Authorizations for API Functionalities and Services

As an administrator, you can control the levels of authorizations that each of your defined roles has to the various API functionalities and services. You configure these authorizations through the Configuration domain in Control-M SaaS. For more information, see User and Role Authorizations.

The following authorizations are automatically set to Full (for all items of each type) when you turn on Advanced admin authorizations. You do not need to manually set these types of authorizations in Administrator-level roles.

  • Configuration > Agents

  • Configuration > Plug-ins

  • Configuration > Connection Profiles

  • Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition

API Authentication and Usage Reports

The following table lists the minimum authorizations that are required for access to Control-M Automation API and for generating usage reports:

API Functions and Commands

Required Authorization Level

Manage your own API tokens using the Authentication Service.

Role settings > General tab > Automation API access

Manage the API tokens of other users, as an administrator, through Control-M SaaS.

Admin role settings > Access Control tab:

  • Configuration > More (Users, Roles, Run as and Admin) > Advanced admin authorizations > on

  • Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Browse

Generate reports, as an administrator, using the Usage Report Service.

Admin role settings > Access Control tab > Configuration > More (Users, Roles, Run as and Admin) > Advanced admin authorizations > on

Configuration and Provisioning Authorizations

The following table lists the minimum authorizations that a role needs for performing administrative tasks using the Config Service and Provision Service. You can access these authorization settings through Role settings in Control-M SaaS, on the Access control tab.

API Functions and Commands

Required Authorization Level

Access configuration topology information:

  • config servers::get

  • config server:agents::get

Configuration > Agents > None

Access detailed configuration item information:

  • config server:agent:params::get

  • config server:agent:param::set

Configuration > Agents > Full

Add or update configurations of major Control-M components:

  • config server:agent::disable

  • config server:agent::enable

  • config server:agent::ping

Configuration > Agents > Update

Delete configurations of major Control-M components:

  • config server:agent::delete

Configuration > Agents > Full

Access details of the setup of your integration with Control-M Managed File Transfer (MFT):

  • config server:agent:mft:pgpTemplates::get

  • config server:agent:mft:zostemplates::get

  • config server:agent:mft:fts:settings::get

  • config server:agent:mft:configuration::get

Configuration > Plug-ins > MFT > Browse

Add or update configurations for your integration with Control-M MFT:

  • config server:agent:mft:ssh:key::generate

  • config server:agent:mft:ssh:ssh:host::authorize

  • config server:agent:mft:ssh:cluster::authorize

  • config server:agent:mft:pgpTemplate::add

  • config server:agent:mft:pgpTemplate::update

  • config server:agent:mft:zostemplate::add

  • config server:agent:mft:zostemplate::update

  • config server:agent:mft:fts:settings::update

  • config server:agent:mft:configuration::update

Configuration > Plug-ins > MFT > Update

Delete configurations from the integration with Control-M MFT:

  • config server:agent:mft:pgpTemplate::delete

  • config server:agent:mft:zostemplate::delete

Configuration > Plug-ins > MFT > Full

Provision agents and plug-ins:

  • provision agent::setup

  • provision agent::install

Configuration > Agents > Update

Access details of "run as" users:

  • config server:runasuser::get

  • config server:runasuser::test

  • config server:runasusers::get

Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition > Browse

Add or update "run as" users:

  • config server:runasuser::add

  • config server:runasuser::update

Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition > Update

Delete a "run as" user:

  • config server:runasuser::delete

Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition > Full

Manage host groups (groups of agents):

  • config server:hostgroups::get

  • config server:hostgroup:agents::get

  • config server:hostgroup:agent::add

  • config server:hostgroup:agent::delete

  • config server:hostgroup::update

  • config server:hostgroup::delete

Configuration > More (Users, Roles, Run as and Admin) > Advanced admin authorizations > on

Access details of roles, users, and LDAP groups:

  • config authorization:role::get

  • config authorization:roles::get

  • config authorization:user::get

  • config authorization:users::get

  • config authorization:ldap:roles::get

  • config authorization:role:associates

  • config authorization:user:effectiverights::get

Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Browse

Manage authorizations of roles, users, and LDAP groups:

  • config authorization:role::add

  • config authorization:role::update

  • config authorization:user::add

  • config authorization:user::update

  • config authorization:user:role::add

  • config authorization:user:role::delete

  • config authorization:ldap:role::add

  • config authorization:ldap:role::delete

Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Update

Delete authorizations of roles and users:

  • config authorization:role::delete

  • config authorization:user::delete

Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Full
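The minimum levels in the table above can be used to audit a role for least privilege. The following Python code is an added example, not part of the Control-M documentation or product: it assumes the levels are ordered None < Browse < Update < Full, uses hypothetical function names, encodes only a subset of the rows, and runs on a constructed sample role.

```python
# Added example: least-privilege audit using rows from the table above.
LEVELS = ["None", "Browse", "Update", "Full"]  # assumed ordering, lowest first

AGENTS = "Configuration > Agents"
MORE = "Configuration > More (Users, Roles, Run as and Admin)"
RUN_AS = MORE + ' > Access level to the "Run as" definition'
USERS_ROLES = MORE + " > Users & Roles"

# Subset of the page's table: command -> (authorization setting, minimum level)
MINIMUM = {
    "config servers::get": (AGENTS, "None"),
    "config server:agent::ping": (AGENTS, "Update"),
    "config server:agent::delete": (AGENTS, "Full"),
    "config server:runasuser::get": (RUN_AS, "Browse"),
    "config server:runasuser::add": (RUN_AS, "Update"),
    "config server:runasuser::delete": (RUN_AS, "Full"),
    "config authorization:users::get": (USERS_ROLES, "Browse"),
    "config authorization:role::update": (USERS_ROLES, "Update"),
    "config authorization:role::delete": (USERS_ROLES, "Full"),
}


def required_levels(commands):
    """Return the highest minimum level needed per setting, plus unmapped commands."""
    needed, unknown = {}, []
    for cmd in commands:
        if cmd not in MINIMUM:
            unknown.append(cmd)  # never guess an authorization for an unlisted command
            continue
        setting, level = MINIMUM[cmd]
        current = needed.get(setting, "None")
        needed[setting] = max(current, level, key=LEVELS.index)
    return needed, unknown


def audit_role(granted, commands):
    """Compare a role's granted levels with what its commands need."""
    needed, unknown = required_levels(commands)
    missing, excess = {}, {}
    for setting in set(needed) | set(granted):
        have = LEVELS.index(granted.get(setting, "None"))
        need = LEVELS.index(needed.get(setting, "None"))
        if have < need:
            missing[setting] = LEVELS[need]
        elif have > need:
            excess[setting] = (LEVELS[have], LEVELS[need])
    return {"missing": missing, "excess": excess, "unknown": unknown}


# Constructed sample: a pipeline role that pings agents and reads "run as" users
PIPELINE_COMMANDS = ["config server:agent::ping", "config server:runasuser::get"]
PIPELINE_GRANTS = {AGENTS: "Full", RUN_AS: "Browse", USERS_ROLES: "Browse"}
```

A role with Advanced admin authorizations turned on will always report Full for Agents and the "Run as" definition, because those levels are set automatically as described at the top of this page.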

Build and Deploy Authorizations

The following table lists the minimum authorizations that a role needs for building and deploying definitions of jobs and job-related objects using the Build Service and Deploy Service. You can access these authorization settings through Role settings in Control-M SaaS, on the Access control tab.

API Functions and Commands

Required Authorization Level

Build job definitions:

  • build

No special authorization required beyond the API Authentication Authorizations

Retrieve deployed definitions, with different API commands for the various types of objects:

  • deploy jobs::get

  • deploy calendars::get

  • deploy sitestandard:fieldRestriction::get

  • deploy ai:jobtypes::get

  • deploy connectionprofiles:centralized::get

  • deploy connectionprofiles:centralized:status::get

  • deploy connectionprofile:centralized::deploymentstatus

Depends on the type of object:

  • Planning > Folders > Browse

  • Tools > Site Standards > Browse

  • Tools > Calendars > Browse

  • Tools > Application Integrator > Full

  • Configuration > Connection Profiles > Browse

Deploy job definitions:

  • deploy

  • deploy ai:jobtype

  • deploy sitestandard:fieldRestriction::replaceValues

Depends on the objects included in the definitions file:

  • Planning > Folders > Update

  • Planning > Run as > Specify 'Run as' pattern and Agent/Host Group

  • Tools > Site Standards > Update

  • Tools > Calendars > Update

  • Tools > Application Integrator > Full

  • Configuration > Connection Profiles > Full to create new connection profiles

    or

    Configuration > Connection Profiles > Update to modify existing connection profiles

Delete objects:

  • deploy folder::delete

  • deploy calendar::delete

  • deploy connectionprofile:centralized::delete

Depends on the type of object:

  • Planning > Folders > Full

  • Tools > Calendars > Full

  • Configuration > Connection Profiles > Full

Job Run and Management Authorizations

The following table lists the minimum authorizations that a role needs for running jobs and managing job-related objects using the Run Service. You can access these authorization settings through Role settings in Control-M SaaS, on the Access control tab.

API Functions and Commands

Required Authorization Level

Run jobs and folders:

  • run

  • run order

Planning > Folders > Update, with additional Order option selected

+

Planning > Run as, for defined "Run as" names or patterns

Access job status:

  • run status

  • run job::get

  • run jobs:status::get

  • run job:status::get

  • run job:output::get

  • run job:log::get

  • run job:statistics::get

Monitoring > Job permissions, with the relevant View options selected

Perform job actions:

  • run job::confirm

  • run job::delete

  • run job::free

  • run job::hold

  • run job::kill

  • run job::rerun

  • run job::runNow

  • run job::setToOk

  • run job::undelete

Monitoring > Job permissions, with the relevant Actions options selected

Manage variables:

  • run variables::get

  • run variables::set

  • run variables::delete

Depends on the action:

  • Get: Planning > Pool Variables > Browse

  • Set: Planning > Pool Variables > Update

  • Delete: Planning > Pool Variables > Full

Manage events:

  • run events::get

  • run event::add

  • run event::delete

Depends on the action:

  • Get: Tools > Events > Browse

  • Add: Tools > Events > Update

  • Delete: Tools > Events > Full

Manage services:

  • run services:sla::get

Monitoring > Service permissions, with specification of services and optional job drill-down

Manage resources:

  • run resources::get

  • run resource::add

  • run resource::update

  • run resource::delete

Authorization level under Tools > Resource Lock or Tools > Resource Pool depends on the action:

  • Get: Browse

  • Add or Update: Update

  • Delete: Full