Authorization Configuration

The config authorization service enables you to manage the authorizations of roles and users, as well organization groups and users (such as LDAP or IdP groups and users), limiting their access to various Control-M entities and actions.

You can configure authorizations with the following API commands:

If you enable a SAML2 identity provider for Single Sign On (SSO) authentication, certain user authorization management actions are no longer relevant and cannot be performed. These include adding, updating, or deleting a user, as well as getting user details.

Role Configuration

The following API commands are available for the configuration of role authorizations:

config authorization:role::add

The config authorization:role::add command enables you to create a new role based on role settings that you define through a role data file.

CLI Syntax

Copy 
ctm config authorization:role::add <roleFile>

where roleFile is the full path and name of a .json payload file that contains role definitions, as described in Role Definitions File.

If annotation is enabled for the Account Management category in Control-M, you must also provide an annotation to justify your action. For more information, see Annotation Input.

REST API Syntax

cURL:

Copy 
curl -H "x-api-key: $token" -F "roleFile=@roleDefinition.json"
-X POST $endpoint/config/authorization/role

config authorization:role::get

The config authorization:role::get command enables you to get the details of an existing role, as defined in the role data file.

Only parameters that are set to non-default values are retrieved and displayed in the output.

For similar details for a user, calculated from all associated roles, see config authorization:user:effectiverights::get.

CLI Syntax

Copy 
ctm config authorization:role::get <role>

where role is the name of the role.

REST API Syntax

cURL:

Copy 
roleName=myRole
curl -H "x-api-key: $token"
"$endpoint/config/authorization/role/$roleName"

config authorization:role::update

The config authorization:role::update command enables you to update the definitions of an existing role based on role settings that you define through a role data file.

You cannot make changes in the Admin role that is provided out-of-the-box in Helix Control-M.

Besides applying all settings that are explicitly defined in the role data file, the Update process also sets all remaining settings to default values. Therefore, as a best practice, perform the following sequence of steps:

Begin

  1. Obtain ALL current role settings by running the config authorization:role::get command.

  2. Use the output from the previous step to create your role data file, a .json file.

  3. In the role data file, change the specific settings that you want to update, and keep all other content in the file.

    For full details about all role settings, see Role Definitions File.

  4. Proceed with running the Update command.

CLI Syntax

Copy 
ctm config authorization:role::update <role> <roleFile>

The following table describes the config authorization:role::update command parameters.

Parameter

Description

role

Name of the role that you want to update.

roleFile

Full path and name of a .json payload file that contains role definitions, as described in Role Definitions File.

If annotation is enabled for the Account Management category in Control-M, you must also provide an annotation to justify your action. For more information, see Annotation Input.

REST API Syntax

cURL:

Copy 
roleName=myRole
curl -H "x-api-key: $token" -F "roleFile=@roleDefinition.json"
-X POST "$endpoint/config/authorization/role/$roleName"

config authorization:role::delete

The config authorization:role::delete command enables you to delete an existing role and disassociates all users who were associated with the role.

Before deleting a role, use the config authorization:role::get command to identify the Agent tag(s) with which it is associated. After deleting the role, it is recommended that you refresh any Agent tokens that are associated with the Agent tag(s) that you identified. For more information, see Generating an Agent Token.

You cannot delete the Admin role that is provided out-of-the-box in Helix Control-M.

CLI Syntax

Copy 
ctm config authorization:role::delete <role>

where role is the name of the role.

If annotation is enabled for the Account Management category in Control-M, you must also provide an annotation to justify your action. For more information, see Annotation Input.

REST API Syntax

cURL:

Copy 
roleName=myRole
curl -H "x-api-key: $token" -X DELETE "$endpoint/config/authorization/role/$roleName"

config authorization:roles::get

The config authorization:roles::get command enables you to get a list of names of configured roles.

CLI Syntax

Copy 
ctm config authorization:roles::get [-s <search query>]

The optional -s switch can be used to filter for roles by role name or description (or both). The format for the query string is "field1=criteria1&field2=criteria2", according to the following guidelines:

Fields

Criteria

Examples

  • role

  • description

  • Use * or ? for wildcards.

  • Use , to specify multiple values for a field.

  • "description=Ad*"

  • "role=AdminRole&description=Ad*"

  • "role=AdminRole,OperatorRole"

If you include multiple fields in the query, separate them with an &.

