This version of the software is currently available only to customers in the Controlled Availability (CA) program.

Security planning

BMC Helix Data Manager provides a high level of security safeguards and measures across its components.

Related topics

Roles and permissions

Registering-source-and-target-systems

BMC Helix Data Manager Workbench security

A Tomcat JDBCRealm controls access to the BMC Helix Data Manager Workbench application. User accounts are stored in the BMC Helix Data Manager Repository. To ensure passwords are secure, all passwords are SHA-512 hashed.

AR System connection details

Access to AR System connection details is available only to those with the BMC Helix Data Manager_system_registrar privileges. In addition to this, the passwords for those systems are stored using a public/private key structure where the BMC Helix Data Manager Workbench knows the public key, but only the BMC Helix Data Manager Engine knows the private key. In this way, should the BMC Helix Data Manager Workbench or the Repository database be compromised, access to the AR System credentials will not be available.

Access to your cloud systems during migration

All mid tiers, AR System servers, and databases are within the exclusive control of BMC SaaS Operations, and the project team and customer cannot directly access them at any time.

For the duration of the onboarding project, the project team will have full administrative control over the development database to perform the following tasks:

  • Install BMC Helix Data Manager
  • Import data by using BMC Helix Data Manager
  • Manage the file system
  • Perform database backups and restores

Additionally, the project team can also stop and start the development AR System server through an i.onbmc request. For more information about i.onbmc, see BMC Helix support overview.

BMC Helix Data Manager can only connect to the development database on the onboarding VM. You cannot use BMC Helix Data Manager to migrate data directly to the production or QA systems. To populate these systems with data, ask BMC SaaS Operations to copy the development database to the other environments. This process involves an update of server references and a database backup and restore. 

Database privileges

BMC Helix Data Manager performs all interactions with the BMC Helix ITSM systems at the database level, except for building BMC Helix ITSM workflow, such as SLA Targets. This optional function requires an ARS API connection.

If you are using BMC Helix Data Manager in Analysis Only mode, you can use any database account that has read access to the underlying database, for example, the default ARAdmin account.

To perform migration or deletion actions using BMC Helix Data Manager, you must create a dedicated database account. The dedicated account must have functions and procedures that support the safe manipulation of BMC Helix ITSM data. The following sections summarize the database privileges required for BMC Helix ITSM systems with Oracle, MS SQL, and Postgres databases.

To create a user to access the database from BMC Helix Data Manager, see Registering-source-and-target-systems.

Oracle

The integration scripts that are run when registering the source and target systems create a dedicated BMC Helix Data Manager user with the following privileges:

  • connect, resource;
  • create synonym;
  • create any view;
  • select any table;
  • update any table;
  • delete any table;
  • insert any table;
  • create any directory;
  • drop any directory;
  • select any dictionary to cmt;

A few database functions are also created to support data manipulation.

Microsoft SQL

A BMC Helix Data Manager database authenticated login is created (by BMC Helix Data Manager or by manual integration scripts included with the installation). For each database that BMC Helix Data Manager will have access to, you must create a BMC Helix Data Manager user with the following database-specific roles:

  • datareader
  • datawriter
  • ddladmin
  • bulkadmin

A few database functions are also created to support data manipulation.

Postgres

A dedicated Postgres user is created (by BMC Helix Data Manager or by manual integration scripts included with the installation). This user does not require superuser privileges. However, on each AR System database for BMC Helix Data Manager, GRANT ALL privileges are required.

A few database functions are also created to support data manipulation.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*