Control-M Automation API Authorizations
Through Control-M, you can control the access levels that each of your defined roles has to the various API functionalities and services. The following series of tables summarize the access levels that are required for the various API commands. You set these access levels through the role definitions in the Configuration domain.
Session Service Authorizations
The following table lists the Interface Access categories required by the API Session service. You set these access levels through the role definitions in the Configuration domain, on the General tab.
API Functions |
Interface Access Category |
---|---|
Log in and get an access token
|
Automation API Alternatively, for product versions earlier than 9.0.20 or when using Compatibility mode: Control-M Configuration Manager |
Control-M Desktop, Utilities and EM API |
Authentication Service Authorizations
To use the Authentication service to create, update, delete, or get details of your own tokens, you must have the Automation API interface access category. You set this access category through the role definitions in the Configuration domain, on the General tab.
To use the Authentication service to control authentication tokens of other users, an administrator must have the following role access levels. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.
API Functions |
Access Control Category |
Access Level |
---|---|---|
Retrieve token details
|
Configuration > Admin Management > Authorizations/Users&Roles |
Browse |
Create or update a token
|
Configuration > Admin Management > Authorizations/Users&Roles |
Update |
Delete a token
|
Configuration > Admin Management > Authorizations/Users&Roles |
Full |
Configuration Service Authorizations
The following table lists the role access levels required by the various API functions in the Config service. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.
If the access levels defined through Configuration > Admin Management differ from (that is, are higher or lower than) those defined in the other Configuration categories, such as Configuration > Agents or Configuration > Plug-ins, or Configuration > Run as Definition, then the definitions in Admin Management take precedence.
API Functions |
Access Control Category |
Access Level |
---|---|---|
Access Agent topology information
|
Configuration > Agents |
None |
Access Control-M/Server topology information
|
Configuration > Admin Management > Configuration |
Browse |
Access Agent information
|
Configuration > Agents |
Browse |
Access detailed Agent configuration information
|
Configuration > Agents |
Full |
Add or update Control-M/Server configurations
|
Configuration > Admin Management > Configuration |
Update |
Add or update Agent configurations
|
Configuration > Agents |
Update |
Add or update Run as User configurations
|
Configuration > Run as Definition |
Update |
Access Run as User configuration details
|
Configuration > Run as Definition |
Browse |
Delete Control-M/Server configuration
|
Configuration > Admin Management > Configuration |
Full |
Delete Agent configuration
|
Configuration > Agents |
Full |
Delete Run as User configuration
|
Configuration > Run as Definition |
Full |
Perform High Availability actions
|
Configuration > Admin Management > Configuration |
Update |
Get High Availability status
|
Configuration > Admin Management > Configuration |
Browse |
Access detailed Job Archiving configuration
|
Configuration > Admin Management > Configuration |
Browse |
Manage configurations of Job Archiving
|
Configuration > Admin Management > Configuration |
Update |
Access configurations of file transfers to and from external users (using Control-M MFT Enterprise B2B)
|
Configuration > Plug-ins |
Browse |
Add or update configurations for Control-M MFT Enterprise B2B
|
Configuration > Plug-ins |
Update |
Delete configurations for Control-M MFT Enterprise B2B
|
Configuration > Plug-ins |
Full |
Access configurations of file transfers to and from remote hosts (using Control-M MFT)
|
Configuration > Plug-ins |
Browse |
Add or delete configurations for Control-M MFT
|
Configuration > Plug-ins |
Full |
Update configurations for Control-M MFT
|
Configuration > Plug-ins |
Update |
Manage SSH settings for Control-M MFT
|
Configuration > Admin Management > Security |
Full |
Access details of roles, users, and LDAP groups
|
Configuration > Admin Management > Authorizations/Users & Roles |
Browse |
Manage authorizations of roles, users, and LDAP groups
|
Configuration > Admin Management > Authorizations/Users & Roles
For simulation functions, also: Configuration > Admin Management > Configuration |
Update |
Delete authorizations of roles and users
|
Configuration > Admin Management > Authorizations/Users & Roles |
Full |
Access details of system settings
|
Configuration > Admin Management > Configuration |
Browse |
Add or update system settings
|
Configuration > Admin Management > Configuration |
Update |
Access details of secrets in the Control-M vault
|
Tools > Secrets |
Browse |
Add or update secrets in the Control-M vault
|
Tools > Secrets |
Update |
Delete secrets in the Control-M vault
|
Tools > Secrets |
Full |
Provision Service Authorizations
The following table lists the role access levels required by the various API functions in the Provision service. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.
If the access levels defined through Configuration > Admin Management differ from (that is, are higher or lower than) those defined in the other Configuration categories, such as Configuration > Agents or Configuration > Run as Definition, then the definitions in Admin Management take precedence.