REST API Syntax

cURL:

Copy 
roleName=Adm*
curl -H "x-api-key: $token" $endpoint/config/authorization/roles?role=$roleName

config authorization:role:associates

The config authorization:role:associates command enables you to get a list of all users, organization users, and organization groups to which a specific role is associated.

CLI Syntax

Copy 
ctm config authorization:role:associates <role>

where role is the name of the role.

REST API Syntax

cURL:

Copy 
roleName=myRole
curl -H "x-api-key: $token" $endpoint/config/authorization/role/$roleName/associates

Response

The following sample response shows 3 associations with a role: 1 organization user, 1 organization group (an LDAP group), and 1 Control-M user.

Copy 
[
{
   "type": "orguser",
   "name": "orgUser"
},
{
   "type": "ldapgroup",
   "name": "AdminGroup"
},
{
   "type": "user",
   "name": "Bob"
}
]

Role Definitions File

The following code sample shows the available objects that you can include within a payload JSON file that contains role definitions. Details about each of these objects and their properties are provided below.

Copy 
{
    "Name": "AdminRole",
    "Description": "Administration role",
    "OrganizationGroups": ["idp1", "idp2"],
    "OrganizationUsers": ["usr1", "usr2"], 
    "AllowedJobs": {
        "Included": [
           [["Folder", "like", "a*"], ["JobName", "like", "c*,d*"]],
           [["Folder", "like", "b*"], ["JobName", "like", "e*,f*"}]
        ]
    },
    "AllowedJobActions": {
        "ViewProperties": true,
        "SetToOk": true,
        "Documentation": true,
        "Confirm": true,
        "Log": true
    },
    "Privileges": {
        "ClientAccess": {
           "ApplicationIntegratorAccess": "None"
           },
        "ConfigurationManager": {
           "Authorization": "Browse",
           "Configuration": "Full",
            "ControlmSecurity": "Full"
           }   
    },
    "Folders": [{
        "Privilege": "Full",
        "ControlmServer":  "*",
        "Folder": "ccc*",
        "Run": true
    }],
    "Calendars": [{
        "Privilege": "Full",
        "ControlmServer": "*",
        "Name": "bbb*"
    }],
    "RunasUsers": [{
        "ControlmServer": "*",
        "RunasUser": "aaa*",
        "Host": "bbb*"
    }],
    "SiteStandard": [{
        "Privilege": "Full",
        "Name": "*"
    }],
    "SiteCustomization": [{
        "Privilege": "Full",
        "Name": "*"
    }],
    "Services": [{
        "Privilege": "Full",
        "Name": "*",
        "AllowedActions":
            {"DrillDown": true}
    }],
    "Events": [{
        "Privilege": "Full",
        "ControlmServer": "*",
        "Name": "*"
    }],
    "Locks": [{
        "Privilege": "Full",
        "ControlmServer": "*",
        "Name": "*"
    }],
    "Pools": [{
        "Privilege": "Full",
        "ControlmServer": "*",
        "Name": "*"
    }],
    "Variables" : [ {
        "Privilege" : "Full",
        "Name" : "*"
    }],
    "AgentManagement": [
      {
        "ControlmServer": "*",
        "Agent": "agent3",
        "Privilege": "Browse"
      },
      {
        "ControlmServer": "*",
        "Agent": "agent4",
        "Privilege": "Update"
      }
    ],
    "PluginManagement": [
      {
        "ControlmServer": "*",
        "Agent": "agent3",
        "PluginType": "SAP",
        "Privilege": "Browse"
      },
      {
        "ControlmServer": "*",
        "Agent": "agent4",
        "PluginType": "DATABASE",
        "Privilege": "Update"
      }
    ],
    "ConnectionProfileManagement": [
      {
        "ControlmServer": "*",
        "Agent": "agent3",
        "PluginType": "SAP",
        "Name": "cpp3*",
        "Privilege": "Browse"
      },
      {
        "ControlmServer": "*",
        "Agent": "agent4",
        "PluginType": "HADOOP",
        "Name": "cpp4*",
        "Privilege": "Update"
      }
    ],
    "RunasDefinitionManagement": [
      {
        "ControlmServer": "*",
        "Privilege": "Browse"
      }
    ]
}

General Role Settings

The following table describes the general role properties for the role that you are define.

Property

Description

Name

A unique name for the role (required property).

Description

An optional textual description of the role.

OrganizationGroups

A list of organization groups (such as LDAP groups or IdP groups) with which the role is associated.

