Control-M Automation API Authorizations

Through Control-M, you can control the access levels that each of your defined roles has to the various API functionalities and services. The following series of tables summarize the access levels that are required for the various API commands. You set these access levels through the role definitions in the Configuration domain.

Authentication Service Authorizations

To use the Authentication service to create, update, delete, or get details of your own tokens, you must have the Automation API interface access category. You set this access category through the role definitions in the Configuration domain, on the General tab.

To use the Authentication service to control authentication tokens of other users, an administrator must have the following role access levels. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.

API Functions	Access Control Category	Access Level
Retrieve token details authentication token::get authentication tokens::get	Configuration > Admin Management > Authorizations/Users&Roles	Browse
Create or update a token authentication token::create authentication token::update	Configuration > Admin Management > Authorizations/Users&Roles	Update
Delete a token authentication token::delete	Configuration > Admin Management > Authorizations/Users&Roles	Full

API Functions

Access Control Category

Access Level

Retrieve token details

authentication token::get
authentication tokens::get

Configuration > Admin Management > Authorizations/Users&Roles

Browse

Create or update a token

authentication token::create
authentication token::update

Configuration > Admin Management > Authorizations/Users&Roles

Update

Delete a token

authentication token::delete

Configuration > Admin Management > Authorizations/Users&Roles

Full

Configuration Service Authorizations

The following table lists the role access levels required by the various API functions in the Config service. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.

If the access levels defined through Configuration > Admin Management differ from (that is, are higher or lower than) those defined in the other Configuration categories, such as Configuration > Agents or Configuration > Plug-ins, or Configuration > Run as Definition, then the definitions in Admin Management take precedence.

API Functions	Access Control Category	Access Level
Access Agent topology information config server:agents::get config server:agentlesshosts::get	Configuration > Agents	None
Access Control-M/Server topology information config servers::get	Configuration > Admin Management > Configuration	Browse
Access Agent information config server:agent:crt:expiration::get config server:hostgroups:agents::get	Configuration > Agents	Browse
Access detailed Agent configuration information config server:agent:params::get config server:agent:param::set config server:agentlesshost::get config server:hostgroups::get config server:hostgroup:agents::get config server:hostgroup::update	Configuration > Agents	Full
Add or update Agent configurations config server:agent::update config server:agent::disable config server:agent::enable config server:agent::ping config server:agent:csr::create config server:agent:crt::deploy config server:hostgroup:agent::add config server:agentlesshost::add config item::recycle	Configuration > Agents	Update
Add or update Run as User configurations config server:runasuser::add config server:runasuser::update	Configuration > Run as Definition	Update
Access Run as User configuration details config server:runasuser::get config server:runasuser::test config server:runasusers::get	Configuration > Run as Definition	Browse
Delete Agent configuration config server:agent::delete config server:agentlesshost::delete config server:hostgroup:agent::delete config server:hostgroup::delete	Configuration > Agents	Full
Delete Run as User configuration config server:runasuser::delete	Configuration > Run as Definition	Full
Access detailed Job Archiving configuration config archive:rules::get config archive:statistics::get	Configuration > Admin Management > Configuration	Browse
Access configurations of file transfers to and from remote hosts (using Control-M MFT) config server:agent:mft:pgptemplates::get config server:agent:mft:zostemplates::get config server:agent:mft:configuration::get config server:agent:mft:fts:settings::get	Configuration > Plug-ins	Browse
Add or delete configurations for Control-M MFT config server:agent:mft:pgptemplate::add config server:agent:mft:pgptemplate::delete config server:agent:mft:zostemplate::add config server:agent:mft:zostemplate::delete	Configuration > Plug-ins	Full
Update configurations for Control-M MFT config server:agent:mft:pgptemplate::update config server:agent:mft:zostemplate::update config server:agent:mft:configuration::update config server:agent:mft:fts:settings::update	Configuration > Plug-ins	Update
Manage SSH settings for Control-M MFT config server:agent:mft:ssh:key::generate config server:agent:mft:ssh:host::authorize config server:agent:mft:ssh:cluster::authorize	Configuration > Admin Management > Security	Full
Access details of roles, users, and LDAP groups config authorization:role::get config authorization:roles::get config authorization:user::get config authorization:users::get config authorization:user:effectiverights::get config authorization:ldap:roles::get config authorization:role:associates config authorization:organizationgroup:roles::get config authorization:organizationgroups::get config authorization:organizationuser:roles::get config authorization:organizationusers::get	Configuration > Admin Management > Authorizations/Users & Roles	Browse
Manage authorizations of roles, users, and LDAP groups config authorization:role::add config authorization:role::update config authorization:user::add config authorization:user::update config authorization:ldap:role::add config authorization:ldap:role::delete	Configuration > Admin Management > Authorizations/Users & Roles For simulation functions, also: Configuration > Admin Management > Configuration	Update
Delete authorizations of roles and users config authorization:role::delete config authorization:user::delete	Configuration > Admin Management > Authorizations/Users & Roles	Full
Access details of system settings config systemsettings::get config systemsettings:identityprovidermetadata::get	Configuration > Admin Management > Configuration	Browse
Add or update system settings config systemsettings::set	Configuration > Admin Management > Configuration	Full
Access details of secrets in the Control-M vault config secrets::get	Tools > Secrets	Browse
Add or update secrets in the Control-M vault config secret::add config secret::update	Tools > Secrets	Update
Delete secrets in the Control-M vault config secret::delete	Tools > Secrets	Full

Provision Service Authorizations

The following table lists the role access levels required by the various API functions in the Provision service. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.

