Defining System Settings

This procedure describes how to configure system settings in Control-M, such as environment display, IdP configuration, annotations, and Site StandardsClosedA set of rules that are relevant to your organization and applied on the folder level, and that determines how users must define folders and jobs.

Before you Begin

  • You must have Advanced Admin Authorizations to define system settings, as described in Role Authorizations. In particular, you must set the Configuration access level to Full (through Configuration > Admin Management > Configuration, on the General tab).


  1. From the Configuration domain, click and then select System Settings.

    The System Settings pane appears.

  2. From the General drop-down list, do the following:
    1. In the Time area, From the First day of the week drop-down list, select the day when Control-M starts a new week.

    2. In the Viewpoint History area, from the Workflows retention period field, select the number of days to keep Viewpoints in the History area of the Monitoring domain.

      You can retain them up to 14 days.

    3. In the Privacy Notice area, from Privacy Notice URL field, define the URL that links to the Privacy Notice from Helix Control-M, which outlines the privacy policy and compliance guidelines.

    4. In the External Alerts area, select Send Alerts to External Event Management System if you want to enable sending alerts to external event management tools.

      This option enables you to use API commands to stream alerts from Helix Control-M and to listen for alerts on your client. For more information, see Setting Up External Alerts and External Alert Management.

      After you enable external alerts, a status message appears with alert streaming status and alert listening status.

      For this status message to appear, your role must have the Alerts authorization set to Browse access. For further External Alert Management actions through Automation API, your role must have the Alerts authorization set to Update access. For more information, see Role Authorizations and Control-M Automation API Authorizations.

  3. From the Environment Display drop-down list, do one of the following:

    • Select a Banner Color for your Control-M environment, enter a Title and a Description such as, Dev, Test, or Production. These preferences help you differentiate between environments.

    • From the Site Interface Language drop-down list, select the default display language for new users:

      • English

      • German

      • Spanish

      • French

        • After you change the Site Interface Language, users that are already logged in are not affected.

        • All users can change their personal site interface language. For more information, see Setting User Preferences.
        • The following appears in English only:

          • Login and logout pages

          • Control-M Application Integrator

          • Control-M Reports

          • Job logs

          • All messages sent by the Server

  4. Configure an Identity Provider (IdP), as described in Configuring Authentication with an IdP.

  5. From the Annotation drop-down, in the Activities that require user annotation field, select or search for Control-M activities that you want to require annotation, as described in Annotation User Categories.
  6. From the Site Standard drop-down, select the Site Standard enforcement level, as follows:
  7. Click Save.

Annotation User Categories

The following table describes categories that you can require users to apply annotation.



Account management

User and Role Authorizations

Active job information

LogClosedThe activity log of a job, which lists every status change to a job, such as job execution start and completion time, and whether the job succeeded, outputClosedA tab in the job properties pane in the Monitoring domain that shows the output of a job, which indicates whether a job ended OK, and used, for example, with jobs that check file location, and statistics

Active job operations

Job Management

Active job prerequisites

EventsClosedAn entity that creates a sequence relationship between jobs by enabling the successor job to execute after the predecessor job has executed, Lock ResourcesClosedA type of resource that controls the flow of the workflow, which represents a physical or logical device that a folder, sub-folder, or job can access exclusively or share, and Resource PoolsClosedA type of quantifiable resource, which represents the total amount of resources from a physical or logical device that a job can access

Alerts handling



Login/logout attempts, password actions

Component operations

Recycles the AgentClosedA Control-M component installed on a host that runs and monitors the jobs on the host

Configuration management

Scheduling Definitions



Creating a Centralized Connection Profile

Configuring Authentication with an IdP

This procedure describes how to configure authentication with an Identity Provider (IdP) for all Control-M users. This enables you to authenticate multiple external users with one configuration instead of creating individual internal users in Control-M.


  1. From the Identity Provider (IdP) drop-down, toggle on Enable SAML 2.0.

  2. Copy the following field values by clicking and paste them in your IdP application configuration.

    • Single sign-on URL: Defines the IdP URL or SAML Endpoint, where Control-M redirects users to sign in.

    • Audience URI (Service Provider entity ID): Defines the Service Provider URI that is used for verification.

    • Signing certificate :Defines the certificate that ensures that messages are coming from the expected IdP and Service Providers. The SAML certificate is used to sign SAML requests, responses, and assertions from the service to the connected applications. This parameter is only required if you enable the single sign-out on the IdP.

  3. Copy the Single sign-on URL value and paste it in the Single Logout URL field in your IdP application configuration and replace the string idpresponse with logout at the end of the Single Logout URL.

  4. From your IdP, you need to define the ExternalIDPGroups attribute.

    The attribute value must be the group names defined in the IdP (case-sensitive).

  5. Generate the XML meta-data from your IdP and insert the XML file path with a file saved locally or provide the meta-data document endpoint URL.

    If you disable SAML 2.0, you cannot remove the XML meta-data file.

  6. After you have completed this procedure, you need to map the groups from the IdP to rolesClosedAn authorization entity that grants permissions to associated users to access different functionality, as described in Adding a Role.

    All Control-M users that connect to the web interface are now authenticated with SAML 2.0. Automation APIClosedA set of programmatic interfaces that provide developers and DevOps engineers access to the capabilities of Control-M SaaS within the modern application release process is authenticated via tokensClosedAn authorization entity, required during Agent installation, that enables you to connect the Agent to your SaaS backend. Internal users are not managed in IdP mode. Emergency users are assigned to Admin roles and are listed in the Emergency Users list.

  7. Log in with the Emergency URL (<tenant_name>-emergency) and copy the Admin role and update it with groups from your IdP, as described in Adding a Role.

  8. Add new roles or update existing roles with groups from your IdP.