OrganizationUsers

A list of organization users (such as LDAP users or IdP users) with which the role is associated.
Copy 
"Name": "AdminRole",
"Description": "Administration role",
"OrganizationGroups: ["idp1", "idp2"],
"OrganizationUsers": ["usr1", "usr2"],

AllowedJobs

Grants the role browse access to the output of jobs that you specify using include filters.

Copy 
"AllowedJobs": {
    "Included": [
       [["Folder", "like", "a*"], ["JobName", "like", "c*,d*"]],
       [["Folder", "like", "b*"], ["JobName", "like", "e*,f*"}]
    ]
}

The Included object under AllowedJobs lists filters for jobs that the role is authorized to access.

In this list, you can include one or more filters. An implied OR logical operator connects between the various filters.

Each filter can include multiple conditions, with an implied AND logical operator connecting between the conditions. A condition is a pattern-matching expression that detects jobs according to a specific job property. A condition has the following format:

["jobProperty", "operator", "value"]

The following table provides guidelines for specifying the various elements within the filter condition.

Job Property

Operator

Value

The following properties are available:

  • Application

  • ApplicationType

  • Folder

  • Host (of the Agent)

  • JobName

  • OrderDate

  • Runas

  • SubApplication

Choose one of the following:

  • eq: (equals).

  • ne (does not equal).

  • ge (greater than or equals).

  • le (less than or equals).

  • like

Specify an appropriate string as the property value.

For multiple values, you can use commas (,).

If using the like operator, you can also use wildcards (* or ?).

AllowedJobActions

Authorizes the role to perform specific actions (browse actions, control actions, or update actions) on the jobs filtered through the AllowedJobs object and the folders specified through the Folders object.

Copy 
"AllowedJobActions": {
    "ViewProperties": true,
    "SetToOk": true,
    "Documentation": true,
    "Confirm": true,
    "Log": true
}

Under the AllowedJobsActions object, you define which job actions the role is authorized to perform. Each action is set to either true (allowed) or false (not allowed). The default is false.

The following table lists all available job actions. For your convenience, the actions in this table are divided into categories — Browse actionsand Control actions.

Browse Actions

Control Actions

  • Documentation

  • Log

  • ViewProperties

  • Statistics

  • ViewOutputList

  • Why

  • Bypass

  • Confirm

  • Delete

  • EditProperties

  • Free

  • Hold

  • Kill

  • Rerun

  • SetToOk

  • Undelete

Privileges

Grants the role access to various Helix Control-M components, utilities, and tools, and authorizes the role to perform actions through these tools based on the defined access levels.

Copy 
"Privileges": {
    "ClientAccess": {
       "ApplicationIntegratorAccess": "Full"
       },
    "ConfigurationManager": {
       "Authorization": "Browse",
       "Configuration": "Full",
       "ControlmSecurity": "Full"
       }   
}

Under the Privileges object, various Helix Control-M features and capabilities are categorized and grouped together under the following next-level objects:

  • ClientAccess

  • ConfigurationManager

  • Monitoring

The following table lists all the product features and capabilities in these categories, and provides details of the authorization levels that are available for each feature. The default authorization for all features is None.

Helix Control-M Feature

(Divided by Category)

Description

 

Available Authorizations

Full

Update

Browse

None

ClientAccess

ApplicationIntegratorAccess

Access Control-M Application Integrator

Yes

Yes

Yes

Yes

AutomationAPIAccess

Access Control-M Automation API

Yes

No

No

Yes

ConfigurationManager

Authorization

Manage authorizations of users and roles.

Yes

Yes

Yes

Yes

Configuration

Advanced admin management of configurations*.

Yes

No

No

Yes

ControlmSecurity

Advanced admin management of Helix Control-M security*.

Yes

No

No

Yes

Monitoring

Alert

Manage alerts.

Yes

Yes

Yes

Yes

* Configuration and ControlmSecurity must be set to the same authorization level. If these features are set to Full, all RBA settings (AgentManagement, PluginManagement, ConnectionProfileManagement, and RunasDefinitionManagement) are regarded as set to Full for all items of each type.

Folders

Grants the role access to specific folders, along with an authorization level for each folder. Also enables you to grant different authorizations per job within a specific folder based on Application or Sub Application criteria.

