password ". However, while creating a user via Mid Tier, if you add leading and trailing spaces to a password string in the Password field, the leading and trailing spaces are omitted after you save the user details. For example, if you set the password as " password ", the password gets saved as "password". Therefore, the users created via Create Entry from API program with leading and trailing spaces in their passwords face issues when they log in via Mid Tier. Because Mid Tier sends the passwords to the server for validation after removing the spaces, they do not match the ones that are stored with spaces.
   Group List	The access control groups to which the user belongs. If you leave this field empty, the user has only basic Submitter, Assignee, Assignee Group, or Public permissions. You must specify the groups by name or ID, as defined in the Group form. User permissions are determined in the Group List field of the User form. If you later change the Group ID for a group, the users originally assigned to the group are still attached to the old ID. If no group has the old ID, these users lose access to any AR System object for which they do not have permission through another group. If you choose to enter information in this, the field capacity is limited to 4000 bytes, including expanded strings. For more information, see User-and-group-access. If you create multiple groups with the same ID, the User form displays the first available group name for the selected group id. Important: To provide administrator permissions to a user, add the Administrator group to the Group List field. Only an administrator can access the Group List field. The following error is displayed if a non-admin user tries to access the Group List field: You have no access to form :Group (ARERR 353)
   Computed Group List	The names of the computed groups to which the user is a member. The members of a computed group are determined by the server based on the groups that the user belongs to. This is a display-only field, and the field ID is 121. To search in this field in a query-by-example, enter the ID number of a computed group. To enter more than one computed group ID, include semicolons after each ID. You must enter the computed group IDs in the same order in which the names appear in the Computed Group List field when the user's record is displayed. In the following examples: The ID for Computed Group 1 is 5678. The ID for Computed Group 2 is 6789.  You can also use the Advanced Search bar with the LIKE operator. Include the semicolon with the complete ID.  To search for users who are members of Computed Group 1, enter:  'Computed Group List' LIKE "%5678;%"  You can also enter a partial ID for the computed group.  To search for users who are members of both Computed Group 1 and Computed Group 2, enter:  'Computed Group List' LIKE "%56%" AND 'Computed Group List' LIKE "%89%"
   License Type	Types of license that the user is assigned: Read Fixed Floating Restricted Read Bundled The default is Read. For descriptions of these license types, see License-types-for-user-access-to-AR-System-objects-and-features. Important: Users with a Read license cannot modify their own records. Users with administrator permissions and AR Fixed license can access BMC Helix Innovation Studio and Developer Studio. To add administrator permissions, add the Administrator group to the Group List field. Users with business analyst permissions and AR Fixed license can access BMC Helix Innovation Studio and Developer Studio applications that they can access and tailor. To add business analyst permissions, add the Business Analyst group to the Group List field. Users with AR Fixed, AR Floating, Application Fixed, Application Floating, or Read license can use the BMC or Partner applications deployed on BMC Helix Innovation Studio.
   Application License	The applications that you want the users to access. For example, BMC Helix Business Workflows User Fixed, where BMC Helix Business Workflows is the name of the application and User Fixed is the type of license. AR System automatically populates this field according to information entered in the application's People form. For more information about adding login IDs and access rights, see Updating people information. You can select from the following license types: 2007 Pricing Model 2015 Pricing Model BMC Remedy Applications Helix Service Management Suite Important: You can only view this license type if you have opted in for Helix Service Management Suite licenisng model. To opt-in for this model, contact BMC SaaS Operations. To opt for this model, contact BMC SaaS Operations. For more information, see Licensing overview.  