User and Role Authorizations

In Control-M you can create users and roles, which enable you to limit the entities that a user is authorized to view or change. Users are granted permissions based on their associated role.

If Role A has authorizations to FolderA container of jobs and sub-folders that passes its definitions to the included jobs and sub-folders A and Calendar A, then all associated users that are assigned Role A have access to those entities.

There are three predefined roles that are included in Control-M.

Administrator: Enables full access to all functionality.
Team Leader: Enables partial access with the ability to manage permissions for each member of the team.
Viewer: Enables view access.

To configure authentication for all Control-M users, BMC recommends that you perform these procedures in the following order:

You can create internal users in Control-M. However, BMC recommends that you configure a connection to an Identity Provider (IdP). This enables you to authenticate multiple external users with one configuration instead of creating individual internal users in Control-M. To connect Control-M to an IdP, see Configuring Authentication with an IdP. After an IdP is enabled, all users are authenticated via SAML 2.0. You can log in with SSO to Helix Control-M via the tenant URL.

If the IdP is down, users that are assigned to Admin roles can still log in using an Emergency URL, which enables Emergency users to access Control-M. An Emergency user is any internal user that is associated with the Admin role. BMC recommends that you copy the Emergency URL and save or bookmark it. If the IdP becomes unavailable, you will need the URL to log in to Control-M. To edit the list of existing Emergency users, you must disable the IdP configuration, as described in Updating Emergency Users. After it is disabled, users that are authenticated with the IdP cannot log in to Control-M. After you have updated the list of users and the IdP becomes available, re-enable IdP.

Before you delete a role, identify the Agent tagA logical name that is used to label specific Agents into a group with a specific authorization level(s) that is associated with the role. After you delete the role, you need to delete any Agent tokensAn authorization entity, required during Agent installation, that enables you to connect the Agent to your SaaS backend that are associated with the Agent tag(s) that you identified.

Adding a Role

This procedure describes how to create a role, which limits the associated user to specific authorizations and access levels.

Begin

From the Configuration domain, click and then select Roles.

The Roles tab appears.
Click Add Role.

The Add Role pane appears.
In the General tab, do the following:
1. In the Role Name field, type a logical name for the role.
2. In the Description field, type a description for the role.
3. If you want this role to have access to Automation APIA set of programmatic interfaces that provide developers and DevOps engineers access to the capabilities of Control-M SaaS within the modern application release process, select the Automation API access checkbox.
4. Do one of the following:
  - If you want to associate users in a specific organizational group in IdP, select Organizational Groups Only, and from the Set Organizational Groups drop-down list, select or search for the organizational groups from your IdP that you want to associate to this role.
    If the list is empty, you need to manually add the names of the IdP groups by typing the name of the group and then click Add. The IdP group names are case sensitive and must appear exactly as they are in the IdP .
  - If you want to explicitly associate a specific IdP user directly in Control-M, regardless of the organizational group, select Organizational Users Only and from the Set Organizational Users drop-down list, search for the organizational user from your IdP or LDAP that you want to associate to this role.
    If the list is empty, you need to manually add the names of the IdP or LDAP user by typing the name of the user and then click Add. The IdP and LDAP user names are case sensitive and must appear exactly as they are in the IdP or LDAP.
In the Access control tab, toggle on one or more of the following that you want to apply specific authorizations to this role, as described in Role Authorizations.
Click Add.

Adding an Internal User

This procedure describes how to add a user in Control-M. User authorizations are determined by the roles that are associated to the user.

Begin

From the Configuration domain, click and then select Users.

The Users tab appears.
In the Email field, type the email address of the new user.

A confirmation email is sent to the new user that contains a link and a temporary password for first time use. The password expires in 7 days. If the password expires, you must delete the existing user and recreate the user.
In the Assigned roles drop-list, select one or more of the existing roles to assign to this user.

The role determines which authorizations the user has access to for all Control-M entities. To create a role, see Adding a Role.
Click Add.

The new user appears in the Users list.

