User and Role Authorizations

You can create new users and roles, which enable you to limit what a user is authorized to view or change. Users are granted permissions based on their associated role.

If Role_A is authorized to view and change Folder_A and Calendar_A, then all associated users that are assigned Role_A have the same type of access to those entities.

There are three predefined roles in Control-M, as follows:

  • Administrator: Enables full access to all functionality.

  • Team Leader: Enables partial access with the ability to manage permissions for each member of the team.

  • Viewer: Enables view access only.

To configure authentication for all Control-M users, BMC recommends that you perform these procedures, in the following order:

  1. Adding a Role
  2. Creating an Internal User
  3. Creating an Administrator User
  4. Defining System Settings

You can create internal users in Control-M. However, BMC recommends that you configure a connection to an Identity Provider (IdP). This enables you to authenticate multiple external users with one configuration, instead of creating individual internal users in Control-M. To connect Control-M to an IdP, see Defining System Settings. After an IdP is enabled, all users are authenticated via SAML 2.0.


Adding a Role

This procedure describes how to create a role, which limits the associated users to specific authorizations and access levels.

Begin

  1. From the icon, select Configuration.

    The Configuration domain appears.

  2. From the drop-down list, select Roles.

    The Roles pane appears.

  3. Click Add Role.

    The Add Role pane appears.

  4. In the General tab, do the following:
    1. In the Role Name field, type a logical name for the role.

    2. In the Description field, type a description for the role.

    3. Do one of the following:

      • To associate users in a specific organizational group in IdP or LDAP, from the Associated with Organizational Groups drop-down list, select or search for the organizational groups in your IdP or LDAP that you want to associate with this role.

        If the list is empty, you must manually add the names of the IdP or LDAP groups: type the name of the group and click Add. The IdP or LDAP group names are case sensitive and must appear exactly as they are in the IdP or LDAP.

      • To explicitly associate a specific IdP or LDAP user, regardless of the organizational group, from the Associated with Organizational Users drop-down list, select or search for the organizational user in your IdP or LDAP that you want to associate with this role.

        If the list is empty, you must manually add the IdP or LDAP user: type the name of the user and click Add. The IdP and LDAP user names are case sensitive and must appear exactly as they are in the IdP or LDAP.

    4. From the Interface Access drop-down list, select one or more of the following applications to grant this role access to:

      • Automation API.

      • Control-M client (Desktop), Utilities, and EM API.

      • Control-M Configuration Manager.

      • Control-M Web.

  5. In the Access Control tab, select one or more of the checkboxes to give specific authorizations for this role, as described in Role Authorizations.

  6. Click Add.

Creating an Internal User

This procedure describes how to add an internal user in Control-M. User authorizations are determined by the roles that are associated with the user.

Begin

  1. From the icon, select Configuration.

    The Configuration domain appears.

  2. From the drop-down list, select Users.

    The Users pane appears.

  3. Click Add User.

    The Add User pane appears.

  4. In the User Name field, type the username that you want to add to Control-M.

  5. (Optional) In the Full Name and Description fields, type the full name of the user and a description.

  6. In the Assigned Roles drop-down list, select one or more existing roles to assign to this user.

    Roles determine what the user has access to throughout Control-M. To create a role, see Adding a Role.

  7. Do one of the following:

    • To authenticate the user via LDAP, select the Enable External Authentication Only checkbox and define the LDAP User and Domain field by typing the domain name that hosts the LDAP servers that authenticate the Control-M/EM users, in the following format:
      CN[OU]@DC

      where CN=user, OU=org_unit, and DC=domain.

    • To authenticate the user via a password, do the following:

      1. In the Password field, define a user password.

      2. In the Password Expiration field, select one of the following options:

        • Never Expires

        • Custom: Determines the number of days before the password expires.

      3. To prevent this user from logging into Control-M, select the Lock Account checkbox.

      4. To force the user to change the password, do the following:

        • To enable this option, you must first set the PasswordExpirationOnOff system parameter to 1 and the WarningPasswordExpirationDays system parameter to 10 in the CCM, as described in Control-M/EM General System Parameters. Afterward, you must recycle the GUI Server.

        • At the next login, select User Must Change Password at Next Login.

  8. Click Add.

    The new user appears in the Users pane.

Creating an Administrator User

This procedure describes how to create a Control-M/EM Administrator user when the external authentication server is not available. If LDAP or Active Directory cannot be connected and an emergency user is not defined, the new Administrator can log in with the authorizations and privileges of a default Administrator user.

Begin

  1. Log in to the Control-M/EM server account and run the following script:
    create_admin_account

  2. In the Control-M/EM DBO Name field, type the Control-M/EM database name (1–30 characters).

  3. In the Control-M/EM DBO Password field, type the Control-M/EM password.

    If verification of the Control-M/EM DBO password fails, an error message appears and the script is aborted.

  4. At the new admin username prompt, type the name of the new user.

  5. At the new admin password prompt, type the new user password.

  6. At the new admin password verification prompt, retype the new user password.

    The new Administrator user is created.

Role Authorizations

The following table describes the authorizations that you can apply to a role. All users associated with the role inherit the selected authorizations.

Authorization

Description

Planning

Determines whether to allow access to specific folders and jobs, Run as Users (an OS account name that is used to execute jobs on the host), Service Definitions, or Promote Action.

Folders and Jobs

Grants access to specific folders and jobs with an access level for each folder, as follows:

  • Server: Defines the name of the Control-M/Server that processes the job.

  • Library: Defines the name of the library that contains the folder for the job.

  • Folder Name: Defines the name of the folder that associated users can access.

    You can define the folder name with a regular expression.

  • Access Level

    • Browse: Enables associated users to view folders.

    • Update: Enables associated users to add and edit folders.

    • Full: Enables associated users to add, edit, and delete folders.

  • Run: Determines whether associated users can run specific folders. (Running is the Control-M process that adds your job to the Run Queue of the day, according to automatic or manual scheduling, and which enables the job to execute after it fulfills its prerequisites.) This option is independent of the access levels. You can enable associated users to run folders on all access levels.

    This option also determines whether associated users can use the Run option in the Monitoring domain.

  • Job Permissions: Determines whether to enable authorizations on jobs in a specific folder based on Application and Sub-application criteria according to a defined access level.

This authorization also determines whether associated users are granted access to the Folder Management tool.

Run As

Enables associated users to use the listed run as users or pattern in job definitions (the set of parameters that defines what the job does, when it runs, its prerequisites, and the post-processing actions Control-M performs after it ends, also called a job processing definition).

Service Definitions

Grants associated users access to the Service Definitions Manager, as follows:

  • Service Name or Pattern: Defines the name of the service that associated users can access.
  • Access Level 
    • Browse: Enables associated users to view folders.

    • Update: Enables associated users to add and edit folders.

    • Full: Enables associated users to add, edit, and delete folders.

Promote Action

Enables associated users to set the following authorization levels for a promotion action:

  • None: Prevents associated users from promoting.

  • Update: Enables associated users to create a promotion request, but does not allow the promote and check-in promotion option.

  • Full: Enables associated users to create a promotion request, use promote, and check-in.

Monitoring

Determines whether to allow access to specific jobs and services (a set of workflows that serves a business purpose, and can be monitored as a single unit), Periodical Statistics, Forecast and SLA Management (BIM), archived viewpoints, and Viewpoint Management.

Job Permissions

Determines which of the following actions and views are available to associated users, as follows:

  • Actions: Associated users can perform any of the following actions when they are selected:

  • View: Associated users can perform any of the following actions when they are selected:

    • Documentation

    • JCL/Script

    • Job Settings

    • Log

    • Output

    • Statistics

    • Why

You can apply one or more Including Filters and Excluding Filters to grant or remove role access to jobs based on the job attributes, operators, and values that you define, as follows:

If <Job Attribute> <Operator> <Value>

Including Filters with an Or Condition

  • If Run As Contains Billing

    OR

  • If Host/Host Groups Exactly Accounts-Agent

This including filter grants the role access to jobs when they run on the Accounts-Agent or when their Run As name contains the string Billing.
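The filter evaluation described above, written out as a small Python model. This is an added example, not BMC's code and not Control-M's actual implementation: the attribute names ("Run As", "Host/Host Groups"), the operators Contains and Exactly, the sample jobs, and the rules that excluding filters win over including filters and that a role with no including filters sees no jobs are all assumptions made here to illustrate the OR semantics on the page.

```python
"""Model of Job Permission Including / Excluding Filters.

Added illustration, not BMC's code. Beyond "including filters are ORed"
and "excluding filters remove access", the evaluation rules below are
assumptions: an excluding match wins over an including match, and an empty
including list grants nothing.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


# Operators quoted on the page; matching is case-sensitive by assumption.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Contains": lambda actual, value: value in actual,
    "Exactly": lambda actual, value: actual == value,
}


@dataclass(frozen=True)
class JobFilter:
    """One 'If <Job Attribute> <Operator> <Value>' line."""
    attribute: str   # e.g. "Run As" or "Host/Host Groups"
    operator: str    # a key of OPERATORS
    value: str

    def matches(self, job: Dict[str, str]) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator!r}")
        return OPERATORS[self.operator](job.get(self.attribute, ""), self.value)


def role_grants_job(job: Dict[str, str],
                    including: Iterable[JobFilter],
                    excluding: Iterable[JobFilter] = ()) -> bool:
    """True when at least one including filter matches (OR condition) and no
    excluding filter matches (deny wins, assumed)."""
    included = any(f.matches(job) for f in including)
    excluded = any(f.matches(job) for f in excluding)
    return included and not excluded


# The two including filters quoted on the page.
INCLUDING: List[JobFilter] = [
    JobFilter("Run As", "Contains", "Billing"),
    JobFilter("Host/Host Groups", "Exactly", "Accounts-Agent"),
]

# Constructed sample jobs; attribute names follow the page's filter wording.
JOBS: Dict[str, Dict[str, str]] = {
    "billing-nightly": {"Run As": "svc_Billing", "Host/Host Groups": "HR-Agent"},
    "accounts-load":   {"Run As": "svc_Finance", "Host/Host Groups": "Accounts-Agent"},
    "hr-report":       {"Run As": "svc_HR",      "Host/Host Groups": "HR-Agent"},
}


def accessible_jobs(including: Iterable[JobFilter] = INCLUDING,
                    excluding: Iterable[JobFilter] = ()) -> List[str]:
    """Sorted names of the JOBS the role may access under the given filters."""
    return sorted(name for name, job in JOBS.items()
                  if role_grants_job(job, including, excluding))


if __name__ == "__main__":
    print(accessible_jobs())                    # ['accounts-load', 'billing-nightly']
    deny_hr = [JobFilter("Host/Host Groups", "Exactly", "HR-Agent")]
    print(accessible_jobs(excluding=deny_hr))   # ['accounts-load']
```

Two points worth checking when reviewing a role: Contains is a substring test, so a value such as Billing also matches a Run As name like svc_BillingAdmin, and an excluding filter narrows access even when the job is reachable through another including filter.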

Service Permissions

Grants associated users or groups of users access to view services, perform job actions, run, hold, and release services, as follows:

  • Service Name or Pattern: Defines the name of the service that associated users can access
  • Drill-Down to View Jobs: Enables associated users to view jobs inside a service.
  • Run Orderable Services: Enables associated users to run a service.
  • Hold: Enables associated users to hold a service, which stops the service from running.
  • Resume: Enables associated users to release a service, which frees it from being held and makes it available to be run again.
  • View Orderable Services That Were Started by Other Users: Enables associated users to view services that are run by other users.

Periodical Statistics

Grants associated users access to Periodical Statistics, as follows:

  • None: Disables associated user access to view Periodical Statistics.

  • Browse: Disables associated user access to view Periodical Statistics.

  • Full: Enables associated users to add, edit, and delete Periodical Statistics.

Forecast/SLA Management (BIM)

Grants associated users access to Forecast/SLA Management reports, as follows:

  • None: Disables associated user access to view Forecast and SLA Management reports.

  • Browse: Enables associated users to view Forecast and SLA Management reports.

  • Update: Enables associated users to add and edit Forecast and SLA Management reports.

  • Full: Enables associated users to delete Forecast and SLA Management reports.

Archived Viewpoints

Grants associated users access to Archived Viewpoints, as follows:

  • None: Disables associated user access to Archived Viewpoints.

  • Full: Enables associated users to add, edit, and delete Archived Viewpoints.

Viewpoint Management

Grants associated users access to Collections, Filters, Hierarchies, and Viewpoint with an access level for each, as follows:

  • None: Disables associated user access to view.

  • Browse: Enables associated users to view.

  • Update: Enables associated users to add and edit.

  • Full: Enables associated users to delete.

Tools

Determines whether to allow access to Application Integrator (a Control-M component that enables you to create a third-party business application integration (plug-in), and create custom job types that perform specialized tasks in your environment), Calendars (a reusable job schedule that you can apply to many jobs, which enables you to perform scheduling changes from a single location), CLI Utility (Folder, Job, and Calendar Management), Events (a conditional entity that creates a sequential relationship between jobs by enabling the successor job to execute after the predecessor job has executed), Global Events, Resource Pools (a type of quantifiable resource, which represents the total amount of resources from a physical or logical device that a job can access), Lock Resources (a type of prerequisite that controls the flow of the workflow, which represents a physical or logical device that folders, sub-folders, or jobs can exclusively access or share), Workload Policies, Site Standards (a set of rules that are relevant to your organization, are applied on the folder level, and determine how users must define folders and jobs), and User Views (a customization of the Control-M interface, which enables users to view specific functionality only).

Application Integrator

Grants associated users access to Application Integrator, as follows:

  • None: Disables associated user access to open Application Integrator.

  • Browse: Enables associated users to view existing job types. Users cannot deploy, modify, or create new job types.

  • Update: Enables associated users to deploy, modify, and create new job types. Users cannot undeploy.
  • Full: Enables associated users to perform all actions.

Calendars

Grants access to specific calendars with an access level for each calendar, as follows:

  • Server: Defines the name of the Control-M/Server that processes the job.

  • Calendar Name: Defines the name of the calendar that associated users can access.

  • Browse: Enables associated users to view calendars.

  • Update: Enables associated users to add and edit calendars.
  • Full: Enables associated users to add, edit, and delete calendars.

CLI Utility (Folder, Job, and Calendar Management)

Grants access to the CLI utility for folder, job, and calendar management, as follows:

  • None: Disables associated user access to the CLI utility.

  • Full: Enables associated users to add, edit, and delete in the CLI utility.

Events

Grants access to specific events with an access level for each event, as follows:

  • Server: Defines the name of the Control-M/Server that processes the job.

  • Event Name: Defines the name of the event that associated users can access.
  • Browse: Enables associated users to view the event.

  • Update: Enables associated users to add and edit the event.
  • Full: Enables the associated users to add, edit, and delete the event.

Global Events

Grants access to specific global events with an access level for each global event, as follows:

  • Prefix: Defines the name of the global event prefix that the user has access to.
  • Browse: Enables associated users to view global events.

  • Update: Enables associated users to add and edit global events.
  • Full: Enables associated users to add, edit, and delete global events.

History Reports

Grants access to History Reports, as follows:

  • None: Disables associated user access to History Reports.
  • Full: Enables associated users to add, edit, and delete History Reports.

Lock Resources

Grants access to specific Lock Resources with an access level for each Lock Resource, as follows:

  • Server: Defines the name of the Control-M/Server that processes the job.

  • Name: Defines the name of the Lock Resource that associated users can access.
  • Browse: Enables associated users to view the Lock Resource.

  • Update: Enables associated users to add and edit the Lock Resource.
  • Full: Enables the associated users to add, edit, and delete the Lock Resource.

(API only) Pool Variables

Grants access to Named Pool variables using API commands, as follows:

  • Server: Defines the name of the Control-M/Server that processes the job.

  • Variable Name: Defines the name of the Named Pool variable.
  • Browse: Enables associated users to view the Named Pool variable.
  • Update: Enables associated users to add and edit the Named Pool variable.
  • Full: Enables associated users to add, edit, and delete the Named Pool variable.

Reports

Grants access to Reports, as follows:

  • None: Disables associated user access to Reports.
  • Full: Enables associated users to add, edit, and delete Reports.

Resource Pools

Grants access to specific Resource Pools with an authorization level for each Resource Pool, as follows:

  • Server: Defines the name of the Control-M/Server that processes the job.

  • Name: Defines the name of the Resource Pool that associated users can access.

  • Browse: Enables associated users to view the Resource Pool.

  • Update: Enables the associated users to add and edit the Resource Pool.

  • Full: Enables the associated users to add, edit, and delete the Resource Pool.

Secrets

Grants access to specific Automation API Config secrets in the JSON with an access level for each secret, as follows:

  • Secret Name: Defines the name of the secret that associated users can access.

  • Browse: Enables associated users to view the API secret.

  • Update: Enables associated users to add and edit the API secret.

  • Full: Enables the associated users to add, edit, and delete the API secret.

After you update the role, you must regenerate an API token to use the updated authorizations, as described in Creating an API Token.

Site Standards

Grants access to specific Site Standards with an access level for each Site Standard, as follows:

  • Site Standard Name: Defines the name of the Site Standard that associated users can access.
  • Browse: Enables associated users to view the Site Standard.

  • Update: Enables associated users to add and edit the Site Standard.
  • Full: Enables associated users to add, edit, and delete the Site Standard.
  • Site Standard Policy Access Level: Grants access to specific Site Standard Policies with an authorization level for each Site Standard Policy, as follows:

    • Browse: Enables associated users to view the Site Standard Policy.
    • Update: Enables associated users to add and edit the Site Standard Policy.
    • Full: Enables associated users to add, edit, and delete the Site Standard Policy.

SLA Management Reports

Grants access to SLA Management Reports, as follows:

  • None: Disables associated user access to SLA Management Reports.
  • Full: Enables associated users to add, edit, and delete SLA Management Reports.

User Views

Grants access to specific user views with an access level for each user view, as follows:

  • User View Name: Defines the name of the user view that associated users can access.
  • Browse: Enables associated users to view the user view.

  • Update: Enables the associated users to add and edit the user view.
  • Full: Enables the associated users to add, edit, and delete the user view.

Workload Policies

Grants access to specific Workload Policies with an access level for each Workload Policy, as follows:

  • Workload Policy Name: Defines the name of the Workload Policy that associated users can access.
  • Browse: Enables associated users to view the Workload Policy.

  • Update: Enables associated users to add and edit the Workload Policy.
  • Full: Enables associated users to add, edit, and delete the Workload Policy.

Configuration

Enables Administrators to delegate control to users to carry out specific administrative tasks on Agents, plug-ins (a Control-M component that extends functionality to third-party applications like Hadoop or SAP and can be integrated with other jobs in a single workflow), and connection profiles (a profile that contains the connection parameters to a specific plug-in, including the hostname, port, username, and password). Users can create, configure, and monitor their resources, which eliminates the dependencies on the Control-M Administrators. The Control-M Administrators can restrict access and control to the users to their defined resources, without exposing other resources in the environment.

Agents, Remote Hosts, and Host Groups

Grants access to specific Agents, Remote Hosts, and Host Groups, as follows:

  • Server: Defines the name of the Control-M/Server that is connected to the selected Agents, Remote Hosts, or Host Groups.

  • Tag: Defines a logical name that is used to label specific Agents, Remote Hosts, or Host Groups with a specific access level. You can only define one tag per Agent, Agentless Host, or Host Group. Users can define their own tags with the * (asterisk) wildcard if they have the correct permissions.

    If users are assigned the Agent tag with the value Fin*, they can define their own tag names when they install Agents, such as FinDev or FinOps.

  • Browse: Enables associated users to view the Agents, Remote Hosts, or Host Groups.

  • Update: Enables associated users to add, recycle, ping, disable, and enable the Agents, Remote Hosts, or Host Groups.
  • Full: Enables associated users to edit and delete the Agents, Remote Hosts, or Host Groups, in addition to the permissions granted in the Update access level.

Plug-ins

Grants access to specific plug-ins with an authorization level for each plug-in, as follows:

  • Server: Defines the name of the Control-M/Servers that are connected to the selected Agents.

  • Agent Tag: Determines which Agent tags associated users have access to.

  • Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases.

  • Browse: Enables associated users to view the plug-ins.
  • Update: Enables associated users to view and edit the plug-ins.
  • Full: Enables associated users to delete the plug-ins, in addition to the permissions granted in the Update access level.

Connection Profiles

Grants access to specific connection profiles with an access level for each connection profile, as follows:

  • Server: Defines the name of the Control-M/Servers that are connected to the selected Agents.

  • Name: Determines which connection profiles associated users have access to.

  • Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases.

  • Browse: Enables associated users to view the connection profiles.
  • Update: Enables associated users to view and edit the connection profiles.
  • Full: Enables the associated users to create and delete connection profiles, in addition to the permissions granted in the Update access level.

Run as Definition

Enables associated users to manage Run-as-User definitions, as follows:

  • Server: Defines the name of the Control-M/Server on which the user is authorized to create Run as Users, as described in Adding a Run as User.

  • Browse: Enables associated users to view Run as Users.

  • Update: Enables associated users to create and edit Run as Users.

  • Full: Enables associated users to create, edit, and delete Run as Users.

Admin Management

Grants associated users access to the following categories:

  • Authorizations/Users & Roles: Enables associated users to apply authorizations on other users in Control-M/EM, as follows:

    • None: Disables associated user access to view other users.

    • Browse: Enables associated users to view other users.

    • Update: Enables associated users to add and edit other users.

    • Full: Enables associated users to delete other users.

  • Configuration: Enables associated users to access Control-M/EM, Control-M/Server, and Agent components, as follows:

    • None: Disables associated user access to view components.

    • Browse: Enables associated users to view components.

    • Update: Enables associated users to add and edit components.

    • Full: Enables associated users to delete components.

  • Database Maintenance: Enables associated users access to check database space and extend the database size, as follows:

    • None: Disables associated user access to Database Maintenance.

    • Browse: Enables associated users to check database space.

    • Full: Enables associated users to extend database size.

  • Operation: Enables associated users to start, stop, recycle, and ignore components, as follows:

    • None: Disables associated user access to Operation actions.

    • Update: Enables associated users to start, stop, recycle, and ignore components.

    • Full: Enables associated users to start, stop, recycle, and ignore components.

  • Promotion Rules: Enables associated users access to define Promotion Rules.

    • None: Disables associated user access to Promotion Rules.

    • Full: Enables associated users to define Promotion Rules.

  • Security: Enables associated users access to Control-M/Server users and roles, and enables users to create, edit, copy, export, test, and delete connection profiles for a plug-in, as follows:

    • None: Disables associated user access to Security.

    • Browse: Enables associated users to view Control-M/Server users, roles, and connection profiles.

    • Update: Enables associated users to add and edit Control-M/Server users, roles, and connection profiles.

    • Full: Enables associated users to delete Control-M/Server users, roles, and connection profiles.

If the access levels defined in Configuration and Security are higher than those defined in Agents, Remote Hosts, or Host Groups, Plug-ins, and Connection Profiles, the definitions in Admin Management take precedence, and vice versa.
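The two rules above that matter most when auditing a role, the * wildcard in Agent tags (the Fin* example under Agents, Remote Hosts, and Host Groups) and the precedence between Admin Management and the resource-specific levels, as an added Python model. This is not BMC's code. It assumes an ordering None < Browse < Update < Full, that * is the only wildcard character in a tag value, that the highest matching tag grant applies when several match, and that "take precedence, and vice versa" means the higher of the two levels wins; the sample grants and tags are constructed.

```python
"""Effective access level for tagged Agents / Remote Hosts / Host Groups.

Added illustration, not BMC's code. Assumptions: levels are ordered
None < Browse < Update < Full; '*' is the only wildcard in a Tag value;
the highest matching tag grant applies; and the page's precedence rule means
the higher of the Admin Management level and the resource level wins.
"""
import re
from typing import Iterable, List, Tuple

LEVELS: List[str] = ["None", "Browse", "Update", "Full"]


def rank(level: str) -> int:
    """Position of an access level in the assumed ordering."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level {level!r}")
    return LEVELS.index(level)


def tag_matches(pattern: str, tag: str) -> bool:
    """Match a tag against a pattern in which only '*' is special (e.g. 'Fin*')."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, tag) is not None


def resource_level(grants: Iterable[Tuple[str, str]], tag: str) -> str:
    """Highest level among the (tag_pattern, level) grants matching the tag."""
    best = "None"
    for pattern, level in grants:
        if tag_matches(pattern, tag) and rank(level) > rank(best):
            best = level
    return best


def effective_level(admin_level: str, grants: Iterable[Tuple[str, str]], tag: str) -> str:
    """Admin Management (Configuration / Security) level versus the
    resource-specific level: whichever is higher takes precedence."""
    return max(admin_level, resource_level(grants, tag), key=rank)


# Constructed role: may update any agent tagged Fin*, with full control of FinOps only.
GRANTS: List[Tuple[str, str]] = [("Fin*", "Update"), ("FinOps", "Full")]

if __name__ == "__main__":
    for tag in ("FinDev", "FinOps", "HR-Agent"):
        print(tag, effective_level("Browse", GRANTS, tag))   # Update, Full, Browse
    # A Full level on Admin Management reaches every agent, whatever the tag grants say.
    print("HR-Agent", effective_level("Full", GRANTS, "HR-Agent"))   # Full
```

The last line is the check a reviewer wants: a narrow tag grant such as Fin* does not limit a user whose Admin Management Configuration level is Full, because the higher level wins in either direction.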

Alerts

Determines whether users can access alerts (a notification about the status of a job or component that appears in the Alerts window) with one of the following access levels:

  • Browse: Enables associated users to view alerts.
  • Update: Enables associated users to update alerts.
  • Full: Enables associated users to update alerts.

Workflow Insights

Determines whether users can access the Workflow Insights domain.