Applying Authorizations for API Functionalities and Services

Through Helix Control-M, you can control the level of authorization that each of your defined roles has to the various API functionalities and services. The following series of tables summarizes the authorization levels that are required for the various API commands.

You access these authorization settings through Role settings in Helix Control-M. For detailed instructions on how to apply these authorizations, see User and Role Authorizations in the Helix Control-M online documentation.

When you turn on Advanced admin authorizations, the following authorizations are automatically set to Full (for all items of each type). You do not need to manually set these types of authorizations in Administrator-level roles.

  • Configuration > Agents

  • Configuration > Plug-ins

  • Configuration > Connection Profiles

  • Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition

Authorizations for API Access and Authentication

For access to the API, your role must have the Automation API access setting turned on, on the General tab in the Role settings. This enables all users associated with the role to manage their API tokens using the Authentication Service.

In addition, an administrator can manage other users' API tokens through the Helix Control-M GUI. To enable this admin-level control, the admin's role must have the following authorizations on the Access control tab in the Role settings:

  • Configuration > More (Users, Roles, Run as and Admin) > Advanced admin authorizations > on

  • Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Browse (or higher)

Authorizations for Usage Reports

To enable admin-level users to generate usage reports using the Usage Report Service, the admin's role must have the following setting turned on, on the Access control tab in the Role settings:

Configuration > More (Users, Roles, Run as and Admin) > Advanced admin authorizations

Authorizations for Configuration and Provisioning

The following table lists the minimum authorizations that a role needs for performing administrative tasks using the Config Service and Provision Service. You access these authorization settings through Role settings in Helix Control-M, on the Access control tab.

API functions and commands

Required authorization level

Access configuration topology information:

  • config servers::get

  • config server:agents::get

Configuration > Agents > none required

Access detailed configuration item information:

  • config server:agent:params::get

  • config server:agent:param::set

Configuration > Agents > Full

Add or update configurations of major Control-M components:

  • config server:agent::disable

  • config server:agent::enable

  • config server:agent::ping

Configuration > Agents > Update

Delete configurations of major Control-M components:

  • config server:agent::delete

Configuration > Agents > Full

Access details of the setup of your integration with Control-M Managed File Transfer (MFT):

  • config server:agent:mft:pgpTemplates::get

  • config server:agent:mft:zostemplates::get

  • config server:agent:mft:fts:settings::get

  • config server:agent:mft:configuration::get

Configuration > Plug-ins > MFT > Browse

Add or update configurations for your integration with Control-M MFT:

  • config server:agent:mft:ssh:key::generate

  • config server:agent:mft:ssh:ssh:host::authorize

  • config server:agent:mft:ssh:cluster::authorize

  • config server:agent:mft:pgpTemplate::add

  • config server:agent:mft:pgpTemplate::update

  • config server:agent:mft:zostemplate::add

  • config server:agent:mft:zostemplate::update

  • config server:agent:mft:fts:settings::update

  • config server:agent:mft:configuration::update

Configuration > Plug-ins > MFT > Update

Delete configurations from the integration with Control-M MFT:

  • config server:agent:mft:pgpTemplate::delete

  • config server:agent:mft:zostemplate::delete

Configuration > Plug-ins > MFT > Full

Provision agents and plug-ins:

  • provision agent::setup

  • provision agent::install

Configuration > Agents > Update

Access details of "run as" users:

  • config server:runasuser::get

  • config server:runasuser::test

  • config server:runasusers::get

Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition > Browse

Add or update "run as" users:

  • config server:runasuser::add

  • config server:runasuser::update

Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition > Update

Delete a "run as" user:

  • config server:runasuser::delete

Configuration > More (Users, Roles, Run as and Admin) > Access level to the "Run as" definition > Full

Manage host groups (groups of agents):

  • config server:hostgroups::get

  • config server:hostgroup:agents::get

  • config server:hostgroup:agent::add

  • config server:hostgroup:agent::delete

  • config server:hostgroup::update

  • config server:hostgroup::delete

Configuration > More (Users, Roles, Run as and Admin) > Advanced admin authorizations > on

Access details of roles, users, and LDAP groups:

  • config authorization:role::get

  • config authorization:roles::get

  • config authorization:user::get

  • config authorization:users::get

  • config authorization:ldap:roles::get

  • config authorization:role:associates

  • config authorization:user:effectiverights::get

Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Browse

Manage authorizations of roles, users, and LDAP groups:

  • config authorization:role::add

  • config authorization:role::update

  • config authorization:user::add

  • config authorization:user::update

  • config authorization:user:role::add

  • config authorization:user:role::delete

  • config authorization:ldap:role::add

  • config authorization:ldap:role::delete

Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Update

Delete authorizations of roles and users:

  • config authorization:role::delete

  • config authorization:user::delete

Configuration > More (Users, Roles, Run as and Admin) > Users & Roles > Full
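The following least-privilege check is an added example, not BMC code: it takes a subset of the rows in the table above and computes the minimum authorizations for the commands a token actually calls, then lists where an existing role exceeds them. The function names, the "off" label, and the sample command list are assumptions made for illustration.

```python
RANK = {"none": 0, "Browse": 1, "Update": 2, "Full": 3}  # ascending privilege
MORE = "Configuration > More (Users, Roles, Run as and Admin) > "
AGENTS = "Configuration > Agents"
MFT = "Configuration > Plug-ins > MFT"
RUN_AS = MORE + 'Access level to the "Run as" definition'
USERS_ROLES = MORE + "Users & Roles"
ADVANCED = MORE + "Advanced admin authorizations"

# Subset of the table above: command -> (authorization, minimum level).
REQUIRED = {
    "config servers::get": (AGENTS, "none"),
    "config server:agent::ping": (AGENTS, "Update"),
    "config server:agent:params::get": (AGENTS, "Full"),
    "provision agent::install": (AGENTS, "Update"),
    "config server:agent:mft:configuration::get": (MFT, "Browse"),
    "config server:runasusers::get": (RUN_AS, "Browse"),
    "config authorization:users::get": (USERS_ROLES, "Browse"),
    "config authorization:user:role::add": (USERS_ROLES, "Update"),
    "config server:hostgroups::get": (ADVANCED, "on"),
}

def minimum_grants(commands):
    """Return ({authorization: level}, [commands missing from REQUIRED])."""
    grants, unknown = {}, []
    for cmd in commands:
        if cmd not in REQUIRED:
            unknown.append(cmd)  # look it up in the table; never guess a level
            continue
        path, level = REQUIRED[cmd]
        if path == ADVANCED:
            grants[path] = "on"
        elif RANK[level] > RANK[grants.get(path, "none")]:
            grants[path] = level
    return grants, unknown

def excess_grants(role, commands):
    """List (authorization, granted, needed) where the role exceeds the minimum."""
    needed, _ = minimum_grants(commands)
    excess = []
    for path, granted in role.items():
        want = needed.get(path, "none")
        if path == ADVANCED and granted == "on" and want != "on":
            excess.append((path, "on", "off"))
        elif path != ADVANCED and RANK[granted] > RANK[want]:
            excess.append((path, granted, want))
    return excess

# Constructed sample: commands called by a hypothetical monitoring token.
PIPELINE = ["config servers::get", "config server:agent::ping", "config server:runasusers::get"]
```

A role flagged for Advanced admin authorizations deserves the closest look, because turning that setting on also sets Agents, Plug-ins, Connection Profiles, and the "Run as" definition to Full.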

Authorizations for Building and Deploying Definitions of Jobs and Job-related Objects

The following table lists the minimum authorizations that a role needs for building and deploying definitions of jobs and job-related objects using the Build Service and Deploy Service. You access these authorization settings through Role settings in Helix Control-M, on the Access control tab.

API functions and commands

Required authorization level

Build job definitions:

  • build

No special authorization required beyond the Authorizations for API Access and Authentication

Retrieve deployed definitions, with different API commands for the various types of objects:

  • deploy jobs::get

  • deploy calendars::get

  • deploy sitestandard:fieldRestriction::get

  • deploy ai:jobtypes::get

  • deploy connectionprofiles:centralized::get

  • deploy connectionprofiles:centralized:status::get

  • deploy connectionprofile:centralized::deploymentstatus

Depending on the type of object:

  • Planning > Folders > Browse

  • Tools > Site Standards > Browse

  • Tools > Calendars > Browse

  • Tools > Application Integrator > Full

  • Configuration > Connection Profiles > Browse

Deploy job definitions:

  • deploy

  • deploy ai:jobtype

  • deploy sitestandard:fieldRestriction::replaceValues

Depending on the objects included in the definitions file:

  • Planning > Folders > Update

  • Planning > Run as > Specify 'Run as' pattern and Agent/Host Group

  • Tools > Site Standards > Update

  • Tools > Calendars > Update

  • Tools > Application Integrator > Full

  • Configuration > Connection Profiles > Full to create new connection profiles

    or

    Configuration > Connection Profiles > Update to modify existing connection profiles

Delete objects:

  • deploy folder::delete

  • deploy calendar::delete

  • deploy connectionprofile:centralized::delete

Depending on the type of object:

  • Planning > Folders > Full

  • Tools > Calendars > Full

  • Configuration > Connection Profiles > Full

Authorizations for Running Jobs and Managing Job-related Objects

The following table lists the minimum authorizations that a role needs for running jobs and managing job-related objects using the Run Service. You access these authorization settings through Role settings in Helix Control-M, on the Access control tab.

API functions and commands

Required authorization level

Run jobs and folders:

  • run

  • run order

Planning > Folders > Update, with additional Order option selected

+

Planning > Run as, for defined "Run as" names or patterns

Access job status:

  • run status

  • run job::get

  • run jobs:status::get

  • run job:status::get

  • run job:output::get

  • run job:log::get

  • run job:statistics::get

Monitoring > Job permissions, with the relevant View options selected

Perform job actions:

  • run job::confirm

  • run job::delete

  • run job::free

  • run job::hold

  • run job::kill

  • run job::rerun

  • run job::runNow

  • run job::setToOk

  • run job::undelete

Monitoring > Job permissions, with the relevant Actions options selected

Manage variables:

  • run variables::get

Planning > Pool Variables > Browse

  • run variables::set

Planning > Pool Variables > Update

  • run variables::delete

Planning > Pool Variables > Full

Manage events:

  • run events::get

Tools > Events > Browse

  • run event::add

Tools > Events > Update

  • run event::delete

Tools > Events > Full

Manage services:

  • run services:sla::get

Monitoring > Service permissions, with specification of services and optional job drill-down

Manage resources:

  • run resources::get

Tools > Resource Lock > Browse

Tools > Resource Pool > Browse

  • run resource::add

  • run resource::update

Tools > Resource Lock > Update

Tools > Resource Pool > Update

  • run resource::delete

Tools > Resource Lock > Full

Tools > Resource Pool > Full