Updating Emergency Users

This procedure describes how to update Emergency users in the event that IdP becomes unavailable (breaking glass procedure). This enables you and other Emergency users to continue working in Control-M. You can update the list of Emergency users to enable or disable specific users access to Control-M.

Begin

From the Configuration domain, click and then select System Settings.

The System Settings tab appears.
From the Identity Provider (IdP) drop-down, toggle off Enable SAML 2.0.
Click Save.

You are now working in Emergency mode and all users authenticated via IdP cannot log in to Control-M. Emergency users can log in with the following URL:

Emergency URL: <tenant_name>-emergency
To add an Emergency user, assign the Admin role to the user, as described in Adding an Internal User.
Send the Emergency URL to all Emergency users.
After IdP becomes available, toggle on Enable SAML 2.0.

Role Authorizations

The following table describes authorizations that you can apply to a role. All associated users to this role inherit the selected authorizations.

Authorization	Description
Planning	Determines whether to allow access to specific folders, Run as usersAn OS account name that is used to execute the job on the host, and named pool variablesA type of variable with a pool parameter, that you set in one job and can reference in any subsequent job with the same pool parameter. A Named Pool is a logical grouping of variables..
Folders	Grants access to specific folders with an authorization level for each folder, as follows: Folder Name: Defines the name of the folder that associated users can access You can define the folder name with a regular expression. Browse: Enables the associated users to view folders Update: Enables the associated users to add and edit folders Full: Enables the associated users to add, edit, and delete folders Run: Determines whether associated users can runA Control-M process that adds your job to the Run Queue of the day, according to automatic or manual scheduling, and which enables the job to execute, depending on prerequisites specific folders. This option is independent of the access levels. You can enable associated users to run folders on all access levels. This option also determines whether associated users can use the Run option in the Monitoring domain. This authorization also determines whether associated users are granted access to the Folder Management tool.
Run as	Enables associated users to use the listed run as users or pattern in job definitionsThe set of parameters that defines what the job does, when it must run, its prerequisites to run, and post-processing actions for Control-M to perform after its completion (also called a job processing definition). Run as Name or pattern: Identifies the user name with the authorization to execute the job. Agent or Host Group: Defines the name of the AgentA Control-M component installed on a host that runs and monitors the jobs on the host computer or host group where the job is submitted.
Monitoring	Determines whether to allow access to specific jobs and servicesA set of workflows that serves a business purpose, and can be monitored as a single unit.
Job permissions	Determines which of the following entities associated users can view on all jobs or on specific jobs with a filter: Documentation JCL/Script Job settings Log Output Statistics Why Determines which of the following actions associated users can perform on all jobs or on specific jobs with a filter: Bypass Confirm Delete Edit JCL/Script Edit job settings Free HoldA job action that stops the job from executing or pauses a job that has already started executing Kill Rerun Restore (Un-Delete) Set to OK To add a filter, which includes or excludes jobs, click Add a filter and then apply the required If statement. If you want to add another group of fields which, when met, can include more fields, even if the other group of fields do not meet the conditions, click Add Condition and then select Add And Condition or Add Or Condition.
Service permissions	Grants associated users or groups of users access to view services, perform job actions, run, hold, and release services, as follows: Service Name or Pattern: Defines the name of the service that associated users can access Drill-Down to View Jobs: Enables the associated users to view jobs inside a service.
Archived Viewpoints	Grants associated users access to Archived Viewpoints, as follows: None: Disables access to Archived Viewpoints Full: Enables associated users to add, edit, and delete Archived Viewpoints
Tools	Determines whether to allow access to Application IntegratorA Control-M component that enables you to create an integration with a third-party business application, and then create custom job types that perform specialized tasks on your application, CalendarsA reusable job schedule that you can apply to many jobs, which enables you to perform schedule changes from a single location, EventsAn entity that creates a sequence relationship between jobs by enabling the successor job to execute after the predecessor job has executed, Resource PoolsA type of quantifiable resource, which represents the total amount of resources from a physical or logical device that a job can access, Lock ResourcesA type of resource that controls the flow of the workflow, which represents a physical or logical device that a folder, sub-folder, or job can access exclusively or share, Site StandardsA set of rules that are relevant to your organization and applied on the folder level, and that determines how users must define folders and jobs, and User ViewsA customization of the Control-M interface, which enables users to view specific functionality only.