If the access levels defined through Configuration > Admin Management differ from (that is, are higher or lower than) those defined in the other Configuration categories, such as Configuration > Agents or Configuration > Run as Definition, then the definitions in Admin Management take precedence.

API Functions	Access Control Category	Access Level
Access details of provisioned agents provision images	Configuration > Agents	Browse
Provision a new agent provision saas:agent::setup provision saas::install provision image provision agent::update	Configuration > Agents	Update
Undo the provisioning of an agent provision image::remove provision agent::uninstall	Configuration > Agents	Full

API Functions

Access Control Category

Access Level

Access details of provisioned agents

provision images

Configuration > Agents

Browse

Provision a new agent

provision saas:agent::setup
provision saas::install
provision image
provision agent::update

Configuration > Agents

Update

Undo the provisioning of an agent

provision image::remove
provision agent::uninstall

Configuration > Agents

Full

Build and Deploy Service Authorizations

The following table lists the role access levels required by the various API functions in the Build and Deploy services. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.

If the access levels defined through Configuration > Admin Management differ from (that is, are higher or lower than) those defined in the other Configuration categories, such as Configuration > Connection Profiles, then the definitions in Admin Management take precedence.

API / API Service	Access Control Category	Access Level
Build jobs definitions build <definitionsFile>	Access tokens are enough.
Retrieve deployed job definitions deploy jobs::get	Planning > Folders and Jobs	Browse level on all retrieved folders Server: All Folder Name: * Access Level: Browse
Deploy definitions of Control-M objects deploy <definitionsFile> deploy poll	Planning > Folders and Jobs	Update level on all folders deployed Server: All Folder Name: * Access Level: Update
Planning > Run as	Grant permission to write jobs that Run as use on specific hosts as required by all jobs deployed. Server: All Run as Name or Pattern: * Agent/Host Group: *
Tools > Calendars	Update level on all calendars deployed Server: All Calendar Name: * Access Level: Update
Tools > Site Standards	Update level for all site standards deployed. Update level for site standard policies.
Configuration > Connection Profiles	Full level on all connection profiles deployed if you plan to create new connection profiles. Update level if you only want to modify existing connection profiles. Server: All Name: * Access Level: Full or Update
Delete deployed objects deploy folder::delete deploy subfolder::delete deploy job::delete	Planning > Folders and Jobs	Full access level on all folders to delete Server: All Folder Name: * Access Level: Full
Deploy AI job type deploy ai:jobtype	Tools > Application Integrator	Full
Retrieve details of deployed AI job types deploy ai:jobtypes::get
Retrieve deployed calendar definitions deploy calendars::get	Tools > Calendars	Browse access level on all calendars to retrieve Server: All Calendar Name: * Access Level: Browse
Delete a deployed calendar deploy calendar::delete	Tools > Calendars	Full access level on all calendars to delete Server: All Calendar Name: * Access Level: Full
Retrieve details of deployed connection profiles deploy connectionprofiles:centralized::get deploy connectionprofiles:centralized:status::get deploy connectionprofile:centralized::deploymentstatus	Configuration > Connection Profiles	Browse access level on all connection profiles to retrieve Server: All Name: * Plug-in Type: All Plug-ins Access Level: Browse
Delete deployed connection profiles deploy connectionprofile:centralized::delete	Configuration > Connection Profiles	Full access level on all connection profiles to delete Server: All Name: * Plug-in Type: All Plug-ins Access Level: Full
Test deployed connection profiles deploy connectionprofile::test
Retrieve details of site standards and site standard policies deploy sitestandard:fieldRestriction::get deploy sitestandardpolicies:details::get	Tools > Site Standards	Browse level for all site standards deployed. Browse level for site standard policies.
Update site standards or add site standard policies deploy sitestandard:fieldRestriction::replaceValues deploy sitestandardpolicies::add	Tools > Site Standards	Update level for all site standards deployed. Update level for site standard policies.
Rename or delete site standard policies deploy sitestandardpolicy::rename deploy sitestandardpolicy::delete	Tools > Site Standards	Full level for site standard policies.

API / API Service

Access Control Category

Access Level

Build jobs definitions

build <definitionsFile>

Access tokens are enough.

Retrieve deployed job definitions

deploy jobs::get

Planning > Folders and Jobs

Browse level on all retrieved folders

Server: All
Folder Name: *
Access Level: Browse

Deploy definitions of Control-M objects

deploy <definitionsFile>
deploy poll

Planning > Folders and Jobs

Update level on all folders deployed

Server: All
Folder Name: *
Access Level: Update

Planning > Run as

Grant permission to write jobs that Run as use on specific hosts as required by all jobs deployed.

