Applying Authorizations for API Functionalities and Services
Through Helix Control-M, you can control the levels of authorizations that each of your defined roles has to the various API functionalities and services. The following series of tables summarize the authorization levels that are required for the various API commands.
You access these authorization settings through Role settings in Helix Control-M. For detailed instructions on how to apply these authorizations, see User and Role Authorizations in the Helix Control-M online documentation.
When you turn on Advanced admin authorizations, the following authorizations are automatically set to Full (for all items of each type). You do not need to manually set these types of authorizations in Administrator-level roles.
-
Configuration > Agents
-
Configuration > Plug-ins
-
Configuration > Connection Profiles
-
Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition
Authorizations for API Access and Authentication
For access to the API, your role must have the Automation API access setting turned on, on the General tab in the Role settings. This enables all users associated with the role to manage their API tokens using the Authentication Service.
In addition, an administrator can manage other users' API tokens through the Helix Control-M GUI. To enable this admin-level control, the admin's role must have the following authorizations on the Access control tab in the Role settings:
-
Configuration > More (Users, Roles, Run as and Admin) > Advanced admin authorizations > on
-
Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Browse (or higher)
Authorizations for Usage Reports
To enable admin-level users to generate usage reports using the Usage Report Service, the admin's role must have the following setting turned on, on the Access control tab in the Role settings:
Configuration > More (Users, Roles, Run as and Admin) > Advanced admin authorizations
Authorizations for Configuration and Provisioning
The following table lists the minimum authorizations that a role needs for performing administrative tasks using the Config Service and Provision Service. You access these authorization settings through Role settings in Helix Control-M, on the Access control tab.
API functions and commands |
Required authorization level |
---|---|
Access configuration topology information:
|
Configuration > Agents > none required |
Access detailed configuration item information:
|
Configuration > Agents > Full |
Add or update configurations of major Control-M components:
|
Configuration > Agents > Update |
Delete configurations of major Control-M components:
|
Configuration > Agents > Full |
Access details of the setup of your integration with Control-M Managed File Transfer (MFT):
|
Configuration > Plug-ins > MFT> Browse |
Add or update configurations for your integration with Control-M MFT:
|
Configuration > Plug-ins > MFT> Update |
Delete configurations from the integration with Control-M MFT:
|
Configuration > Plug-ins > MFT> Full |
Provision agents and plug-ins:
|
Configuration > Agents > Update |
Access details of "run as" users:
|
Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition > Browse |
Add or update "run as" users:
|
Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition > Update |
Delete a "run as" user:
|
Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition > Full |
Manage host groups (groups of agents):
|
Configuration > More (Users, Roles, Run as and Admin) > Advanced admin authorizations > on |
Access details of roles, users, and LDAP groups:
|
Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Browse |
Manage authorizations of roles, users, and LDAP groups:
|
Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Update |
Delete authorizations of roles and users:
|
Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Full |
Authorizations for Building and Deploying Definitions of Jobs and Job-related Objects
The following table lists the minimum authorizations that a role needs for building and deploying definitions of jobs and job-related objects using the Build Service and Deploy Service. You access these authorization settings through Role settings in Helix Control-M, on the Access control tab.
API functions and commands |
Required authorization level |
---|---|
Build job definitions:
|
No special authorization required beyond the Authorizations for API Access and Authentication |
Retrieve deployed definitions, with different API commands for the various types of objects:
|
Depending on the type of object:
|
Deploy job definitions:
|
Depending on the objects included in the definitions file:
|
Delete objects:
|
Depending on the type of object:
|
Authorizations for Running Jobs and Managing Job-related Objects
The following table lists the minimum authorizations that a role needs for running jobs and managing job-related objects using the Run Service. You access these authorization settings through Role settings in Helix Control-M, on the Access control tab.
API functions and commands |
|
---|---|
Run jobs and folders:
|
Planning > Folders > Update, with additional Order option selected + Planning > Run as, for defined "Run as" names or patters |
Access job status:
|
Monitoring > Job permissions, with the relevant View options selected |
Perform job actions:
|
Monitoring > Job permissions, with the relevant Actions options selected |
Manage variables: |
|
|
Planning > Pool Variables > Browse |
|
Planning > Pool Variables > Update |
|
Planning > Pool Variables > Full |
Manage events: |
|
|
Tools > Events > Browse |
|
Tools > Events > Update |
|
Tools > Events > Full |
Manage services:
|
Monitoring > Service permissions, with specification of services and optional job drill-down |
Manage resources: |
|
|
Tools > Resource Lock >Browse Tools > Resource Pool > Browse |
|
Tools > Resource Lock >Update Tools > Resource Pool > Update |
|
Tools > Resource Lock >Full Tools > Resource Pool > Full |