Copy 
"Folders": [{
    "Privilege": "Full",
    "ControlmServer":  "*",
    "Folder": "ccc*",
    "Run": true
}]

The following table describes the Folders object properties.

Property

Description

Privilege

Level of authorization to assign for the specified folder (or folders) — Full, Update, or Browse.

This property is required.

ControlmServer

Name of (one or more) Server that processes jobs.

This property is optional if you specify a value for Folder (the next property).

Folder

Name of folder or folders.

This property is optional if you specify a value for ControlmServer (the previous property).

Run

Whether users associated with the role can run specific folders — true or false.

This option is independent of the access levels that you set through Privileges. You can enable associated users to run folders on all access levels.

This option also determines whether associated users can use the Run option in the Monitoring domain in Control-M.

For properties that support multiple values (ControlmServer, Folder, Application, and SubApplication), you can use , (commas) or wildcards (such as * or ?).

Calendars

Associates specific calendars in Control-M with the role, along with an authorization level for each calendar.

Copy 
"Calendars": [{
    "Privilege": "Full",
    "ControlmServer": "*",
    "Name": "bbb*"
}]

The following table describes the Calendars object properties.

Property

Description

Privilege

Level of authorization to assign for the specified calendar (or calendars) —Full, Update, or Browse.

This property is required.

ControlmServer

Name of (one or more) Server that processes jobs.

If this property is not defined, privileges are granted for the specified calendar (next property) on all Servers in the environment.

Name

Name of calendar or calendars.

If this property is not defined, privileges are granted for all calendars on the specified Server (previous property).

For properties that support multiple values (ControlmServer and Name), you can use commas (,) or wildcards (such as * or ?).

RunasUsers

Associates "run as" users with the role, for running jobs on an Agent.

For a role's RunasUser definitions to take effect on jobs in a folder, the same role must be granted sufficient folder privileges — either Full or Update privileges must be granted to the relevant Folders.

Copy 
"RunasUsers": [{
    "ControlmServer": "*",
    "RunasUser": "aaa*",
    "Host": "bbb*"
}]

The following table describes the RunasUsers object properties.

Property

Description

ControlmServer

Name of (one or more) Server that processes jobs.

RunasUser

Name of "run as" user(s) to be granted authorization to execute jobs.

Host

Name of an Agent computer, remote host computer, or host group where jobs are submitted.

You must define at least one of these properties. Once one property is defined, the implied value for any other undefined property is "*".

For multiple values in any of these properties, you can use , and wildcards (such as * or ?).

You might also want to specify values to be excluded.

To exclude user names root or Oracle, type the following:

"RunasUser": "!(root|Oracle)"

SiteStandard

Associates specific Site Standards with the role, along with an authorization level for each one.

Site Standards are collections of settings that are applied to folders and jobs to ensure that web users follow organization standards.

Copy 
"SiteStandard": [{
    "Privilege": "Full",
    "Name": "*"
}]

The following table describes the SiteStandard object properties. All parameters are required.

Property

Description

Privilege

Level of authorization to assign for the specified site standard(s) — Full, Update, or Browse.

Name

Name of site standard(s).

For multiple values, you can use commas (,) or wildcards (such as * or ?).

SiteCustomization

Associates specific Site Customizations (also known as user views) with the role, along with an authorization level for each one.

Site Customizations are collections of settings that are applied to jobs to limit web users' access to job properties or to restrict the types of jobs that web users can create.

Copy 
"SiteCustomization": [{
    "Privilege": "Full",
    "Name": "*"
}]

The following table describes the SiteCustomization object properties. All parameters are required.

Property

Description

Privilege

Level of authorization to assign for the specified site customization(s) — Full, Update, or Browse.

Name

Name of site customization(s).

For multiple values, you can use commas (,) or wildcards (such as * or ?).

Services

Grants the role authorization to view services and to perform job actions, order, hold, and release services.

A service is a group of jobs that are aggregated based on various job filtering criteria.

Copy 
"Services": [{
    "Privilege": "Full",
    "Name": "*",
    "AllowedActions":
        {"DrillDown": true}
}]

The following table describes the Services object properties.

Property

Description

Privilege

Level of authorization to assign for the specified service(s) — Full, Update, Browse, or None.

This property is required.

Name

Name of service(s).

For multiple values, you can use commas (,) or wildcards (such as * or ?).

This property is required.

AllowedActions

Actions that the role is authorized to perform on the service(s).

Currently, the only action that you can specify is DrillDown, that is, the ability to drill down when viewing jobs.

