Control-M Automation API Authorizations

Control-M enables you to control what users are authorized to view or change via Control-M Automation APIs and services, based on the roles and users that you define. The following tables summarize the required access control categories and levels for several API operations.

You must define role authorizations in the Roles tab in the Configuration domain, as described in Adding a Role.

Authentication Service Authorizations

To use the Authentication service to create, update, delete, or get details of your own tokens, you must have the Automation API interface access category. You set this access category through the role definitions in the Configuration domain, on the General tab.

To use the Authentication service to control authentication tokens of other users, an administrator must have the following role access levels. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.

API Operation

Access Control Category

Access Level

Retrieve Token Details

  • authentication token::get

  • authentication tokens::get

All:

Configuration > Admin Management > Authorizations/ Users & Roles

All:

Browse

Create or Update Tokens

  • authentication token::create

  • authentication token::update

All:

Configuration > Admin Management > Authorizations/ Users & Roles

All:

Update

Delete Tokens

authentication token::delete

All:

Configuration > Admin Management > Authorizations/ Users & Roles

All:

Full

Configuration Service Authorizations

The following table lists the role access levels required by the various API operations in the Config service. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.

If the access levels defined through Configuration > Admin Management differ from (that is, are higher or lower than) those defined in the other Configuration categories, such as Configuration > Agents, Configuration > Plug-ins, or Configuration > Run as Definition, then the definitions in Admin Management take precedence.

API Operation

Access Control Category

Access Level

Access Control-M/Server Details

  • config servers::get

All:

Configuration > Admin Management > Configuration

All:

Browse

Update Control-M/Servers

  • config server::update

All:

Configuration > Admin Management > Configuration

All:

Update

Delete Control-M/Servers

  • config server::delete

All:

Configuration > Admin Management > Configuration

All:

Full

Access Agent and Agentless Host Details

  • config server:agents::get

  • config server:agentlesshosts::get

All:

Configuration > Agents

All:

None

Access Agent Information

  • config server:agent::analysis

  • config server:agent:crt:expiration::get

  • config server:hostgroups:agents::get

All:

Configuration > Agents

All:

Browse

Access and Update Detailed Agent Configuration Information

  • config server:agent:params::get

  • config server:agent:param::set

  • config server:agentlesshost::get

  • config server:hostgroups::get

  • config server:hostgroup:agents::get

  • config server:hostgroup::update

All:

Configuration > Agents

All:

Full

Manage Agent Certificates

  • config server:agent:crt:expiration::get

  • config server:agent:csr::create

  • config server:agent:crt::deploy

  • config ca:server:agent:list::get

  • config ca:server:agent::add

  • config ca:server:agent::delete

All:

Configuration > Admin Management > Configuration

As Follows:

  • Browse

  • Browse

  • Browse

  • Browse

  • Update

  • Full

Add or Update Agents

  • config server:agent::add

  • config server:agent::update

  • config server:agent::disable

  • config server:agent::enable

  • config server:agent::ping

  • config server:agent:csr::create

  • config server:agent:crt::deploy

  • config server:hostgroup:agent::add

  • config server:agentlesshost::add

  • config item::recycle

All:

Configuration > Agents

All:

Update

Delete Agents and Agentless Hosts

  • config server:agent::delete

  • config server:agentlesshost::delete

  • config server:hostgroup:agent::delete

  • config server:hostgroup::delete

All:

Configuration > Agents

All:

Full

Access Run as User Configuration Information

  • config server:runasuser::get

  • config server:runasusers::get

  • config server:runasuser::test

All:

Configuration > Run as Definition

All:

Browse

Add or Update Run as Users

  • config server:runasuser::add

  • config server:runasuser::update

All:

Configuration > Run as Definition

All:

Update

Delete Run as User Configuration

config server:runasuser::delete

All:

Configuration > Run as Definition

All:

Full

Access Detailed Job Archiving Configuration

  • config archive:rules::get

  • config archive:statistics::get

All:

Configuration > Admin Management > Configuration

All:

Browse

Access Configurations for File Transfers Between Remote Hosts (Control-M MFT)

  • config server:agent:mft:pgptemplates::get

  • config server:agent:mft:zostemplates::get

  • config server:agent:mft:configuration::get

  • config server:agent:mft:fts:settings::get

All:

Configuration > Plug-ins

All:

Browse

Add or Delete Configurations for Control-M MFT

  • config server:agent:mft:pgptemplate::add

  • config server:agent:mft:pgptemplate::delete

  • config server:agent:mft:zostemplate::add

  • config server:agent:mft:zostemplate::delete

All:

Configuration > Plug-ins

All:

Full

Update Configurations for Control-M MFT

  • config server:agent:mft:pgptemplate::update

  • config server:agent:mft:zostemplate::update

  • config server:agent:mft:configuration::update

  • config server:agent:mft:fts:settings::update

All:

Configuration > Plug-ins

All:

Update

Manage SSH settings for Control-M MFT

  • config server:agent:mft:ssh:key::generate

  • config server:agent:mft:ssh:host::authorize

  • config server:agent:mft:ssh:cluster::authorize

All:

Configuration > Admin Management > Security

All:

Full

Access Details of Roles, Users, and LDAP Groups

  • config authorization:roles::get

  • config authorization:role::get

  • config authorization:users::get

  • config authorization:user::get

  • config authorization:user:effectiverights::get

  • config authorization:ldap:roles::get (Deprecated)

  • config authorization:role:associates

  • config authorization:organizationuser:roles::get

  • config authorization:organizationgroups::get

  • config authorization:organizationusers::get

  • config authorization:organizationuser:roles::get

All:

Configuration > Admin Management > Authorizations/ Users & Roles

All:

Browse

Manage Role, Users, and LDAP Group Authorizations

  • config authorization:role::add

  • config authorization:role::update

  • config authorization:user::add

  • config authorization:user::update

  • config authorization:ldap:role::add (Deprecated)

  • config authorization:ldap:role::delete (Deprecated)

All:

Configuration > Admin Management > Authorizations/ Users & Roles

For simulation functions, also:

Configuration > Admin Management > Configuration

All:

Update

Delete Role and User Authorization

  • config authorization:role::delete

  • config authorization:user::delete

All:

Configuration > Admin Management > Authorizations/ Users & Roles

All:

Full

Access System Settings Details

  • config systemsettings::get

  • config systemsettings:identityprovidermetadata::get

All:

Configuration > Admin Management > Configuration

All:

Browse

System Settings

config systemsettings::set

Configuration > Admin Management > Configuration

Full

Access Control-M Vault Secrets Details

config secrets::get

Tools > Secrets

Browse

Add or Update Control-M Vault Secrets

  • config secret::add

  • config secret::update

All:

Tools > Secrets

All:

Update

Delete Control-M Vault Secrets

config secret::delete

Tools > Secrets

Full

Provision Service Authorizations

The following table lists the role access levels required by the various API operations in the Provision service. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.

If the access levels defined through Configuration > Admin Management differ from (that is, are higher or lower than) those defined in the other Configuration categories, such as Configuration > Agents or Configuration > Run as Definition, then the definitions in Admin Management take precedence.

API Operation

Access Control Category

Access Level

Provision Control-M/Servers

  • provision server::setup

  • provision server::install

All:

Configuration > Agents

and

Configuration > Run as Definition

All:

Update

Access Provisioned Agent Details

provision images

Configuration > Agents

Browse

Provision New Agents

  • provision saas:agent::setup

  • provision saas::install

  • provision image

  • provision agent::update

All:

Configuration > Agents

All:

Update

Undo Agent Provisions

  • provision image::remove

  • provision agent::uninstall

All:

Configuration > Agents

All:

Full

Build and Deploy Service Authorizations

The following table lists the role access levels required by the various API operations in the Build and Deploy services. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.

If the access levels defined through Configuration > Admin Management differ from (that is, are higher or lower than) those defined in the other Configuration categories, such as Configuration > Connection Profiles, then the definitions in Admin Management take precedence.

API Operation

Access Control Category

Access Level

Build Job Definitions

build

Access tokens are enough.

Retrieve Deployed Job Definitions

deploy jobs::get

Planning > Folders and Jobs

Browse level on all retrieved folders

  • Server: All

  • Folder Name: *

  • Access Level: Browse

Deploy Control-M Objects Definitions

  • deploy

  • deploy poll

Planning > Folders and Jobs

Update level on all folders deployed

  • Server: All

  • Folder Name: *

  • Access Level: Update

Planning > Run as

Grant permission to write jobs that Run as a user on specific hosts, as required by all jobs deployed.

  • Server: All

  • Run as Name or Pattern: *

  • Agent/Host Group: *

Tools > Calendars

Update level on all calendars deployed

  • Server: All

  • Calendar Name: *

  • Access Level: Update

Tools > Site Standards

Update level for all site standards deployed.

Update level for site standard policies.

Configuration > Connection Profiles

Full level on all connection profiles deployed if you plan to create new connection profiles. Update level if you only want to modify existing connection profiles.

  • Server: All

  • Name: *

  • Access Level: Full or Update

Delete Deployed Objects

  • deploy folder::delete

  • deploy subfolder::delete

  • deploy job::delete

All:

Planning > Folders and Jobs

Full access level on all folders to delete

  • Server: All

  • Folder Name: *

  • Access Level: Full

Deploy AI Job Type

deploy ai:jobtype

Tools > Application Integrator

Full

Retrieve Deployed AI Job Type Details

deploy ai:jobtypes::get

Retrieve Deployed Calendar Definitions

deploy calendars::get

Tools > Calendars

Browse access level on all calendars to retrieve

  • Server: All

  • Calendar Name: *

  • Access Level: Browse

Delete Deployed Calendars

deploy calendar::delete

Tools > Calendars

Full access level on all calendars to delete

  • Server: All

  • Calendar Name: *

  • Access Level: Full

Retrieve Deployed Connection Profile Details

  • deploy connectionprofiles:centralized::get

  • deploy connectionprofiles:centralized:status::get

  • deploy connectionprofile:centralized::deploymentstatus

All:

Configuration > Connection Profiles

Browse access level on all connection profiles to retrieve

  • Server: All

  • Name: *

  • Plug-in Type: All plug-ins

  • Access Level: Browse

Delete Deployed Connection Profiles

deploy connectionprofile:centralized::delete

All:

Configuration > Connection Profiles

Full access level on all connection profiles to delete

  • Server: All

  • Name: *

  • Plug-in Type: All plug-ins

  • Access Level: Full

Test Deployed Connection Profiles

deploy connectionprofile::test

Retrieve Site Standard and Site Standard Policy Details

  • deploy sitestandard:fieldRestriction::get

  • deploy sitestandardpolicies:details::get

All:

Tools > Site Standards

Browse level for all site standards deployed.

Browse level for site standard policies.

Update Site Standards or Add Site Standard Policies

deploy sitestandard:fieldRestriction::replaceValues

All:

Tools > Site Standards

All Deployed Site Standards: Update

Site Standard Policies: Update

Rename or Delete Site Standard Policies

  • deploy sitestandardpolicy::rename

  • deploy sitestandardpolicy::delete

All:

Tools > Site Standards

Site Standard Policies: Full

Run Service Authorizations

The following table lists the role access levels required by the various API operations in the Run service. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.

API Operation

Access Control Category

Access Level

Access Job Statuses and Details

  • run status

  • run job:status::get

  • run jobs:status::get

  • run job:statistics::get

  • run job::waitingInfo

  • run job::get

All:

Monitoring > Job Permissions

All View options for all jobs.

Perform Job Actions

  • run job::confirm

  • run job::delete

  • run job::free

  • run job::hold

  • run job::kill

  • run job:log::get

  • run job:output::get

  • run job::rerun

  • run job::runNow

  • run job::setToOk

  • run job::undelete

  • run job::modify

All:

Monitoring > Job Permissions

All Actions and View options for all relevant jobs.

Run Job Definition Files

  • run <jobDefinitionsFile>

  • run ondemand

Planning > Folders and Jobs

Update level on all folders deployed

  • Server: All

  • Folder Name: *

  • Access Level: Update

  • Run checkbox selected

Planning > Run as

Grant permission to write jobs that Run as a user on specific hosts, as required by all jobs deployed.

  • Server: All

  • Run as Name or Pattern: *

  • Agent/Host Group: *

  • run ondemand

Monitoring > Job Permissions

Actions > Confirm

Order Deployed Folders and Jobs

  • run order

Planning > Folders and Jobs

Update level on all folders deployed

  • Server: All

  • Folder Name: *

  • Access Level: Update

  • Run checkbox selected

Retrieve Events

  • run events::get

Tools > Events

Browse level for events retrieved

  • Server: All

  • Event Name: *

  • Access Level: Browse

Add Events

  • run event::add

Tools > Events

Update level for events to add

  • Server: All

  • Event Name: *

  • Access Level: Update

Delete Events

  • run event::delete

Tools > Events

Full access level for events to delete

  • Server: All

  • Event Name: *

  • Access Level: Full

Retrieve Resources

  • run resources::get

Tools > Resource Pool

At least Browse level for resource pools retrieved

  • Server: All

  • Resource Name: *

  • Access Level: Browse

Tools > Lock Resources

At least Browse level for lock resources retrieved

  • Server: All

  • Resource Name: *

  • Access Level: Browse

Add and Update Resources

  • run resource::add

  • run resource::update

All:

Tools > Resource Pool

Update level for resource pools updated

  • Server: All

  • Resource Name: *

  • Access Level: Update

Delete Resources

  • run resource::delete

Tools > Resource Pool

Full level for resource pools deleted

  • Server: All

  • Resource Name: *

  • Access Level: Full

Retrieve Pool Variable Details

  • run variables::get

Tools > Pool Variables

Browse

Define and Update Pool Variables

  • run variables::set

Tools > Pool Variables

Update

Delete Pool Variables

run variables::delete

Tools > Pool Variables

Full

Access the status of alert streaming

  • run alerts:stream::status

Alerts

Browse

Control Alert Streaming and Listening

  • run alerts:stream::open

  • run alerts:stream::close

  • run alerts:listener::start

  • run alerts:listener::stop

All:

Alerts

All:

Update

  • run alerts:stream::close
    with Force option set to true

Configuration > Admin Management > Configuration

Update

Set Alert Formats

  • run alerts:stream:template::set

Configuration > Admin Management > Configuration

Update
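The tables above can drive a least-privilege review of a role. The following is an added example, not BMC code: it takes the API operations an automation account actually calls, derives the lowest access level needed per category, and compares that with the role's grants. The level ordering (None, Browse, Update, Full), the function names, and the sample role are assumptions made for illustration, and only a few rows of the tables are included.

```python
LEVELS = ["None", "Browse", "Update", "Full"]  # assumed ordering, lowest first
ADMIN = "Configuration > Admin Management"

# A few rows copied from the tables on this page: operation -> (category, level).
REQUIRED = {
    "config servers::get": (ADMIN + " > Configuration", "Browse"),
    "config server:agent::ping": ("Configuration > Agents", "Update"),
    "config server:agent::delete": ("Configuration > Agents", "Full"),
    "config server:runasusers::get": ("Configuration > Run as Definition", "Browse"),
    "config secret::update": ("Tools > Secrets", "Update"),
    "run variables::get": ("Tools > Pool Variables", "Browse"),
}

def rank(level):
    return LEVELS.index(level)

def minimum_grants(operations):
    """Return the lowest level per category that covers every operation."""
    need = {}
    for op in operations:
        category, level = REQUIRED[op]  # KeyError: operation not in the subset
        if rank(level) > rank(need.get(category, "None")):
            need[category] = level
    return need

def audit_role(grants, operations):
    """List (kind, category, granted, needed) differences for a role."""
    need = minimum_grants(operations)
    findings = []
    for category in sorted(set(grants) | set(need)):
        have, want = grants.get(category, "None"), need.get(category, "None")
        if rank(have) < rank(want):
            findings.append(("missing", category, have, want))
        elif rank(have) > rank(want):
            findings.append(("excess", category, have, want))
    # The page states that Admin Management definitions take precedence when
    # they differ from other Configuration categories; flag those for review.
    admin = sorted({lvl for cat, lvl in grants.items() if cat.startswith(ADMIN)})
    for category, level in sorted(grants.items()):
        other_cfg = category.startswith("Configuration > ") and not category.startswith(ADMIN)
        if other_cfg and admin and admin != [level]:
            findings.append(("precedence", category, level, "/".join(admin)))
    return findings

# Constructed sample: operations a monitoring account calls, and its role.
SAMPLE_OPS = ["config servers::get", "config server:agent::ping", "run variables::get"]
SAMPLE_ROLE = {ADMIN + " > Configuration": "Browse",
               "Configuration > Agents": "Full", "Tools > Secrets": "Update"}

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE, SAMPLE_OPS):
        print(finding)
```

An "excess" finding marks a grant that can be lowered or removed, and a "precedence" finding marks a Configuration category whose level differs from the role's Admin Management level, so the effective access should be confirmed in the Access Control tab.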