ITSP Important: The following list describes the licenses you can assign to users to access BMC Helix Innovation Suite and its applications:  Fixed licenses with administrator permissions—The user can access and use BMC Helix Innovation Studio and create and modify codeless applications in BMC Helix Innovation Studio.  Floating licenses without administrator permissions—The user can access and use BMC Helix Innovation Studio and can access, create, modify, and delete the BMC Helix Innovation Studio application data.  Read licenses without administrator permissions—The user can access and use BMC Helix Innovation Studio and can access, create, modify, and delete their BMC Helix Innovation Studio application data.    Restricted read licenses without administrator permissions—The user can access and use BMC Helix Innovation Studio and can access, create BMC Helix Innovation Studio application data. The users cannot modify or delete any BMC Helix Innovation Studio application data. Floating, read, or restricted read licenses—The user can use the deployed BMC or Partner applications.  Fixed licenses with business analyst permissions—The user can access and tailor the BMC Helix Innovation Studio applications.  Fixed, Floating, or Read licenses—The user can access custom applications. Custom applications do not require any application license.
   Default Notify Mechanism	Method by which the user is notified for the Notify filter and escalation actions when User Default is specified. The default setting on the User form is Alert.
   Email Address	Email address used to notify the user if email is the method for notification. Important: You must associate only one Email Address with one user record to ensure that: The email-based approvals work correctly. The outgoing emails are sent without any issues.
   Status	Defines the status of the user account. This field is for information only. This field is set by a workflow if you set a password policy. For more information, see Enforcing-a-password-policy-for-BMC-Helix-Innovation-Suite. The options are: Current—The account is in use. Disabled—The account is no longer in use.
   Allowed Client Types	Allows the user to make API calls by using only the client types mentioned in the Allowed Client Types field. To enter more than one client type ID, include semicolons after each ID. In the following example, the user can make an API call only to Mid Tier, Developer Studio and BMC ProactiveNet Performance Management. If the user makes an API call to the Client Type not assigned in the Allowed Client Types field, the API call fails with the following error: ARRER 8937: You do not have permission to the client operation. If the Allowed Client Type field is left blank, the user can make API calls by using any client type. For more information about the list of Client types, see Client-Type-IDs-for-API-programs.
   Password Management
   Disable Password Management For This User	Disables password management for the user. If this check box is selected while updating the User Password Management Configuration form, the user is not affected. For more information about password management, see Enforcing-a-password-policy-for-BMC-Helix-Innovation-Suite.
   Dynamic Group Access	The dynamic group to which the user belongs.
   Last Password Change for Policy	The last time the password was changed. BMC Helix Innovation Suite automatically updates this field when a user's password is changed.
   Account Disabled Date	The date the account was disabled, if applicable.
   Force Password Change on Login	The number of days before which the user receives a warning message to change the password. The next time the user logs in, the user is prompted to change the password. After the password is changed, the check box in the User form is automatically cleared through the workflow.
   Number of Days Before Expiration	The number of days before a user's password expires if it is not changed.
   Number of Warning Days	Indicates when a user receives a warning message before the password is set to expire unless changed.
   Days After Expiration Until Disablement	The number of days after which a user's account is disabled if the password is not changed.
   System Information
   Datatag	Tags the data record, if needed. For example, it can store the name of the application which uses this group. This field is optional.
   Business Analyst	Assign the business analyst role while creating users or while updating an existing user. Business analysts modify application definitions within applications and libraries for which they have access.
   Bundle List	Select the bundles or applications that the business analyst can access and tailor.