Specify the DrillDown action as a next-level property, and set it to a Boolean value — either true or false.

The default (if the property is not defined) is false.

Events

Grants the role authorization to manage events, by associating specific events with the role and assigning an authorization level to each one.

Copy 
"Events": [{
    "Privilege": "Full",
    "ControlmServer": "*",
    "Name": "*"
}]

The following table describes the Events object properties.

Property

Description

Privilege

Level of authorization to assign for the specified event(s) — Full, Update, or Browse.

This property is required.

ControlmServer

Name of (one or more) Server that processes jobs.

If this property is not defined, privileges are granted for the specified event (next property) on all Servers in the environment.

Name

Name of event(s).

If this property is not defined, privileges are granted for all events on the specified Server (previous property).

For properties that support multiple values (ControlmServer and Name), you can use commas (,) or wildcards (such as * or ?).

Locks

Grants the role authorization to manage locks (previously known as control resources or mutexes), by associating specific locks with the role and assigning an authorization level to each one.

Copy 
"Locks": [{
    "Privilege": "Full",
    "ControlmServer": "*",
    "Name": "*"
}]

The following table describes the Locks object properties.

Property

Description

Privilege

Level of authorization to assign for the specified lock (or locks) — Full, Update, or Browse.

This property is required.

ControlmServer

Name of (one or more) Server that processes jobs.

If this property is not defined, privileges are granted for the specified lock (next property) on all Servers in the environment.

Name

Name of lock or locks.

If this property is not defined, privileges are granted for all locks on the specified Server(previous property).

For properties that support multiple values (ControlmServer and Name), you can use commas (,) or wildcards (such as * or ?).

Pools

Grants the role authorization to manage pools (previously known as quantitative resources or semaphores), by associating specific pools with the role and assigning an authorization level to each one.

Copy 
"Pools": [{
    "Privilege": "Full",
    "ControlmServer": "*",
    "Name": "*"
}]

The following table describes the Pools object properties.

Property

Description

Privilege

Level of authorization to assign for the specified pool (or pools — Full, Update, or Browse.

This property is required.

ControlmServer

Name of (one or more) Server that processes jobs.

If this property is not defined, privileges are granted for the specified pool (next property) on all Servers in the environment.

Name

Name of pool or pools.

If this property is not defined, privileges are granted for all pools on the specified Server (previous property).

For properties that support multiple values (ControlmServer and Name), you can use commas (,) or wildcards (such as * or ?).

Variables

Associates specific variables with the role, along with an authorization level for each one.

Variables enable automatic assignment of dynamic environmental values to the execution parameters of jobs.

Copy 
"Variables": [{
    "Privilege": "Full",
    "Name": "*"
}]

The following table describes the mandatory Variables object properties.

Property

Description

Privilege

Level of authorization to assign for the specified variable(s)—Full, Update, or Browse.

Name

Name of variable(s).

For multiple values, you can use commas (,) or wildcards (such as * or ?).

AgentManagement

Grants the role authorization to manage agents and perform administrative tasks on agents (such as connect an Agent to a Server or configure agent parameters).

This object is used in Role-Based Administration (RBA), enabling an administrator to grant non-administrator roles permission to perform certain administrative tasks.

Copy 
"AgentManagement": [
  {
     "ControlmServer": "*",
     "Agent": "agent3",
     "Privilege": "Browse"
  },
  {
     "ControlmServer": "*",
     "Agent": "agent4",
     "Privilege": "Update"
  }
]

The following table describes the AgentManagement object properties for each specified Agent.

Property

Description

ControlmServer

Name of a Server that is associated with the Agent.

Agent

A tag that identifies the agent and serves as its logical name.

Privilege

Level of authorization to assign for the specified Agent — Full, Update, or Browse.

For properties that support multiple values (ControlmServer and Agent), you can use wildcards (such as * or ?).

If you turn on advanced admin authorizations by setting the Configuration and ControlmSecurity features to Full under the Privileges object and ConfigurationManager category, AgentManagement is automatically regarded as set to Full for all agents. In this case, set the ControlmServer and Agent properties to "*", and set Privilege to Full.

PluginManagement

Grants the role authorization to manage Control-M plug-ins and perform administrative tasks on plug-ins (such as plug-in configuration).

This object is used in Role-Based Administration (RBA), enabling an administrator to grant non-administrator roles permission to perform certain administrative tasks.

