Defining System Settings

This procedure describes how to configure system settings in Control-M, such as environment display, IdP configuration, annotations, and Site Standards (a set of rules that are relevant to your organization and applied on the folder level, and that determines how users must define folders and jobs).

Before you Begin

  • You must have Advanced Admin Authorizations to define system settings, as described in Role Authorizations.


  1. From the Configuration domain, click and then select System Settings.

    The System Settings pane appears.

  2. From the General drop-down list, do the following:
    1. In the Time area, from the First day of the week drop-down list, select the day when Control-M starts a new week.

    2. In the Viewpoint History area, from the Workflows retention period field, select the number of days to keep Viewpoints in the History area of the Monitoring domain.

      You can retain them up to 14 days.

  3. From the Environment Display drop-down list, select the color that you want to appear in the banner of Control-M, and enter a Title and a Description, such as Dev, Test, or Production.

    The colors help you differentiate between the environments.

  4. Configure an Identity Provider (IdP), as described in Configuring Authentication with an IdP.

  5. From the Annotation drop-down, in the Activities that require user annotation field, select or search for the Control-M activities for which you want to require annotation, as described in Annotation User Categories.
  6. From the Site Standard drop-down, select the Site Standard enforcement level, as follows:
  7. Click Save.

Annotation User Categories

The following categories are available when you require users to apply an annotation.



  • Account management: User and Role Authorizations

  • Active job information: Log (the activity log of a job, which lists every status change to a job, such as job execution start and completion time, and whether the job succeeded), output (a tab in the job properties pane in the Monitoring domain that shows the output of a job, which indicates whether a job ended OK, and used, for example, with jobs that check file location), and statistics

  • Active job operations: Job Management

  • Active job prerequisites: Events (an entity that creates a sequence relationship between jobs by enabling the successor job to execute after the predecessor job has executed), Lock Resources (a type of resource that controls the flow of the workflow, which represents a physical or logical device that a folder, sub-folder, or job can access exclusively or share), and Resource Pools (a type of quantifiable resource, which represents the total amount of resources from a physical or logical device that a folder, sub-folder, or job can access)

  • Alerts handling: Alerts

  • Authentication: Login/logout attempts, password actions

  • Component operations: Recycles the Agent (a Control-M component installed on a host that runs and monitors the jobs on the host)

  • Configuration management

  • Scheduling Definitions

  • Security: Creating a Centralized Connection Profile

Configuring Authentication with an IdP

This procedure describes how to configure authentication with an Identity Provider (IdP) for all Control-M users. This enables you to authenticate multiple external users with one configuration instead of creating individual internal users in Control-M.


  1. From the Identity Provider (IdP) drop-down, toggle on Enable SAML 2.0.

  2. Copy the following field values by clicking and paste them in your IdP application configuration.

    • Single sign-on URL: Defines the IdP URL or SAML Endpoint, where Control-M redirects users to sign in.

    • Audience URI (Service Provider entity ID): Defines the Service Provider URI that is used for verification.

    • Signing certificate: Defines the certificate that ensures that messages are coming from the expected IdP and Service Providers. The SAML certificate is used to sign SAML requests, responses, and assertions from the service to the connected applications. This parameter is only required if you enable the single sign-out on the IdP.

  3. Copy the Single sign-on URL value and paste it in the Single Logout URL field in your IdP application configuration.

  4. Replace the string idresponse with logout.

  5. In your IdP, define the ExternalIDPGroups attribute with the group names defined in the IdP (case-sensitive).

    After you have completed this procedure, you need to map the groups from the IdP to roles (an authorization entity that grants permissions to associated users to access different functionality), as described in Adding a Role.

  6. Generate the XML meta-data from your IdP, and then either enter the path to the XML file saved locally or provide the meta-data document endpoint URL.

    If you disable SAML 2.0, you cannot remove the XML meta-data file.

    All Control-M users that connect to the web interface are now authenticated with SAML 2.0. Automation API (a set of programmatic interfaces that provide developers and DevOps engineers access to the capabilities of Control-M SaaS within the modern application release process) is authenticated via tokens (an authorization entity, required during Agent installation, that enables you to connect the Agent to your SaaS backend). Internal users are not managed in IdP mode. Emergency users are assigned to Admin roles and are listed in the Emergency Users list.

  7. Log in with the Emergency URL (<tenant_name>-emergency) and copy the Admin role and update it with groups from your IdP, as described in Adding a Role.

  8. Add new roles or update existing roles with groups from your IdP.
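
A pre-flight check for steps 3 to 5 of this procedure, added here as an example and not part of the Control-M product or its documentation: it derives the Single Logout URL from the Single sign-on URL and compares the ExternalIDPGroups values in a captured assertion against the groups mapped to roles, flagging names that differ only by case. The tenant URL, group names, and sample assertion are constructed placeholders, and the one-AttributeValue-per-group layout is an assumption about how your IdP emits the attribute.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample values: the URL, groups and assertion are placeholders.
SSO_URL = "https://tenant.example.com/saml/idresponse"
ROLE_GROUPS = {"CTM-Admins", "CTM-Operators"}  # groups mapped to roles
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="ExternalIDPGroups">
      <saml:AttributeValue>CTM-Admins</saml:AttributeValue>
      <saml:AttributeValue>ctm-operators</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def single_logout_url(sso_url):
    """Step 4: replace the string idresponse with logout."""
    if sso_url.count("idresponse") != 1:
        raise ValueError("expected exactly one 'idresponse' in the SSO URL")
    return sso_url.replace("idresponse", "logout")

def check_groups(assertion_xml, role_groups):
    """Step 5: compare ExternalIDPGroups values with the role mappings."""
    # Only parse XML you captured yourself from a test login.
    root = ET.fromstring(assertion_xml)
    attr = root.find(".//saml:Attribute[@Name='ExternalIDPGroups']", NS)
    if attr is None:
        raise ValueError("assertion carries no ExternalIDPGroups attribute")
    sent = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    by_lower = {g.lower(): g for g in role_groups}
    report = {"matched": [], "case_mismatch": [], "unmapped": []}
    for group in sent:
        if group in role_groups:            # exact, case-sensitive match
            report["matched"].append(group)
        elif group.lower() in by_lower:     # same name, different case
            report["case_mismatch"].append((group, by_lower[group.lower()]))
        else:
            report["unmapped"].append(group)
    return report

if __name__ == "__main__":
    print(single_logout_url(SSO_URL))
    print(check_groups(SAMPLE_ASSERTION, ROLE_GROUPS))
```

A non-empty case_mismatch list means the IdP sends a group whose name differs from the role mapping only in case, which the case-sensitive comparison treats as a different group.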