Application Integrator	Grants associated users access to Application Integrator, as follows: None: Disables the associated users to open Application Integrator. Browse: Enables the associated users to view existing job types. Users cannot deploy, modify, or create new job types. Update: Enables the associated users to deploy, modify, and create new job types. Users cannot undeploy. Full: Enables the associated users to perform all actions.
Calendars	Grants access to specific calendars with an authorization level for each calendar, as follows: Calendar Name: Defines the name of the calendar that associated users can access Browse: Enables the associated users to view calendars Update: Enables the associated users to add and edit calendars Full: Enables the associated users to add, edit, and delete calendars
Events	Grants access to specific events with an authorization level for each event, as follows: Event Name: Defines the name of the event that associated users can access Browse: Enables the associated users to view event Update: Enables the associated users to add and edit event Full: Enables the associated users to add, edit, and delete event
Lock Resources	Grants access to specific Lock Resources with an authorization level for each Lock Resource, as follows: Name: Defines the name of the Lock Resource that associated users can access Browse: Enables the associated users to view Lock Resources Update: Enables the associated users to add and edit Lock Resources Full: Enables the associated users to add, edit, and delete Lock Resources
Pool Variables (API only)	Grants associated users access to named pool variables using API commands, as follows: Variable Name: Defines the name of the named pool variable Browse: Enables the associated users to view named pool variables Update: Enables the associated users to add and edit named pool variables Full: Enables the associated users to add, edit, and delete named pool variables
Reports	Grants access to Reports, as follows: None: Disables access to Reports Full: Enables the associated users to add, edit, and delete Reports
Resource Pools	Grants access to specific Resource Pools with an authorization level for each Resource Pool, as follows: Name: Defines the name of the Resource Pool that associated users can access Browse: Enables the associated users to view Resource Pools Update: Enables the associated users to add and edit Resource Pools Full: Enables the associated users to add, edit, and delete Resource Pools
Secrets	Grants access to specific Automation API Config secrets in the JSON with an authorization level for each secret, as follows: Secret Name: Defines the name of the secret that associated users can access Browse: Enables the associated users to view API secrets Update: Enables the associated users to add and edit API secrets Full: Enables the associated users to add, edit, and delete API secrets After you update the role, you must regenerate an API token to use the updated authorizations, as described in Creating an API Token.
Site Standards	Grants access to specific Site Standards with an authorization level for each Site Standard, as follows: Site Standard Name: Defines the name of the Site Standards that associated users can access Browse: Enables the associated users to view Site Standards Update: Enables the associated users to add and edit Site Standards Full: Enables the associated users to add, edit, and delete Site Standards Site Standard Policy Access Level: Grants access to specific Site Standard policies with an authorization level for each Site Standard policy, as follows: Browse: Enables the associated users to view Site Standard policies Update: Enables the associated users to add and edit Site Standard policies Full: Enables the associated users to add, edit, and delete Site Standard policies
User Views	Grants access to specific user views with an authorization level for each user view, as follows: User View Name: Defines the name of the user view that associated users can access Browse: Enables the associated users to view User Views Update: Enables the associated users to add and edit User Views Full: Enables the associated users to add, edit, and delete User Views
Configuration	Enables the Administrator to delegate control to users to carry out specific administrative tasks on Agents, plug-insA Control-M component that extends functionality to third-party applications like Hadoop or SAP and integrates plug-in jobs with other jobs into a single workflow, and connection profilesA profile that contains the connection parameters to a specific application, such as hostname, port, username, and password. Users can create, configure, and monitor their resources, which eliminates the dependencies on the Control-M Administrator. The Control-M Administrator can restrict access and control to the users to their defined resources, without exposing other resources in the environment.