Copy 
"PluginManagement": [
  {
    "ControlmServer": "*",
    "Agent": "agent3",
    "PluginType": "SAP",
    "Privilege": "Browse"
  },
  {
    "ControlmServer": "*",
    "Agent": "agent4",
    "PluginType": "DATABASE",
    "Privilege": "Update"
  }
]

The following table describes the PluginManagement object properties for, each specified plug-in.

Property

Description

ControlmServer

Name of a Server that is associated with an Agent.

Agent

A tag that identifies the Agent and serves as its logical name.

PluginType

The type of Control-M plug-inthat you have installed in your Control-M environment and to which this role is granted access:

Plug-in Full Name

Plug-in Type Value

Control-M Managed File Transfer

FILE_TRANS

Control-M for Databases

DATABASE

Control-M for SAP

SAP

Control-M for Informatica

ETL_INFA

Control-M for Hadoop

HADOOP

Control-M Application Integrator

dynamic, dependent on user definitions

Control-M for AWS

AmazonEC2

Control-M for Azure

AZURE

For more information, see the list in Plug-ins.

Privilege

Level of authorization to assign for the specified plug-in—Full, Update, or Browse.

For properties that support multiple values (ControlmServer, Agent, and PluginType), you can use wildcards (such as * or ?).

ConnectionProfileManagement

Grants the role authorization to manage connection profiles and perform administrative tasks on connection profiles (such as create, update, or delete a connection profile).

This object is used in Role-Based Administration (RBA), enabling an administrator to grant non-administrator roles permission to perform certain administrative tasks.

Copy 
"ConnectionProfileManagement": [
  {
    "ControlmServer": "*",
    "Agent": "agent3",
    "PluginType": "SAP",
    "Name": "cpp3*",
    "Privilege": "Browse"
  },
  {
    "ControlmServer": "*",
    "Agent": "agent4",
    "PluginType": "HADOOP",
    "Name": "cpp4*",
    "Privilege": "Update"
  }
]

The following table describes the ConnectionProfileManagement object properties for each specified connection profile.

Property

Description

ControlmServer

Name of a Server that is associated with an Agent.

For a centralized connection profile, specify a value of "*" (all Servers).

Agent

A tag that identifies the agent and serves as its logical name.

For a centralized connection profile, specify a value of "*" (all agents).

PluginType

The type of Control-M plug-in that you have installed in your Control-M environment and to which this role is granted access.

For a list of values, see the corresponding property under PluginManagement.

For more information, see the list in Plug-ins.

Name

Name or name pattern of the connection profile.

Privilege

Level of authorization to assign for the specified connection profile — Full, Update, or Browse.

For properties that support multiple values (ControlmServer, Agent, PluginType, and Name), you can use wildcards (such as * or ?).

If you turn on advanced admin authorizations by setting the Configuration and ControlmSecurity features to Full under the Privileges object and ConfigurationManager category, ConnectionProfileManagement is automatically regarded as set to Full for all connection profiles. In this case, set the ControlmServer, Agent PluginType, and Name properties to "*", and set Privilege to Full.

RunasDefinitionManagement

Grants the role authorization to manage the configuration of "run as" users (that is, to perform administrative tasks such as create, update, or delete a "run as" user).

This object is used in Role-Based Administration (RBA), enabling an administrator to grant non-administrator roles permission to perform certain administrative tasks.

Copy 
"RunasDefinitionManagement": [
  {
    "ControlmServer": "*",
    "Privilege": "Browse"
  }
]

The following table describes the RunasDefinitionManagement object properties for each authorization.

Property

Description

ControlmServer

Name of a Server.

To specify a pattern, use an asterisk wildcard or any other supported character. 

Privilege

Level of authorization to assign for configuration of "run as" users on this Server — Full, Update, or Browse.

If you turn on advanced admin authorizations by setting the Configuration and ControlmSecurity features to Full under the Privileges object and ConfigurationManager category, RunasDefinitionManagement is automatically regarded as set to Full. In this case, set the ControlmServer property to "*" and Privilege to Full.

User Configuration

The following API commands are available for the configuration of user authorizations:

config authorization:user::add

The config authorization:user::add command enables you to create a new user based on user settings that you define through a user data file.

CLI Syntax

Copy 
ctm config authorization:user::add <userFile>

where <userFile> is the full path and name of a .json payload file that contains user definitions, as described in User Definitions File.

