User and Role Authorizations

You can create new users and roles, which enable you to limit what a user is authorized to view or change. Users are granted permissions based on their associated role.

If Role_A is authorized to view and change Folder_A and Calendar_A, then all associated users that are assigned Role_A have the same type of access to those entities.

There are three predefined roles in Control-M, as follows:

  • Administrator: Enables full access to all functionality.

  • Team Leader: Enables partial access with the ability to manage permissions for each member of the team.

  • Viewer: Enables view access only.

To configure authentication for all Control-M users, BMC recommends that you perform these procedures, in the following order:

  1. Adding a Role
  2. Creating an Internal User
  3. Creating an Administrator User
  4. Defining System Settings

You can create internal users in Control-M. However, BMC recommends that you configure a connection to an Identity Provider (IdP) or LDAP. This enables you to authenticate multiple external users with one configuration, instead of creating individual internal users in Control-M. To connect Control-M to an IdP, see Defining System Settings. After an IdP is enabled, all users are authenticated via SAML 2.0. To connect Control-M to LDAP, see Configuring Authentication with LDAP.

If you are using LDAP, the login procedure must authenticate the user against external LDAP directories. Users who are not defined as internal users must belong to groups in the LDAP directory. These LDAP groups must be associated with a role.

Adding a Role

This procedure describes how to create a role, which limits the associated users to specific authorizations and access levels.

Begin

  1. From the icon, select Configuration.

    The Configuration domain appears.

  2. From the drop-down list, select Roles.

    The Roles pane appears.

  3. Click Add Role.

    The Add Role pane appears.

  4. In the General tab, do the following:
    1. In the Role Name field, type a logical name for the role.

    2. In the Description field, type a description for the role.

    3. Do one of the following:

      • To associate users in a specific organizational group in IdP or LDAP, from the Associated with Organizational Groups drop-down list, select or search for the organizational groups in your IdP or LDAP that you want to associate with this role.

        If the list is empty, you must manually add the names of the IdP or LDAP groups: type the name of the group and click Add. The IdP or LDAP group names are case sensitive and must appear exactly as they are in the IdP or LDAP.

      • To explicitly associate a specific IdP or LDAP user, regardless of the organizational group, from the Associated with Organizational Users drop-down list, select or search for the organizational user in your IdP or LDAP that you want to associate with this role.

        If the list is empty, you must manually add the IdP or LDAP user: type the name of the user and click Add. The IdP and LDAP user names are case sensitive and must appear exactly as they are in the IdP or LDAP.

    4. From the Interface Access drop-down list, select one or more of the following applications to grant this role access to:

      • Automation API.

      • Control-M client (Desktop), Utilities, and EM API.

      • Control-M Configuration Manager.

      • Control-M Web.

  5. In the Access Control tab, select one or more of the checkboxes to give specific authorizations for this role, as described in Role Authorizations.

  6. Click Save.

Creating an Internal User

This procedure describes how to add an internal user in Control-M. User authorizations are determined by the roles that are associated with the user.

Begin

  1. From the icon, select Configuration.

    The Configuration domain appears.

  2. From the drop-down list, select Users.

    The Users pane appears.

  3. Click Add User.

    The Add User pane appears.

  4. In the User Name field, type the username that you want to add to Control-M.

  5. (Optional) In the Full Name and Description fields, type the full name of the user and a description.

  6. From the Assigned Roles drop-down list, select one or more existing roles to assign to this user.

    Roles determine what the user has access to throughout Control-M. To create a role, see Adding a Role.

  7. Do one of the following:

    • To authenticate the user via LDAP, select the Enable External Authentication Only checkbox and, in the LDAP User and Domain field, type the user and the domain that hosts the LDAP servers that authenticate the Control-M/EM users, in the following format:
      CN[OU]@DC

      where CN=user, OU=org_unit, and DC=domain.

      The associated LDAP group appears in the General tab of the user. You can use this information to copy the LDAP group to another user with the same attributes.

    • To authenticate the user via a password, do the following:

      1. In the Password field, define a user password.

      2. In the Password Expiration field, select one of the following options:

        • Never Expires

        • Custom: Determines the number of days before the password expires.

      3. To prevent this user from logging in to Control-M, select the Lock Account checkbox.

        An account is also locked automatically when the number of failed login attempts defined by the NumberOfFailedLogins system parameter is exceeded. To change this number, edit the parameter as described in Control-M/EM General Parameters.

      4. To force the user to change the password at the next login, do the following:

        • Set the PasswordExpirationOnOff system parameter to 1 and the WarningPasswordExpirationDays system parameter to 10 in the CCM, as described in Control-M/EM General Parameters, and then recycle the GUI Server.

        • Select the User Must Change Password at Next Login checkbox.

  8. Click Add.

    The new user appears in the Users pane.

Creating an Administrator User

This procedure describes how to create a Control-M/EM Administrator user when the external authentication server is not available. If LDAP or Active Directory cannot be reached and no emergency user is defined, this new Administrator can log in with the authorizations and privileges of the default Administrator user.

Begin

  1. Log in to the Control-M/EM server account and run the following script:
    create_admin_account

  2. At the Control-M/EM DBO Name prompt, type the Control-M/EM database owner (DBO) name (1–30 characters).

  3. At the Control-M/EM DBO Password prompt, type the Control-M/EM DBO password.

    If verification of the Control-M/EM DBO password fails, an error message appears and the script is aborted.

  4. At the new admin username prompt, type the name of the new user.

  5. At the new admin password prompt, type the new user password.

  6. At the new admin password verification prompt, retype the new user password.

    The new Administrator user is created.

Role Authorizations

The following table describes authorizations that you can apply to a role in the Access Control tab. All users associated with this role inherit the defined authorizations.

Authorization

Description

Planning

Determines whether access is granted to specific folders and jobs, Run as Users (the OS account under which a job executes on its host), connection profiles (the connection parameters to a specific plug-in, including hostname, port, username, and password), Service Definitions, or Promote Action.

Folders and Jobs

Defines access levels for specific folders and jobs, as follows:

  • Control-M/Server: Defines the name of the Control-M/Server that processes the job.

  • Library (z/OS): Defines the name of the library that contains the folder for the job.

  • Folder Name: Defines the name of the folder that associated users can access.

    You can define the folder name with a regular expression.

  • Access Level

    • Browse: Enables associated users to view folders.

    • Update: Enables associated users to add and edit folders.

    • Full: Enables associated users to add, edit, and delete folders.

  • Run: Determines whether associated users can run specific folders, that is, add the folder's jobs to the Run Queue of the day so that they execute once their prerequisites are met. This option is independent of the access levels: you can enable associated users to run folders at any access level.

    This option also determines whether associated users can use the Run option in the Monitoring domain.

Job Permissions: Determines whether to enable authorizations on jobs in a specific folder, based on the Application and Sub-application criteria and according to the defined access level.

This authorization also determines whether associated users are granted access to the Folder Management tool.

Run As

Defines access to specific Run as Users or connection profiles in job definitions.

  • Control-M/Server: Defines the name of the Control-M/Server that associated users can use to process jobs.

  • Run as Name or Pattern: Defines the specific or pattern-matching Run as User or connection profile names that associated users can use to execute jobs. For more information, see Pattern-Matching Strings.

    For Control-M MFT jobs that use two single-endpoint connection profiles, the pattern must permit transfers in both directions (source+destination and destination+source); otherwise the transfer back from the second endpoint is denied. For example:

    • Run as User: Operations_*

    • MFT Connection Profile via Two Single Endpoints: CP_Accounts*+CP_Engineering*,CP_Engineering*+CP_Accounts*

      For more information, see Defining a File Transfer Job.

  • Agent or Host Group: Defines the name of the Agent computer (the Control-M component installed on a host that runs and monitors jobs on that host) or host group where the job is submitted.
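The following Python script is an added example; it is not part of the Control-M documentation or product. It checks Run as User and MFT connection-profile names against pattern lists like the ones above and flags a one-directional MFT pattern, the failure mode described for two single-endpoint transfers. It assumes, because the page does not state it, that * and ? behave as in the Control-M pattern-matching strings (case-sensitive, whole-string match), that a comma separates alternative patterns, and that a two-endpoint MFT job is checked against the combined name <source>+<destination>, which is what the CP_Accounts*+CP_Engineering*,CP_Engineering*+CP_Accounts* example implies.

```python
"""Run as / connection-profile authorization check (added example, not Control-M code).

Assumptions, none of which is stated verbatim on the page:
  * '*' matches any run of characters and '?' one character, as in the
    Control-M pattern-matching strings the page refers to; matching is
    case-sensitive and covers the whole name.
  * A comma separates alternative patterns (OR).
  * An MFT job with two single-endpoint connection profiles is checked
    against the combined name "<source>+<destination>".
"""
from fnmatch import fnmatchcase

# Pattern lists taken from the page; ONE_WAY is the mistake this example catches.
TWO_WAY = "CP_Accounts*+CP_Engineering*,CP_Engineering*+CP_Accounts*"
ONE_WAY = "CP_Accounts*+CP_Engineering*"


def split_patterns(pattern_list: str) -> list[str]:
    """Split a comma-separated Run as Name or Pattern value into patterns."""
    return [p.strip() for p in pattern_list.split(",") if p.strip()]


def name_allowed(name: str, pattern_list: str) -> bool:
    """True if the Run as User / connection-profile name matches any pattern.

    fnmatchcase is case-sensitive and anchors the whole string, so
    'Operations_*' accepts 'Operations_batch' but not 'operations_batch'
    or 'Ops_Operations_1'. (It also treats '[...]' as a character class,
    which the names on this page never contain.)
    """
    return any(fnmatchcase(name, p) for p in split_patterns(pattern_list))


def mft_transfer_allowed(src_profile: str, dst_profile: str, pattern_list: str) -> bool:
    """Authorization for a two-endpoint MFT transfer, assumed to be checked as src+dst."""
    return name_allowed(f"{src_profile}+{dst_profile}", pattern_list)


def missing_reverse_directions(pattern_list: str) -> list[str]:
    """Return the 'B+A' patterns that are absent for every 'A+B' pattern present.

    A non-empty result means transfers back from B to A would be denied,
    which is the edge case the page warns about.
    """
    pairs = {tuple(p.split("+", 1)) for p in split_patterns(pattern_list) if p.count("+") == 1}
    return [f"{b}+{a}" for a, b in sorted(pairs) if (b, a) not in pairs]


if __name__ == "__main__":
    print(name_allowed("Operations_batch", "Operations_*"))                       # True
    print(mft_transfer_allowed("CP_Engineering_01", "CP_Accounts_prod", ONE_WAY))  # False
    print(missing_reverse_directions(ONE_WAY))  # ['CP_Engineering*+CP_Accounts*']
```

Run missing_reverse_directions over a role's Run as Name or Pattern value before saving it; an empty list means every two-endpoint pattern has its reverse, so MFT jobs can transfer in both directions.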

Service Definitions

Defines access to the Service Definitions Manager, as follows:

  • Service Name or Pattern: Defines the specific or pattern-matching service name that associated users can access. For more information, see Pattern-Matching Strings.
  • Access Level
    • Browse: Enables associated users to view service definitions.

    • Update: Enables associated users to add and edit service definitions.

    • Full: Enables associated users to add, edit, and delete service definitions.

Promote Action

Determines one of the following promotion access levels:

  • None: Prevents associated users from promoting.

  • Update: Enables associated users to create a promotion request, but not to promote or check in the promotion.

  • Full: Enables associated users to create a promotion request, promote, and check in.

Monitoring

Determines whether to allow access to specific jobs and services (sets of workflows that serve a business purpose and can be monitored as a single unit), Periodical Statistics, Forecast and SLA Management (BIM), archived Viewpoints, and Viewpoint Management.

Job Permissions

Determines the accessibility of the following actions and views:

  • Actions: Associated users can perform the job actions that are selected.

  • View: Associated users can view the following job information when it is selected:

    • Documentation

    • JCL/Script

    • Job Settings

    • Log

    • Output

    • Statistics

    • Why

You can apply one or more Including Filters and Excluding Filters to grant or remove role access to jobs based on the job attributes, operators, and values that you define. Each filter has the form:

If <Job Attribute> <Operator> <Value>

Example: Including Filters with an OR condition

  • If Run As Contains Billing

    OR

  • If Host/Host Groups Exactly Accounts-Agent

This including filter grants the role access to jobs when they run on Accounts-Agent or when their Run As name contains the string Billing.
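The following Python script is an added example, not part of the Control-M documentation or product. It evaluates including and excluding filters of the form shown above against a constructed set of jobs. The page states only that including filters are combined with OR; the rest is assumed for the example and labelled in the code: excluding filters are also OR-ed and take precedence, a role with no including filters sees every job, and only the two operators that appear on the page (Contains and Exactly) are implemented, both case-sensitive.

```python
"""Job Permissions including/excluding filter evaluation (added example, not Control-M code).

The page states that including filters are combined with OR. Everything
else here is an assumption made for the example:
  * excluding filters are also OR-ed and take precedence, so a job that
    matches any excluding filter is hidden even if an including filter
    matches it;
  * a role with no including filters sees every job, subject to exclusions;
  * only the two operators on the page, Contains and Exactly, are
    implemented, and both compare case-sensitively.
"""
from dataclasses import dataclass
from typing import Callable

OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "Exactly": lambda actual, value: actual == value,
    "Contains": lambda actual, value: value in actual,
}


@dataclass(frozen=True)
class Filter:
    """One 'If <Job Attribute> <Operator> <Value>' row."""
    attribute: str   # job attribute name, e.g. "Run As" or "Host/Host Groups"
    operator: str    # key in OPERATORS
    value: str

    def matches(self, job: dict[str, str]) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unsupported operator: {self.operator!r}")
        # A job that lacks the attribute is compared against the empty string,
        # so it never satisfies Exactly/Contains for a non-empty value.
        return OPERATORS[self.operator](job.get(self.attribute, ""), self.value)


def job_visible(job: dict[str, str], including: list[Filter], excluding: list[Filter]) -> bool:
    """Visible if (no including filters, or any matches) and no excluding filter matches."""
    included = not including or any(f.matches(job) for f in including)
    excluded = any(f.matches(job) for f in excluding)
    return included and not excluded


def visible_job_names(jobs, including, excluding) -> list[str]:
    return [job["Name"] for job in jobs if job_visible(job, including, excluding)]


# The including filter from the page.
INCLUDING = [
    Filter("Run As", "Contains", "Billing"),
    Filter("Host/Host Groups", "Exactly", "Accounts-Agent"),
]
# A hypothetical excluding filter, to show that exclusion wins.
EXCLUDING = [Filter("Name", "Contains", "close")]

# Constructed sample jobs (not from any real environment).
SAMPLE_JOBS = [
    {"Name": "bill_run_daily", "Run As": "Billing_svc", "Host/Host Groups": "HR-Agent"},
    {"Name": "acct_close", "Run As": "Finance_svc", "Host/Host Groups": "Accounts-Agent"},
    {"Name": "hr_payroll", "Run As": "Payroll_svc", "Host/Host Groups": "HR-Agent"},
    {"Name": "billing_lowercase", "Run As": "billing_svc", "Host/Host Groups": "Accounts-Agent-2"},
]

if __name__ == "__main__":
    print(visible_job_names(SAMPLE_JOBS, INCLUDING, []))         # ['bill_run_daily', 'acct_close']
    print(visible_job_names(SAMPLE_JOBS, INCLUDING, EXCLUDING))  # ['bill_run_daily']
```

The last sample job is the one to watch: its Run As name differs from Billing only in case and its host is a prefix match, not an exact one, so under these semantics the role does not see it. When reviewing a role, check whether the real operator behaviour matches these assumptions before relying on a filter to hide jobs.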

Services

Defines access to view services, perform job actions, and run, hold, and release services, as follows:

  • Service Name or Pattern: Defines the specific or pattern-matching service name that associated users can access. For more information, see Pattern-Matching Strings.

  • Drill-Down to View Jobs: Determines whether associated users can view jobs inside a service.

  • Run Orderable Services: Determines whether associated users can run a service.

  • Hold: Determines whether associated users can hold a service, which stops the service from running.

  • Resume: Determines whether associated users can release a held service so that it can run again.

  • View Orderable Services that Were Started by Other Users: Determines whether associated users can view services that other users ran.

Periodical Statistics

Determines one of the following Periodical Statistics access levels:

  • None: Disables associated user access to Periodical Statistics.

  • Browse: Enables associated users to view Periodical Statistics.

  • Full: Enables associated users to add, edit, and delete Periodical Statistics.

Forecast/SLA Management (BIM)

Determines one of the following Forecast/SLA Management reports access levels:

  • None: Disables associated user access to Forecast and SLA Management reports.

  • Browse: Enables associated users to view Forecast and SLA Management reports.

  • Update: Enables associated users to add and edit Forecast and SLA Management reports.

  • Full: Enables associated users to add, edit, and delete Forecast and SLA Management reports.

Historical (Archived) Viewpoints

Determines one of the following Historical (Archived) Viewpoints access levels:

  • None: Disables associated user access to Historical Viewpoints.

  • Full: Enables associated users to add, edit, and delete Historical Viewpoints.

Public Viewpoints Management

Determines one of the following access levels for the Collections, Filters, Hierarchies, and Viewpoints managers:

  • None: Disables associated user access to these managers.

  • Browse: Enables associated users to view collections, filters, hierarchies, and viewpoints.

  • Update: Enables associated users to add and edit them.

  • Full: Enables associated users to add, edit, and delete them.

Tools

Determines whether to allow access to Application Integrator, Calendars, CLI Utility (Folder, Job, and Calendar Management), Events, Global Events, Resource Pools, Lock Resources, Workload Policies, Site Standards, and User Views.

Application Integrator

Determines one of the following access levels for Application Integrator:

  • None: Disables associated user access to open Application Integrator.

  • Browse: Enables associated users to view existing job types. Users cannot deploy, modify, or create new job types.

  • Update: Enables associated users to deploy, modify, and create new job types. Users cannot undeploy.

  • Full: Enables associated users to perform all actions.

Calendars

Defines access levels for specific calendars, as follows:

  • Control-M/Server: Defines the name of the Control-M/Server on which the calendar is defined.

  • Calendar Name: Defines the name of the calendar that associated users can access.

  • Access Level

    • Browse: Enables associated users to view calendars.

    • Update: Enables associated users to add and edit calendars.

    • Full: Enables associated users to add, edit, and delete calendars.

CLI Utility (Folder, Job, and Calendar Management)

Determines one of the following CLI utility access levels for folder, job, and calendar management:

  • None: Disables associated user access to the CLI utility.

  • Full: Enables associated users to add, edit, and delete in the CLI utility.

Events

Defines access levels for specific events, with an access level for each event, as follows:

  • Control-M/Server: Defines the name of the Control-M/Server on which the event is defined.

  • Event Name: Defines the name of the event that associated users can access.

  • Access Level
    • Browse: Enables associated users to view the event.

    • Update: Enables associated users to add and edit the event.

    • Full: Enables the associated users to add, edit, and delete the event.

Global Events

Defines access levels for specific global events, with an access level for each global event, as follows:

  • Prefix: Defines the name of the global event prefix that the user has access to.

  • Access Level

    • Browse: Enables associated users to view global events.

    • Update: Enables associated users to add and edit global events.

    • Full: Enables associated users to add, edit, and delete global events.

History Reports

Determines one of the following access levels to History Reports:

  • None: Disables associated user access to History Reports.

  • Full: Enables associated users to add, edit, and delete History Reports.

Lock Resources

Defines access levels for specific Lock Resources, with an access level for each Lock Resource, as follows:

  • Control-M/Server: Defines the name of the Control-M/Server on which the Lock Resource is defined.

  • Name: Defines the name of the Lock Resource that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the Lock Resource.

    • Update: Enables associated users to add and edit the Lock Resource.

    • Full: Enables the associated users to add, edit, and delete the Lock Resource.

Pool Variables (API only)

Defines access levels to Named Pool variables via Control-M Automation API commands, as follows:

  • Control-M/Server: Defines the name of the Control-M/Server on which the Named Pool variable is defined.

  • Variable Name: Defines the name of the Named Pool variable.

  • Access Level

    • Browse: Enables associated users to view the Named Pool variable.

    • Update: Enables associated users to add and edit the Named Pool variable.

    • Full: Enables associated users to add, edit, and delete the Named Pool variable.

Reports

Determines one of the following access levels to Reports:

  • None: Disables associated user access to Reports.

  • Full: Enables associated users to add, edit, and delete Reports.

Resource Pools

Defines access levels for specific Resource Pools, with an authorization level for each Resource Pool:

  • Control-M/Server: Defines the name of the Control-M/Server on which the Resource Pool is defined.

  • Name: Defines the name of the Resource Pool that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the Resource Pool.

    • Update: Enables the associated users to add and edit the Resource Pool.

    • Full: Enables the associated users to add, edit, and delete the Resource Pool.

Secrets

Defines access levels to specific Automation API Config secrets in the JSON, with an access level for each secret, as follows:

  • Secret Name: Defines the name of the secret that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the API secret.

    • Update: Enables associated users to add and edit the API secret.

    • Full: Enables the associated users to add, edit, and delete the API secret.

After you update the role, you must regenerate an API token to use the updated authorizations, as described in Creating an API Token.

Site Standards

Defines access levels to specific Site Standards, with an access level for each Site Standard, as follows:

  • Site Standard Name: Defines the name of the Site Standard that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the Site Standard.

    • Update: Enables associated users to add and edit the Site Standard.

    • Full: Enables associated users to add, edit, and delete the Site Standard.

  • Site Standard Policy Access Level: Determines one of the following access levels for a specific or pattern-matching Site Standard Policy name:

    • Browse: Enables associated users to view the Site Standard Policy.
    • Update: Enables associated users to add and edit the Site Standard Policy.
    • Full: Enables associated users to add, edit, and delete the Site Standard Policy.

SLA Management Reports

Determines one of the following access levels to SLA Management Reports:

  • None: Disables associated user access to SLA Management Reports.

  • Full: Enables associated users to add, edit, and delete SLA Management Reports.

User Views

Defines access levels to specific user views, with an access level for each user view, as follows:

  • User View Name: Defines the name of the user view that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the user view.

    • Update: Enables the associated users to add and edit the user view.

    • Full: Enables the associated users to add, edit, and delete the user view.

Workload Policies

Defines access levels to specific Workload Policies, with an access level for each Workload Policy, as follows:

  • Workload Policy Name: Defines the name of the Workload Policy that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the Workload Policy.

    • Update: Enables associated users to add and edit the Workload Policy.

    • Full: Enables associated users to add, edit, and delete the Workload Policy.

Configuration

Enables Administrators to delegate control to users so that they can perform specific administrative tasks on Agents, plug-ins (components that extend Control-M to third-party applications such as Hadoop or SAP), and connection profiles. Users can create, configure, and monitor their own resources, which removes their dependency on the Control-M Administrators, while Control-M Administrators can restrict user access to and control over those resources and hide other resources in the environment.

Admin Management

Defines access levels to the following Administrator management categories:

  • Authorizations/Users & Roles: Enables associated users to access the user and role authorization settings in Control-M/EM, as follows:

    • None: Disables associated user access to view other users.

    • Browse: Enables associated users to view other users.

    • Update: Enables associated users to add and edit other users.

    • Full: Enables associated users to add, edit, and delete other users.

    Because editing a user includes assigning roles, a role with Update or Full here can grant itself or others any authorization. Give these levels only to users you would trust as Administrators.

  • Configuration: Enables associated users to access Control-M/EM, Control-M/Server, Agent, and Agentless Host components, and notification destinations, as follows:

    • None: Prevents associated users from viewing components.

    • Browse: Enables associated users to view components.

    • Update: Enables associated users to add and edit components.

    • Full: Enables associated users to add, edit, and delete components, and to manage notification destinations.

  • Database Maintenance: Enables associated users to check database space and extend the database size, as follows:

    • None: Prevents associated users from accessing Database Maintenance.

    • Browse: Enables associated users to check database space.

    • Full: Enables associated users to check database space and extend the database size.

  • Operation: Enables associated users to access authorized SSH known hosts, to start, stop, recycle, and ignore components, and to convert Agents to Agentless Hosts, as follows:

    • None: Disables associated user access to Operation actions.

    • Update: Enables associated users to start, stop, recycle, and ignore components.

    • Full: Enables associated users to perform all of the Operation actions described above.

  • Promotion Rules: Enables associated users access to define Promotion Rules.

    • None: Disables associated user access to Promotion Rules.

    • Full: Enables associated users to define Promotion Rules.

  • Security: Enables associated users to access SSH keys and Control-M/Server users and roles, and enables users to create, edit, copy, export, test, and delete plug-in connection profiles, as follows:

    • None: Disables associated user access to Security.

    • Browse: Enables associated users to view Control-M/Server users, roles, and connection profiles.

    • Update: Enables associated users to add and edit Control-M/Server users, roles, and test connection profiles.

    • Full: Enables associated users to do the following:

      • Delete Control-M/Server users and roles.

      • Add, edit, delete, and duplicate centralized connection profiles, and edit and delete local connection profiles.

The Admin Management categories and the per-resource categories (Agents, Agentless Hosts, and Host Groups; Plug-ins; Connection Profiles) are evaluated together, and the higher of the two access levels applies: if the level defined in Configuration or Security is higher than the level defined for a specific resource, the Admin Management definition takes precedence, and vice versa. A restrictive per-resource definition therefore does not limit a role whose Admin Management level is higher; check both when reviewing what a role can change.

Agents, Agentless Hosts, and Host Groups

Defines access levels to specific Agents, Agentless Hosts, and Host Groups, as follows:

  • Control-M/Server: Defines the name of the Control-M/Server that is connected to the selected Agents, Agentless Hosts, or Host Groups.

  • Tag: Defines a logical name that is used to label specific Agents, Agentless Hosts, or Host Groups with a specific access level. You can only define one tag per Agent, Agentless Host, or Host Group. Users can define their own tags with the * (asterisk) wildcard if they have the correct permissions.

    If users are assigned the Agent tag with the value Fin*, they can define their own tag names when they install Agents, such as FinDev or FinOps.

  • Access Level

    • Browse: Enables associated users to view the Agents, Agentless Hosts, or Host Groups.

    • Update: Enables associated users to add, recycle, ping, disable, and enable the Agents, Agentless Hosts, or Host Groups.

    • Full: Enables associated users to edit and delete the Agents, Agentless Hosts, or Host Groups, in addition to the permissions granted in the Update access level.

Plug-ins

Defines access levels to specific plug-ins, with an authorization level for each plug-in, as follows:

  • Control-M/Server: Defines the name of the Control-M/Servers that are connected to the selected Agents.

  • Agent Tag: Determines which Agent tags associated users have access to.

  • Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases.

  • Access Level

    • Browse: Enables associated users to view the plug-ins.

    • Update: Enables associated users to view and edit the plug-ins.

    • Full: Enables associated users to delete the plug-ins, in addition to the permissions granted in the Update access level.

Connection Profiles

Defines access levels to specific local and centralized connection profiles in the Configuration domain, with an access level for each connection profile, as follows:

  • Control-M/Server: Defines the name of the Control-M/Servers that are connected to the selected Agents.

    To define access levels for centralized connection profiles, select All from the Control-M/Server drop-down list and type * in the Agent Tag field.

  • Agent Tag: Determines which Agent tags associated users have access to.

  • Name: Determines which connection profiles associated users have access to.

  • Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases.

  • Access Level

    • Browse: Enables associated users to view the connection profiles.

    • Update: Enables associated users to test the connection profiles.

    • Full: Enables associated users to do the following:

      • Create, delete, edit, and duplicate centralized connection profiles.

      • Edit and delete local connection profiles.

Run as Definitions

Defines access levels for Run as User definition management, as follows:

  • Server: Defines the name of the Control-M/Server on which associated users can manage Run as Users, as described in Adding a Run as User.

  • Access Level:

    • Browse: Enables associated users to view Run as Users.

    • Update: Enables associated users to create and edit Run as Users.

    • Full: Enables associated users to create, edit, and delete Run as Users.

Alerts

Determines one of the following access levels for alerts (notifications about the status of a job or component that appear in the Alerts window):

  • Browse: Enables associated users to view alerts.

  • Update: Enables associated users to update alerts.

  • Full: Enables associated users to update alerts.

Workflow Insights

Determines whether users can access the Workflow Insights domain.