Agents	Grants access to specific Agents as follows: Agent/Host Group Tag: Defines a logical name that is used to label specific Agents into a group with a specific authorization level. You can only define one tag per Agent. Users can define their own tags with the asterisk character if they have the correct permissions. For example, if users have been assigned the Agent tag with the value Fin*, they can define their own tag names when they install Agents, such as FinDev or FinOps. Browse: Enables the associated users to view Agents Update: Enables the associated users to install, recycle, ping, disable, and enable Agents Full: Enables the associated users to edit and delete Agents in addition to the permissions in the Update access level
Plug-ins	Grants access to specific plug-ins with an authorization level for each plug-in, as follows: Agent Tag: Determines which Agent tags the associated users have access to Plug-in Type: Determines which plug-ins associated users have access to, such as AWS or Database. Browse: Enables the associated users to view plug-ins Update: Enables the associated users to view and edit plug-ins Full: Enables the associated users to delete plug-ins in addition to the permissions in the Update access level
Connection Profiles	Grants access to specific connection profiles with an authorization level for each connection profile, as follows: Name: Determines which connection profiles associated users have access to Plug-in Type: Determines which plug-ins associated users have access to, such as AWS or Database. Browse: Enables the associated users to view connection profiles Update: Enables the associated users to view and edit connection profiles Full: Enables the associated users to delete Plug-ins in addition to the permissions in the Update access level
Users and Roles	Grants associated users access to users and roles, as follows: Browse: Enables the associated users to view user and roles Update: Enables the associated users to create and edit existing users and roles Full: Enables the associated users to create, edit, and delete users and roles To generate new API tokensA user authentication token used when running Automation API commands based on all available roles, API token management administration requires at least browse access for user and roles.
Run as Definition	Grants associated users access to manage Run as User definitions, as follows: Browse: Enables the associated users to view Run as Users Update: Enables the associated users to create and edit existing Run as Users Full: Enables the associated users to create, edit, and delete Run as Users
Admin Management	Grants associated users access to the following categories, as follows: Authorizations/Users & Roles: Grants associated users to apply authorizations on other users in Control-M/EM, as follows: None: Disables the associated users to view other users Browse : Enables the associated users to view other users Update: Enables the associated users to add and edit other users Full: Enables the associated users to delete other users Configuration: Grants associated users access to Control-M/EM, Control-M/Server, and Control-M/Agent components, as follows: None: Disables the associated users to view components Browse : Enables the associated users to view components Update: Enables the associated users to add and edit components Full: Enables the associated users to delete components Operation: Grants associated users access to start, stop, recycle, and ignore components, as follows: None: Disables the associated users access to Operation actions Update: Enables the associated users to start, stop, recycle, and ignore components Full: Enables the associated users to start, stop, recycle, and ignore components Security: Grants associated users access to Control-M/Server user and roles, as well create, edit, copy, export, test, and delete connection profiles fora plug-in, as follows: None: Disables the associated users access to Security Browse : Enables the associated users to view Control-M/Server user and roles and connection profiles Update: Enables the associated users to add and edit Control-M/Server user and roles and connection profiles Full: Enables the associated users to delete Control-M/Server user and roles and connection profiles If the access levels defined in Configuration and Security are higher than those defined in Agents and Host Groups, Plug-ins, and, Connection Profiles, the definitions in Admin Management take precedence and vice versa.
Advanced Admin Authorizations	Grants associated users full permissions to access Agents, connection profiles, plug-ins, Host Groups, System Settings, and API Token management. To enable access to API Token management, you must verify that the Automation API access checkbox is enabled in the General tab. If the Automation API access checkbox is enabled and this option is disabled, associated users can only view their own API Tokens. If both options are enabled, associated users can view and delete API tokens that were created by other users, as well. In addition, they can generate new tokens with a different role authorization.
Alerts	Determines whether to allow access to alertsA notification about the status of a job or a component that appears in the Alerts window and with one of the following access levels: Browse: Enables the associated users to view alerts Update: Enables the associated users to update alerts Full: Enables the associated users to update alerts