If annotation is enabled for the Account Management category in Control-M, you must also provide an annotation to justify your action. For more information, see Annotation Input.

REST API Syntax

cURL:

Copy 
curl -H "x-api-key: $token" -F "userFile=@userDefinition.json"
-X POST $endpoint/config/authorization/user

config authorization:user::get

The config authorization:user::get command enables you to get the details of an existing user (user name and associated roles), as defined in the user data file.

CLI Syntax

Copy 
ctm config authorization:user::get <user>

where <user> defines the username.

REST API Syntax

cURL:

Copy 
userName=myUser
curl -H "x-api-key: $token" "$endpoint/config/authorization/user/$userName"

config authorization:user::update

The config authorization:user::update command enables you to update the definitions of an existing user based on user settings that you define through a user data file.

CLI Syntax

Copy 
ctm config authorization:user::update <user> <userFile>

where <user> defines the username that you want to update, and <userFile> is the full path and name of a .json payload file that contains user definitions, as described in User Definitions File.

Note that you cannot update the username.

If annotation is enabled for the Account Management category in Control-M, you must also provide an annotation to justify your action. For more information, see Annotation Input.

REST API Syntax

cURL:

Copy 
userName=myuser
curl -H "x-api-key: $token" -F "userFile=@userDefinition.json"
-X POST "$endpoint/config/authorization/user/$userName"

config authorization:user::delete

The config authorization:user::delete command enables you to delete an existing user and disassociates it from all roles with which it was associated.

Before deleting a user, use the config authorization:user::get command to identify the roles with which it is associated. For each associated role, use the config authorization:role::get command to identify the Agent tag(s) with which it is associated. After deleting the user, it is recommended that you refresh any Agent tokens that are associated with the Agent tag(s) that you identified. For more information, see Generating an Agent Token.

CLI Syntax

Copy 
ctm config authorization:user::delete <user>

where <user> defines the username.

If annotation is enabled for the Account Management category in Control-M, you must also provide an annotation to justify your action. For more information, see Annotation Input.

REST API Syntax

cURL:

Copy 
userName=myuser
curl -H "x-api-key: $token" -X DELETE "$endpoint/config/authorization/user/$userName"

config authorization:users::get

The config authorization:users::get command enables you to get a list of names of configured users.

CLI Syntax

Copy 
ctm config authorization:users::get [-s <search query>]

The optional -s switch can be used to filter for users by user name. The format for the query string is "name=userName".

Use * (asterisks) or ? (question marks) for wildcards. Use , (commas) to specify multiple usernames.

REST API Syntax

cURL:

Copy 
userName=emuser*
curl -H "x-api-key: $token" $endpoint/config/authorization/users?name=$userName

config authorization:user:effectiverights::get

The config authorization:user:effectiverights::get command enables you to get details regarding the authorizations and privileges that are in effect for the logged-in user. A user's effective rights are calculated based on the authorizations defined in the various roles that are associated with that user.

  • Only parameters that are set to non-default values are retrieved and displayed in the output.

  • For similar details for any specific role, see config authorization:role::get.

CLI Syntax

Copy 
ctm config authorization:user:effectiverights::get

REST API Syntax

cURL:

Copy 
curl -H "x-api-key: $token"
"$endpoint/config/authorization/user/effectiverights"

User Definitions File

The following code sample shows the definitions of a Helix Control-M user in the payload JSON file:

Copy 
{
   "Name": "jdoe_1@company.com",
   "Roles": [
      "Admin",
      "TeamLeader"
   ]
}

The following table describes the User Definitions File objects or properties.

Object or Property

Description

Name

Defines the email address that identifies the authorized user.

Roles

Lists the roles associated with the authorized user.

Organization Group and Organization User Configuration

The following API commands are available for the configuration of authorizations for organization groups and organization users:

config authorization:organizationgroup:roles::get

The config authorization:organizationgroup:roles::get command enables you to get a list of roles that are associated with a specific organization group (such as an LDAP group or IdP group).

CLI Syntax

Copy 
ctm config authorization:organizationgroup:roles::get <organizationGroup> [-s "role=<query pattern>"]

The following table describes the config authorization:organizationgroup:roles::get command parameters.

Parameter

Description

organizationGroup

Name of organizational group, such as an LDAP group or IdP group.

query pattern

(Optional) A pattern for filtering role names. The pattern contains a wildcard (* or ?). For multiple patterns in the same query, use , (commas).

