Defining System Settings

This procedure describes how to configure system settings in Control-M, such as environment display, IdP configuration, annotations, and Site StandardsClosedA set of rules that are relevant to your organization, are applied on the folder level, and determine how users must define folders and jobs..

Before You Begin

  • You must have Advanced Admin Authorizations to define system settings, as described in Role Authorizations. In particular, you must set the Configuration access level to Full (through Configuration > Admin Management > Configuration, on the General tab).


  1. From the icon, select Configuration.

    The Configuration domain appears.

  2. From the drop-down list, select System Settings.

    The System Settings pane appears.

  3. From the General drop-down list, do the following:
    1. In the Time area, From the First Day of the Week drop-down list, select the day when Control-M starts a new week.

    2. In the Viewpoint History area, from the Workflows Retention Period field, select the number of days to keep Viewpoints in the History area of the Monitoring domain.

      You can retain them up to 14 days.

    3. In the Privacy Notice area, from Privacy Notice URL field, define the URL that links to the Privacy Notice from Helix Control-M, which outlines the privacy policy and compliance guidelines.

    4. In the External Alerts area, select Send Alerts to External Event Management System if you want to enable sending alerts to external event management tools.

      This option enables you to use API commands to stream alerts from Helix Control-M and to listen for alerts on your client. For more information, see Setting Up External Alerts and External Alert Management.

      After you enable external alerts, a status message appears with alert streaming status and alert listening status.

      For this status message to appear, your role must have the Alerts authorization set to Browse access. For further External Alert Management actions through Automation API, your role must have the Alerts authorization set to Update access. For more information, see Role Authorizations and Control-M Automation API Authorizations.

  4. From the Environment Display drop-down list, do one of the following:

    • Select a Banner Color for your Control-M environment, enter a Title and a Description such as, Dev, Test, or Production. These preferences help you differentiate between environments.

    • From the Site Interface Language drop-down list, select the default display language for new users:

      • English

      • German

      • Spanish

      • French

        • After you change the Site Interface Language, users that are already logged in are not affected.

        • All users can change their personal site interface language. For more information, see Setting User Preferences.
        • The following appears in English only:

          • Login and logout pages

          • Control-M Application Integrator

          • Control-M Reports

          • Job logs

          • All messages sent by the Server

  5. Configure an Identity Provider (IdP), as described in Configuring Authentication with an IdP.

  6. From the Annotation drop-down, in the Activities that require user annotation field, select or search for Control-M activities that you want to require annotation, as described in Annotation User Categories.
  7. From the Site Standard drop-down, select the Site Standard enforcement level, as follows:
  8. Click Save.

Annotation User Categories

The following table describes categories that you can require users to apply annotation.



Account management

User and Role Authorizations

Active job information

LogClosedThe activity log of a job, which lists every job status change, such as job execution start and completion times, and how the job ended., outputClosedA tab in the job properties pane of the Monitoring domain where the job output appears that indicates whether a job ended OK, and is used, for example, with jobs that check file location., and statistics

Active job operations

Job Management

Active job prerequisites

EventsClosedAn conditional entity that creates a sequential relationship between jobs by enabling the successor job to execute after the predecessor job has executed., Lock ResourcesClosedA type of prerequisite that controls the flow of the workflow, which represents a physical or logical device that folders, sub-folders, or jobs can exclusively access or share., and Resource PoolsClosedA type of quantifiable resource, which represents the total amount of resources from a physical or logical device that a job can access.

Alerts handling



Login/logout attempts, password actions

Component operations

Recycles the AgentClosedA Control-M component installed on a host (computer) that runs and monitors the jobs on the host.

Configuration management

Scheduling Definitions



Creating a Centralized Connection Profile

Configuring Authentication with an IdP

This procedure describes how to configure authentication with an Identity Provider (IdP) for all Control-M users. This enables you to authenticate multiple external users with one configuration, instead of creating multiple individual internal users in Control-M.


  1. From the icon, select Configuration.

    The Configuration domain appears.

  2. From the drop-down list, select System Settings.

    The System Settings pane appears.

  3. From the Identity Provider (IdP) drop-down, select the SAML 2.0 checkbox.

  4. Copy the following field values by clicking , and paste each value in your IdP application configuration.

    • Single Sign-On URL: Defines the IdP URL or SAML Endpoint, where Control-M redirects users to sign in.

    • Audience URI (Service Provider Entity ID): Defines the Service Provider URI that is used for verification.

    • Signing Certificate: Defines the certificate that ensures that messages are coming from the expected IdP and Service Providers. The SAML certificate is used to sign SAML requests, responses, and assertions from the service to the connected applications. This parameter is only required if you enable the single sign-out on the IdP.

  5. Copy the Single Sign-On URL value and paste it in the Single Logout URL field in your IdP application configuration and replace the string idpresponse with logout at the end of the Single Logout URL.

  6. From your IdP, you need to define the ExternalIDPGroups attribute.

    The attribute value must be the group names defined in the IdP (case-sensitive).

  7. From your IdP, generate the XML metadata file and do one of the following:

    • Click Select File and browse for the XML metadata file on your machine.

    • In the XML Metadata for SAML Service Provider field, type the XML metadata file endpoint URL.

    If you disable SAML 2.0, you cannot remove the XML metadata file.

  8. After you have completed this procedure, you must map the groups from the IdP to rolesClosedAn authorization entity that grants permissions to associated users to access different functionality., as described in Adding a Role.

    All Control-M users that connect to Helix Control-M are now authenticated with SAML 2.0. Automation APIClosedA set of programmatic interfaces that provides developers and DevOps engineers access to the capabilities of Helix Control-M within the modern application release process. is authenticated via tokensClosedAn authorization entity, required during Agent installation, which enables you to connect the Agent to your Helix Control-M backend.. Internal users are not managed in IdP mode. Emergency users are assigned to Admin roles and are listed in the Emergency Users list.

  9. Log in with the Emergency URL (<tenant_name>-emergency), copy the Admin role, and update it with groups from your IdP, as described in Adding a Role.

  10. Add new roles or update existing roles with groups from your IdP.