API Functions |
Access Control Category |
Access Level |
---|---|---|
Access details of provisioned agents
|
Configuration > Agents |
Browse |
Provision a new agent
|
Configuration > Agents |
Update |
Undo the provisioning of an agent
|
Configuration > Agents |
Full |
Upgrade an existing agent and deploying plug-ins
|
Configuration > Agents |
Full |
Access details of agent upgrades
|
Configuration > Agents |
Browse |
Provision a Control-M/Server
|
Configuration > Agents and Configuration > Run as Definition |
Update |
Build and Deploy Service Authorizations
The following table lists the role access levels required by the various API functions in the Build and Deploy services. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.
If the access levels defined through Configuration > Admin Management differ from (that is, are higher or lower than) those defined in the other Configuration categories, such as Configuration > Connection Profiles, then the definitions in Admin Management take precedence.
API / API Service |
Access Control Category |
Access Level |
---|---|---|
Build jobs definitions
|
Access tokens are enough. |
|
Retrieve deployed job definitions
|
Planning > Folders and Jobs |
Browse level on all retrieved folders
|
Deploy definitions of Control-M objects
|
Planning > Folders and Jobs |
Update level on all folders deployed
|
Planning > Run as |
Grant permission to write jobs that Run as use on specific hosts as required by all jobs deployed.
|
|
Tools > Calendars |
Update level on all calendars deployed
|
|
Tools > Site Standards |
Update level for all site standards deployed. Update level for site standard policies. |
|
Configuration > Connection Profiles |
Full level on all connection profiles deployed if you plan to create new connection profiles. Update level if you only want to modify existing connection profiles.
|
|
Delete deployed objects
|
Planning > Folders and Jobs |
Full access level on all folders to delete
|
Deploy AI job type
|
Tools > Application Integrator |
Full |
Retrieve details of deployed AI job types
|
||
Deploy Control-M integration plug-ins
|
Tools > Application Integrator |
Browse |
Retrieve deployed calendar definitions
|
Tools > Calendars |
Browse access level on all calendars to retrieve
|
Delete a deployed calendar
|
Tools > Calendars |
Full access level on all calendars to delete
|
Retrieve details of deployed connection profiles
|
Configuration > Connection Profiles |
Browse access level on all connection profiles to retrieve
|
Delete deployed connection profiles
|
Configuration > Connection Profiles |
Full access level on all connection profiles to delete
|
Test deployed connection profiles
|
||
Retrieve details of site standards and site standard policies
|
Tools > Site Standards |
Browse level for all site standards deployed. Browse level for site standard policies. |
Add site standard policies
|
Tools > Site Standards |
Update level for site standard policies. |
Rename or delete site standards or site standard policies
|
Tools > Site Standards |
Full level for all site standards deployed. Full level for site standard policies. |
Run Service Authorizations
The following table lists the role access levels required by the various API functions in the Run service. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.
API |
Access Control Category |
Access Level |
---|---|---|
Access job status and details
|
Monitoring > Job Permissions |
All View options for all jobs. |
Perform job actions
|
Monitoring > Job Permissions |
All Actions and View options for all relevant jobs. |
Run Jobs definition file
|
Planning > Folders and Jobs |
Update level on all folders deployed
|
Planning > Run as |
Grant permission to write jobs that Run as a user on specific hosts, as required by all jobs deployed.
|
|
Order a deployed folder and jobs
|
Planning > Folders and Jobs |
Update level on all folders deployed
|
Retrieve events
|
Tools > Events |
Browse level for events retrieved
|
Add an event
|
Tools > Events |
Update level for events to add
|
Delete an event
|
Tools > Events |
Full access level for events to delete
|
Retrieve resources
|
Tools > Resource Pool |
At lease Browse level for Resource Pools retrieved
|
|
Tools > Lock Resources |
At lease Browse level for Lock Resources retrieved
|
Add/update a resource
|
Tools > Resource Pool |
Update level for Resource Pools updated
|
Delete a resource
|
Tools > Resource Pool |
Full level for Resource Pools deleted
|
Retrieve Workload Policy details
|
Tools > Workload Policies |
Browse |
Add and control Workload Policies
|
Tools > Workload Policies |
Update |
Delete a Workload Policy
|
Tools > Workload Policies |
Full |
Retrieve pool variable details
|
Tools > Pool Variables |
Browse |
Define or update pool variables
|
Tools > Pool Variables |
Update |
Delete pool variables run variables::delete |
Tools > Pool Variables |
Full |
Access the status of alert streaming
|
Alerts |
Browse |
Update alerts
|
Alerts |
Update |