REST API Syntax

cURL:

Copy 
roleName=myRole
organizationGroup=myGroup
curl -H "x-api-key: $token" $endpoint/config/authorization/organizationgroup/$organizationGroup/roles?role=$roleName

config authorization:organizationgroups::get

The config authorization:organizationgroups::get command enables you to get a list of all organization groups (such as LDAP groups or IdP groups) that are associated with any of the defined roles.

CLI Syntax

Copy 
ctm config authorization:organizationgroups::get

REST API Syntax

cURL:

Copy 
curl -H "x-api-key: $token" $endpoint/config/authorization/organizationgroups

config authorization:organizationuser:roles::get

The config authorization:organizationuser:roles::get command enables you to get a list of roles that are associated with a specific organization user (such as an LDAP user or IdP user).

CLI Syntax

Copy 
ctm config authorization:organizationuser:roles::get <organizationUser> [-s "role=<query pattern>"]

The following table describes the config authorization:organizationuser:roles::get command parameters.

Parameter

Description

organizationUser

Name of organizational user, such as an LDAP user or IdP user.

query pattern

(Optional) A pattern for filtering role names. The pattern contains a wildcard (* or ?). For multiple patterns in the same query, use , (commas).

REST API Syntax

cURL:

Copy 
roleName=myRole
organizationUser=user5
curl -H "x-api-key: $token"
$endpoint/config/authorization/organizationgroup/$organizationUser/roles?role=$roleName

config authorization:organizationusers::get

The config authorization:organizationusers::get command enables you to get a list of all organization users (such as LDAP users or IdP users) that are associated with any of the defined roles.

CLI Syntax

Copy 
ctm config authorization:organizationusers::get

REST API Syntax

cURL:

Copy 
curl -H "x-api-key: $token" $endpoint/config/authorization/organizationusers

config authorization:ldap:role::add (Deprecated)

The config authorization:ldap:role::add command enables you to add a role to an LDAP group (or SAML group), so that any user in the LDAP group will inherit the permissions and authorizations defined for the role.

Deprecated as of version 9.0.21. Replaced by use of the OrganizationGroups property in the role data file, as described in Role Definitions File.

CLI Syntax

Copy 
ctm config authorization:ldap:role::add <ldapGroup> <role>

The following table describes the config authorization:ldap:role::add command parameters.

Parameter

Description

ldapGroup

Name of LDAP group or SAML group.

role

Name of role.

REST API Syntax

cURL:

Copy 
roleName=myRole
ldapGroup=myGroup
curl -H "x-api-key: $token" -H "Content-Type: application/json"
-X POST "$endpoint/config/authorization/ldap/$ldapGroup/role/$roleName"

config authorization:ldap:role::delete (Deprecated)

The config authorization:ldap:role::delete command enables you to delete a role from an LDAP group (or SAML group).

Deprecated as of version 9.0.21. Replaced by use of the OrganizationGroups property in the role data file, as described in Role Definitions File.

CLI Syntax

Copy 
ctm config authorization:ldap:role::delete <ldapGroup> <role>

The following table describes the config authorization:ldap:role::delete command parameters.

Parameter

Description

ldapGroup

Name of LDAP group or SAML group.

role

Name of role.

REST API Syntax

cURL:

Copy 
roleName=myRole
ldapGroup=myGroup
curl -H "x-api-key: $token" -H "Content-Type: application/json"
-X DELETE "$endpoint/config/authorization/ldap/$ldapGroup/role/$roleName"

config authorization:ldap:roles::get (Deprecated)

The config authorization:ldap:roles::get command enables you to get a list of roles that are associated with a specific LDAP group (or SAML group).

Deprecated as of version 9.0.21. Replaced by Authorization Configuration.

CLI Syntax

Copy 
ctm config authorization:ldap:roles::get <ldapGroup> [-s "role=<query pattern>"]

The following table describes the config authorization:ldap:roles::get command parameters.

Parameter

Description

ldapGroup

Name of LDAP group or SAML group.

query pattern

(Optional) A pattern for filtering role names. The pattern contains a wildcard (* or ?). For multiple patterns in the same query, use , (commas).

REST API Syntax

cURL:

Copy 
roleName=myRole
ldapGroup=myGroup
curl -H "x-api-key: $token" $endpoint/config/authorization/ldap/$ldapGroup/roles?role=$roleName