5. Save your changes.

Adding and modifying user information

In BMC Helix Innovation Suite, you can have registered users and guest users. Each type of user has different privileges within the system, as discussed in the following sections. 

You enter data in the User form to define the components that work together to determine each user's access to BMC Helix Innovation Suite: login name, password, group membership, and license type. You also define notification information for each user in this form. For more information, see Restrictions for users and groups. The following image shows the fields in the User Information section of the User form:

To grant permission to a user for BMC Helix Innovation Suite objects, add the user to the groups to which you want to give them access. To add a user to a group, select the appropriate group from the Group List menu on the User form. Use spaces to separate multiple group names in the Group List field. You can select from the reserved BMC Helix Innovation Suite groups.

If the group information is returned through external authentication, you cannot be a part of any administrator group. You can be a part of the administrator group only from the User form. For information, see Setting-external-authentication-options and Specifying-internal-and-external-authentication.

You can get group information from external authentication only if the Group List is NULL.

For more information, see User-and-group-access.

Restrictions for creating users and groups

You cannot create other users with more administrative rights than yourself, and you cannot modify your own rights.

These restrictions help you to prevent the following conditions:

• Creation of an administrative user by a non-administrative user.
• Creation of an administrative user with access to more overlay groups than the administrative user who created them.

The following restrictions are applied before and after you create or modify any user in the User and Group form.

• Only an administrator can create, modify, or delete users belonging to another Administrator, Sub-Administrator, Struct Admin, or Struct Sub-Admin groups. 
  A user must have Group ID 1 (AR Administrator) in the group list to create/modify/delete another user with any of the four administrative class groups in their group list.

• No Admin user can create or modify a user (themselves included) with lesser administrative restrictions than the user making the modification. 
  For example, an administrator user with Overlay Group 1 cannot create or modify users with no overlay groups. Consider a situation where you have created an ABCGroup with an Overlay Group set to 1. User ABCAdmin is part of Administrator group and ABCGroup. However, ABCAdmin is restricted only to the ABCGroup. ABCAdmin can change (create/modify/delete) any user belonging only to the ABCGroup. For more information about creating a group as an overlay group, see Creating-and-managing-access-control-groups.
  Additionally, a user cannot create another admin user with permission to modify base objects if they themselves do not have the necessary permissions. 

  Best practice
  We recommend that you restrict your users to make modifications only to custom objects and overlays.

• Only an unrestricted administrator can create, modify, or delete groups that restrict a user’s administrative capabilities.
• Only an administrator with no overlay specific groups can create, modify, or remove overlay specific groups.

Restrictions for editing the service account details

Only the BMC SaaS operations team can edit the service account details on the User form.  The AR System administrator cannot edit service accounts by using the User form. 

The following warning is displayed when you attempt to edit service account details:

To modify user information

1. From the AR System Administration Console, select System > Application > Users / Groups / Roles > Users.
   The User form opens in Search mode.
   
2. Click Search to retrieve a list of defined users.
3. Select the appropriate user from the list.
4. Modify information in the appropriate fields. 

5. Save your changes.

   Warning

   If you modify the Administrator's Fixed license or Administrator group membership before you create another Administrator user, you lose administrator privileges.

To delete users

1. From the AR System Administration Console, select System > Application > Users / Groups / Roles > Users.
   The User form opens in Search mode.
2. Click Search to retrieve a list of defined users.
3. Select the appropriate user from the list.
4. Select Actions > Delete.
   A confirmation box appears to verify that you want to delete the selected users.
   

5. Click OK.

   Warning

   If you delete the Administrator before you create another Administrator user, you lose administrator privileges.

To enable users to change user record information

1. Open the User form in Developer Studio.
   
2. Make the User form's Assigned To field visible by performing the following steps:
    
   By default, the field is hidden.
   1. Double-click the Assigned To field to open the field Properties dialog box.
      
   2. On the Display tab, clear the Hidden check box.
3. Grant the Assignee group Change permission for the Password, Default Notify Mechanisms, or Email Address fields.
4. Grant public Visible permissions.
   See Field-permissions.
5. Click Save and close Developer Studio.
6. In a browser, open the AR System Administration Console, and select System > Application > Users / Groups / Roles > Users.
   The User form opens in Search mode. The Assigned To field is visible in the User form.
7. Retrieve a list of defined users.
8. Select the appropriate user from the list.
9. Copy the Login name to the Assigned To field to make the user the Assignee.
   By using the Assignee group, you can enable the user to modify the user's password, default notification mechanism, or email address.
   You can also make the user the Submitter by entering the same name in the Login name field and in the Creator field.
10. Click Save.