Defining System Settings

This procedure describes how to configure system settings in Control-M, such as environment display, IdP configuration, annotations, and Site StandardsA set of rules that are relevant to your organization, are applied on the folder level, and determine how users must define folders and jobs..

Before You Begin

• You must have Advanced Admin Authorizations to define system settings, as described in Role Authorizations. In particular, you must set the Configuration access level to Full (through Configuration > Admin Management > Configuration, on the General tab).

Begin

1. From the icon, select Configuration.

   The Configuration domain appears.

2. From the drop-down list, select System Settings.

   The System Settings pane appears.

3. From the General drop-down list, do the following:

   1. In the Time area, From the First Day of the Week drop-down list, select the day when Control-M starts a new week.

   2. In the Viewpoint History area, from the Workflows Retention Period field, select the number of days to keep Viewpoints in the History area of the Monitoring domain.

      You can retain them up to 14 days.

   3. In the Privacy Notice area, from Privacy Notice URL field, define the URL that links to the Privacy Notice from Helix Control-M, which outlines the privacy policy and compliance guidelines.

   4. In the External Alerts area, select Send Alerts to External Event Management System if you want to enable sending alerts to external event management tools.

      This option enables you to use API commands to stream alerts from Helix Control-M and to listen for alerts on your client. For more information, see Setting Up External Alerts and External Alert Management.

      After you enable external alerts, a status message appears with alert streaming status and alert listening status.

      For this status message to appear, your role must have the Alerts authorization set to Browse access. For further External Alert Management actions through Automation API, your role must have the Alerts authorization set to Update access. For more information, see Role Authorizations and Control-M Automation API Authorizations.

4. From the Environment Display drop-down list, do one of the following:

   • Select a Banner Color for your Control-M environment, enter a Title and a Description such as, Dev, Test, or Production. These preferences help you differentiate between environments.

   • From the Site Interface Language drop-down list, select the default display language for new users:

     • English

     • German

     • Spanish

     • French

       • After you change the Site Interface Language, users that are already logged in are not affected.

       • All users can change their personal site interface language. For more information, see Setting User Preferences.

       • The following appears in English only:

         • Login and logout pages

         • Control-M Application Integrator

         • Control-M Reports

         • Job logs

         • All messages sent by the Server

5. Configure an Identity Provider (IdP), as described in Configuring Authentication with an IdP.

6. From the Annotation drop-down, in the Activities that require user annotation field, select or search for Control-M activities that you want to require annotation, as described in Annotation User Categories.
7. From the Site Standard drop-down, select the Site Standard enforcement level, as follows:
   • Strictness Level: Determines whether to enforce validationThe check that Control-M performs when you check-in jobs and SMART folders, which checks for errors in the job definitions. on a new folder, as follows:
     • Strict: Issues Error validation messages, which prevents check-inA process that saves and validates your job definitions, and then submits them to the Server. and enables Enforce Site Standard selection
     • Non-Strict: Issues Warning validation messages, which allows check-in and disables Enforce Site Standard selection
   • Enforce Site Standard selection: Determines whether to enforce the assignment of a Site Standard to a job flow, which prevents users from creating a job flow without a Site Standard assigned.
8. Click Save.

Annotation User Categories

The following table describes categories that you can require users to apply annotation.

Category	Description
Account management	User and Role Authorizations
Active job information	LogThe activity log of a job, which lists every job status change, such as job execution start and completion times, and how the job ended., outputA tab in the job properties pane of the Monitoring domain where the job output appears that indicates whether a job ended OK, and is used, for example, with jobs that check file location., and statistics
Active job operations	Job Management
Active job prerequisites	EventsAn conditional entity that creates a sequential relationship between jobs by enabling the successor job to execute after the predecessor job has executed., Lock ResourcesA type of prerequisite that controls the flow of the workflow, which represents a physical or logical device that folders, sub-folders, or jobs can exclusively access or share., and Resource PoolsA type of quantifiable resource, which represents the total amount of resources from a physical or logical device that a job can access.
Alerts handling	Alerts
Authentication	Login/logout attempts, password actions
Component operations	Recycles the AgentA Control-M component installed on a host (computer) that runs and monitors the jobs on the host.
Configuration management	Defining System Settings
Scheduling Definitions	Scheduling
Security	Creating a Centralized Connection Profile

Configuring Authentication with an IdP

This procedure describes how to configure authentication with an Identity Provider (IdP) for all Control-M users. This enables you to authenticate multiple external users with one configuration, instead of creating multiple individual internal users in Control-M.

Begin

1. From the icon, select Configuration.

   The Configuration domain appears.

2. From the drop-down list, select System Settings.

   The System Settings pane appears.

3. From the Identity Provider (IdP) drop-down, select the SAML 2.0 checkbox.

4. Copy the following field values by clicking , and paste each value in your IdP application configuration.

   • Single Sign-On URL: Defines the IdP URL or SAML Endpoint, where Control-M redirects users to sign in.

   • Audience URI (Service Provider Entity ID): Defines the Service Provider URI that is used for verification.

   • Signing Certificate: Defines the certificate that ensures that messages are coming from the expected IdP and Service Providers. The SAML certificate is used to sign SAML requests, responses, and assertions from the service to the connected applications. This parameter is only required if you enable the single sign-out on the IdP.

5. Copy the Single Sign-On URL value and paste it in the Single Logout URL field in your IdP application configuration and replace the string idpresponse with logout at the end of the Single Logout URL.

6. From your IdP, you need to define the ExternalIDPGroups attribute.

   The attribute value must be the group names defined in the IdP (case-sensitive).

7. From your IdP, generate the XML metadata file and do one of the following:

   • Click Select File and browse for the XML metadata file on your machine.

   • In the XML Metadata for SAML Service Provider field, type the XML metadata file endpoint URL.

   If you disable SAML 2.0, you cannot remove the XML metadata file.

8. After you have completed this procedure, you must map the groups from the IdP to rolesAn authorization entity that grants permissions to associated users to access different functionality., as described in Adding a Role.

   All Control-M users that connect to Helix Control-M are now authenticated with SAML 2.0. Automation APIA set of programmatic interfaces that provides developers and DevOps engineers access to the capabilities of Helix Control-M within the modern application release process. is authenticated via tokensAn authorization entity, required during Agent installation, which enables you to connect the Agent to your Helix Control-M backend.. Internal users are not managed in IdP mode. Emergency users are assigned to Admin roles and are listed in the Emergency Users list.

9. Log in with the Emergency URL (<tenant_name>-emergency), copy the Admin role, and update it with groups from your IdP, as described in Adding a Role.

10. Add new roles or update existing roles with groups from your IdP.