Defining Authorizations for Control-M Roles and Users

This tutorial guides you through the process of defining new roles and users for Control-M and controlling the authorizations that they have for Control-M resources. In this example, you create a role that groups together Hadoop developers and assign users to this role.

Before You Begin

Ensure that you meet the following prerequisites:

  • You have successfully completed API setup, as described in Control-M Automation API Installation.

  • You have Git installed. If not, obtain it from the Git Downloads page.

  • You have a local copy of the tutorial samples from GitHub, obtained with the git clone command:

    git clone https://github.com/controlm/automation-api-quickstart.git

Begin

  1. Access the tutorial sample with the following command:

    cd automation-api-quickstart/control-m/102-on-boarding-new-application-group

  2. Run the following command to define a new role for Hadoop developers based on the provided role data file, hadoopRole.json, which specifies the authorizations that are granted to the role:

    ctm config authorization:role::add hadoopRole.json

  3. Run the following command to define a new Control-M user based on the provided user data file, hadoopUser.json, and to associate this user with the role that you defined in the previous step:

    ctm config authorization:user::add hadoopUser.json

  4. Examine the source code in the JSON data files and learn how to define roles and users, as described in Role Data File and User Data File.

  5. Obtain the current role definitions by running a GET command such as the following:

    ctm config authorization:role::get hadoop_developers > c:\tmp\hadoop_developers.json

    The current role definitions are saved to the hadoop_developers.json file.

  6. In the hadoop_developers.json file, apply a change to raise the role's level of privileges for its associated site standards:

    Before:

      "SiteStandard": [
        {
          "Privilege": "Browse",
          "Name": "hadoop_*"
        }
      ]

    After:

      "SiteStandard": [
        {
          "Privilege": "Full",
          "Name": "hadoop_*"
        }
      ]

  7. Deploy the modified data file by running the update command and submitting the new data file:

    ctm config authorization:role::update hadoop_developers c:\tmp\hadoop_developers.json

  8. Assign your new role for Hadoop developers to an LDAP group of Hadoop developers using the following add command:

    ctm config authorization:ldap:role::add hadoop_dev_group hadoop_developers

  9. As an administrator, set a new password for one of your users using the following command:

    ctm config user:password::adminUpdate John newPass

    • To avoid placing the password on the command line (where it is visible in the shell history and process list), you can instead specify it as a predefined secret or use the -p option to be prompted for it after you enter the command.

    • Developer-level users can update their own passwords using a different command, the session login command.
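
Steps 5 to 7 export a role, edit a privilege level and redeploy the file. The script below is an added example (not part of the tutorial, the quickstart repository or the ctm tool) that makes that edit programmatically and lists every privilege that changed, so the escalation in step 6 can be reviewed before `authorization:role::update` is run. It assumes the exported file has the layout shown in the tutorial (SiteStandard, Calendars and Folders lists of objects with a Privilege key) and assumes an illustrative privilege ordering of None < Browse < Update < Full; the sample role embedded in it is constructed from the tutorial's fragments.

```python
"""Review and edit a Control-M role definition before redeploying it.

Added example; it is not part of the Control-M tutorial or the ctm tool. It
assumes the role file has the layout shown in the tutorial (lists of
{"Privilege": ..., "Name"/"Folder": ...} entries under SiteStandard, Calendars
and Folders). The privilege ranking None < Browse < Update < Full is assumed
for illustration only; check the Authorization Configuration reference for the
levels your Control-M version accepts.
"""
import copy
import json
import sys

# Assumed privilege ordering, lowest to highest (illustrative).
PRIVILEGE_RANK = {"None": 0, "Browse": 1, "Update": 2, "Full": 3}

# Sections of a role file that carry {"Privilege": ...} entries, with the key
# that names each entry (assumption based on the tutorial's hadoopRole.json).
PRIVILEGE_SECTIONS = (("SiteStandard", "Name"), ("Calendars", "Name"), ("Folders", "Folder"))

# Constructed sample: the "before" state of the tutorial's hadoop_developers role.
SAMPLE_ROLE = {
    "Name": "hadoop_developers",
    "Folders": [{"Privilege": "Full", "Folder": "hadoop*"}],
    "Calendars": [{"Privilege": "Browse", "Name": "hadoop*"}],
    "SiteStandard": [{"Privilege": "Browse", "Name": "hadoop_*"}],
}


def set_privilege(role, section, pattern, new_privilege):
    """Return a copy of role with the entry in section whose name equals pattern
    set to new_privilege. A missing entry raises KeyError rather than silently
    leaving the role unchanged, so a mistyped pattern is caught before deploy."""
    if new_privilege not in PRIVILEGE_RANK:
        raise ValueError(f"unknown privilege level: {new_privilege!r}")
    key = dict(PRIVILEGE_SECTIONS)[section]
    updated = copy.deepcopy(role)
    for entry in updated.get(section, []):
        if entry.get(key) == pattern:
            entry["Privilege"] = new_privilege
            break
    else:
        raise KeyError(f"no {section} entry with {key} == {pattern!r}")
    return updated


def privilege_changes(before, after):
    """List every privilege that differs between two role definitions as
    (section, pattern, old, new, direction) tuples. An entry present on only
    one side is treated as level "None" on the other."""
    changes = []
    for section, key in PRIVILEGE_SECTIONS:
        old = {e[key]: e["Privilege"] for e in before.get(section, [])}
        new = {e[key]: e["Privilege"] for e in after.get(section, [])}
        for pattern in sorted(set(old) | set(new)):
            o, n = old.get(pattern, "None"), new.get(pattern, "None")
            if o != n:
                direction = "escalation" if PRIVILEGE_RANK[n] > PRIVILEGE_RANK[o] else "reduction"
                changes.append((section, pattern, o, n, direction))
    return changes


def main(argv):
    """Usage: edit_role.py [exported_role.json [section pattern privilege]]
    With no arguments the constructed sample role is edited in memory only."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            before = json.load(fh)
    else:
        before = SAMPLE_ROLE
    section, pattern, privilege = argv[2:5] if len(argv) >= 5 else ("SiteStandard", "hadoop_*", "Full")
    after = set_privilege(before, section, pattern, privilege)
    for change in privilege_changes(before, after):
        print("{}: {!r} {} -> {} ({})".format(*change))
    if len(argv) > 1:
        with open(argv[1], "w", encoding="utf-8") as fh:
            json.dump(after, fh, indent=2)
    else:
        print(json.dumps(after["SiteStandard"], indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Running it against the file exported in step 5 (for example `python edit_role.py c:\tmp\hadoop_developers.json SiteStandard "hadoop_*" Full`) prints one line per changed privilege, marked as an escalation or a reduction, and writes the edited file back in place ready for the update command in step 7.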

Role Data File

The role data file defines a role and specifies collections of privileges and permissions for Control-M resources to grant to the role. For more information, see Authorization Configuration.

The sample role data file, hadoopRole.json, contains the following main objects:

  • The AllowedJobs and AllowedJobActions objects define the actions that can be performed on a specific set of jobs.

    "AllowedJobs": {
       "Included": [
          [
             [
                "Application",
                "like",
                "hadoop*"
             ],
             [
                "Host",
                "like",
                "hadoop*"
             ],
             [
                "JobName",
                "like",
                "hadoop*"
             ],
             [
                "Folder",
                "like",
                "hadoop*"
             ]
          ]
       ]
    },
    "AllowedJobActions": {
       "ViewProperties": true,
       "Documentation": true,
       "Log": true,
       "Statistics": true,
       "ViewOutputList": true,
       "ViewJcl": true,
       "Why": true,
       "Rerun": true,
       "SetToOk": true,
       "EditProperties": true
    },
  • The Privileges object defines access levels to various operations in Control-M.

    "Privileges": {
       "ClientAccess": {
          "ControlmWebClientAccess": "Full",
          "UtilitiesAccess": "Full",
          "ApplicationIntegratorAccess": "Full"
       },
       "Monitoring": {
          "Alert": "Full"
       },
       "Tools": {
          "Cli": "Full"
       }
    },
  • Several additional objects (Folders, Calendars, SiteStandard) define access to various Control-M resources.

    "Folders": [
       {
          "Privilege": "Full",
          "Folder": "hadoop*"
       }
    ],
    "Calendars": [
       {
          "Privilege": "Browse",
          "Name": "hadoop*"
       }
    ],
    "SiteStandard": [
       {
          "Privilege": "Browse",
          "Name": "hadoop_*"
       }
    ]
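
To make the AllowedJobs and AllowedJobActions objects concrete, the following added example (not code from the tutorial, the quickstart repository or Control-M itself) evaluates a role against a job's attributes and flags conditions that would match every job. The matching rules it implements are assumptions made for illustration: the Included list holds groups of [field, operator, pattern] conditions, all conditions in a group must hold, any matching group includes the job, "like" is a glob in which "*" matches any run of characters, "=" is an exact comparison, and an optional Excluded list of the same shape removes jobs; the sample role and jobs are constructed from the tutorial's fragments.

```python
"""Evaluate a Control-M role's AllowedJobs filter and AllowedJobActions.

Added example; not code from the Control-M tutorial or product. The matching
rules are assumptions made for illustration: "Included" is a list of condition
groups, each group a list of [field, operator, pattern] triples; all conditions
in a group must hold (AND) and a job is included when any group matches (OR);
"like" is a glob in which "*" matches any run of characters and "=" is an exact
comparison; an optional "Excluded" list of the same shape removes jobs that
would otherwise be included. Verify these against the Authorization
Configuration reference before relying on them.
"""
import fnmatch

# Constructed sample, taken from the tutorial's hadoopRole.json fragment.
SAMPLE_ROLE = {
    "AllowedJobs": {
        "Included": [[
            ["Application", "like", "hadoop*"],
            ["Host", "like", "hadoop*"],
            ["JobName", "like", "hadoop*"],
            ["Folder", "like", "hadoop*"],
        ]]
    },
    "AllowedJobActions": {
        "ViewProperties": True, "Log": True, "Rerun": True,
        "SetToOk": True, "EditProperties": True,
    },
}


def condition_holds(job, condition):
    """Apply one [field, operator, pattern] condition to a job attribute dict."""
    field, operator, pattern = condition
    value = str(job.get(field, ""))
    if operator == "like":
        # fnmatchcase is case-sensitive; "*" matches any run of characters
        # ("?" and "[...]" are also wildcards in fnmatch, an assumption here).
        return fnmatch.fnmatchcase(value, pattern)
    if operator == "=":
        return value == pattern
    raise ValueError(f"unsupported operator in AllowedJobs condition: {operator!r}")


def group_matches(job, group):
    """A condition group matches only when every condition in it holds (AND)."""
    return all(condition_holds(job, c) for c in group)


def job_included(allowed_jobs, job):
    """True when some Included group matches and no Excluded group does."""
    included = any(group_matches(job, g) for g in allowed_jobs.get("Included", []))
    excluded = any(group_matches(job, g) for g in allowed_jobs.get("Excluded", []))
    return included and not excluded


def can_perform(role, job, action):
    """An action is permitted only on jobs the role can see and only when the
    action is explicitly true in AllowedJobActions (unknown actions are denied)."""
    if not job_included(role.get("AllowedJobs", {}), job):
        return False
    return role.get("AllowedJobActions", {}).get(action, False) is True


def overly_broad_conditions(allowed_jobs):
    """Least-privilege review hook: return Included conditions whose pattern is a
    bare "*", which would make that attribute match every job."""
    return [c for group in allowed_jobs.get("Included", []) for c in group
            if c[1] == "like" and c[2].strip() == "*"]


if __name__ == "__main__":
    job = {"Application": "hadoop_etl", "Host": "hadoop01",
           "JobName": "hadoop_load", "Folder": "hadoop_daily"}
    print("included:", job_included(SAMPLE_ROLE["AllowedJobs"], job))
    print("may rerun:", can_perform(SAMPLE_ROLE, job, "Rerun"))
    print("broad conditions:", overly_broad_conditions(SAMPLE_ROLE["AllowedJobs"]))
```

Because every condition in the sample group must hold, a job whose Folder does not start with hadoop is outside the role even if its name and host do, which is what keeps the hadoop_developers role from reaching other teams' jobs; `overly_broad_conditions` is the check to run on a role file before deploying it, since a single bare "*" pattern widens the role to every job on that attribute.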

User Data File

The user data file associates a user with a role. For more information, see the description of Config Service.

The sample user data file, hadoopUser.json, contains only basic user definitions: a user name and a list of roles to associate with the user.

{
   "Name": "John",
   "Roles": ["hadoop_developers"]
}