Server: All
Run as Name or Pattern: *
Agent/Host Group: *

Tools > Calendars

Update level on all calendars deployed

Server: All
Calendar Name: *
Access Level: Update

Tools > Site Standards

Update level for all site standards deployed.

Update level for site standard policies.

Configuration > Connection Profiles

Full level on all connection profiles deployed if you plan to create new connection profiles. Update level if you only want to modify existing connection profiles.

Server: All
Name: *
Access Level: Full or Update

Delete deployed objects

deploy folder::delete
deploy subfolder::delete
deploy job::delete

Planning > Folders and Jobs

Full access level on all folders to delete

Server: All
Folder Name: *
Access Level: Full

Deploy AI job type

deploy ai:jobtype

Tools > Application Integrator

Full

Retrieve details of deployed AI job types

deploy ai:jobtypes::get

Retrieve deployed calendar definitions

deploy calendars::get

Tools > Calendars

Browse access level on all calendars to retrieve

Server: All
Calendar Name: *
Access Level: Browse

Delete a deployed calendar

deploy calendar::delete

Tools > Calendars

Full access level on all calendars to delete

Server: All
Calendar Name: *
Access Level: Full

Retrieve details of deployed connection profiles

deploy connectionprofiles:centralized::get
deploy connectionprofiles:centralized:status::get
deploy connectionprofile:centralized::deploymentstatus

Configuration > Connection Profiles

Browse access level on all connection profiles to retrieve

Server: All
Name: *
Plug-in Type: All Plug-ins
Access Level: Browse

Delete deployed connection profiles

deploy connectionprofile:centralized::delete

Configuration > Connection Profiles

Full access level on all connection profiles to delete

Server: All
Name: *
Plug-in Type: All Plug-ins
Access Level: Full

Test deployed connection profiles

deploy connectionprofile::test

Retrieve details of site standards and site standard policies

deploy sitestandard:fieldRestriction::get
deploy sitestandardpolicies:details::get

Tools > Site Standards

Browse level for all site standards deployed.

Browse level for site standard policies.

Update site standards or add site standard policies

deploy sitestandard:fieldRestriction::replaceValues
deploy sitestandardpolicies::add

Tools > Site Standards

Update level for all site standards deployed.

Update level for site standard policies.

Rename or delete site standard policies

deploy sitestandardpolicy::rename
deploy sitestandardpolicy::delete

Tools > Site Standards

Full level for site standard policies.

Run Service Authorizations

The following table lists the role access levels required by the various API functions in the Run service. You set these access levels through the role definitions in the Configuration domain, on the Access Control tab.

API	Access Control Category	Access Level
Access job status and details run status run job:status::get run jobs:status::get run job:statistics::get run job::waitingInfo run job::get	Monitoring > Job Permissions	All View options for all jobs.
Perform job actions run job::confirm run job::delete run job::free run job::hold run job::kill run job:log::get run job:output::get run job::rerun run job::runNow run job::setToOk run job::undelete run job::modify	Monitoring > Job Permissions	All Actions and View options for all relevant jobs.
Run Jobs definition file run <jobDefinitionsFile> run ondemand	Planning > Folders and Jobs	Update level on all folders deployed Server: All Folder Name: * Access Level: Update Run checkbox selected
	Planning > Run as	Grant permission to write jobs that Run as a user on specific hosts, as required by all jobs deployed. Server: All Run as Name or Pattern: * Agent/Host Group: *
Order a deployed folder and jobs run order	Planning > Folders and Jobs	Update level on all folders deployed Server: All Folder Name: * Access Level: Update Run checkbox selected
Retrieve events run events::get	Tools > Events	Browse level for events retrieved Server: All Event Name: * Access Level: Browse
Add an event run event::add	Tools > Events	Update level for events to add Server: All Event Name: * Access Level: Update
Delete an event run event::delete	Tools > Events	Full access level for events to delete Server: All Event Name: * Access Level: Full
Retrieve resources run resources::get	Tools > Resource Pool	At lease Browse level for Resource Pools retrieved Server: All Resource Name: * Access Level: Browse
	Tools > Lock Resources	At lease Browse level for Lock Resources retrieved Server: All Resource Name: * Access Level: Browse
Add/update a resource run resource::add run resource::update	Tools > Resource Pool	Update level for Resource Pools updated Server: All Resource Name: * Access Level: Update
Delete a resource run resource::delete	Tools > Resource Pool	Full level for Resource Pools deleted Server: All Resource Name: * Access Level: Full
Retrieve pool variable details run variables::get	Tools > Pool Variables	Browse
Define or update pool variables run variables::set	Tools > Pool Variables	Update
Delete pool variables run variables::delete	Tools > Pool Variables	Full
Access the status of alert streaming run alerts:stream::status	Alerts	Browse
Control alert streaming and alert listening run alerts:stream::open run alerts:stream::close run alerts:listener::start run alerts:listener::stop	Alerts	Update
run alerts:stream::close with Force option set to true	Configuration > Admin Management > Configuration	Update
Set alert format run alerts:stream:template::set	Configuration > Admin Management > Configuration	Update