User and Role Authorizations

You can create new users and roles, which enable you to limit what a user is authorized to view or change. Users are granted permissions based on their associated role.

If Role_A is authorized to view and change Folder_A and Calendar_A, then all associated users that are assigned Role_A have the same type of access to those entities.

There are three predefined roles in Control-M, as follows:

Administrator: Enables full access to all functionality.
Team Leader: Enables partial access with the ability to manage permissions for each member of the team.
Viewer: Enables view access only.

To configure authentication for all Control-M users, BMC recommends that you perform these procedures, in the following order:

Adding a Role
Creating an Internal User
Defining System Settings

You can create internal users in Control-M. However, BMC recommends that you configure a connection to an Identity Provider (IdP) . This enables you to authenticate multiple external users with one configuration, instead of creating individual internal users in Control-M. To connect Control-M to an IdP, see Defining System Settings. After an IdP is enabled, all users are authenticated via SAML 2.0. You can log in with SSO to Helix Control-M via the tenant URL.

If the IdP is down, users that are assigned to Administrator roles can still log in using an Emergency URL, which enables Emergency users access to Control-M. An Emergency user is any internal user that is associated with the Administrator role. BMC recommends that you bookmark or record the Emergency URL. If the IdP becomes unavailable, you will need this URL to log in to Control-M. To edit the list of existing Emergency users, you must disable the IdP configuration, as described in Updating Emergency Users. After it is disabled, users that are authenticated with the IdP cannot log in to Control-M. After you have updated the list of users and the IdP becomes available, re-enable IdP.

Before you delete a role, identify the Agent tags A logical name that is used to label specific Agents in a group that has a specific authorization level. that are associated with the role. After you delete the role, you must delete any Agent tokens An authorization entity, required during Agent installation, which enables you to connect the Agent to your Helix Control-M backend. that are associated with the Agent tags that you identified.

Adding a Role

This procedure describes how to create a role, which limits the associated users to specific authorizations and access levels.

Begin

From the icon, select Configuration.

The Configuration domain appears.
From the drop-down list, select Roles.

The Roles pane appears.
Click Add Role.

The Add Role pane appears.
In the General tab, do the following:
1. In the Role Name field, type a logical name for the role.
2. In the Description field, type a description for the role.
3. Select the Automation API Access checkbox to grant this role access to Automation API A set of programmatic interfaces that provides developers and DevOps engineers access to the capabilities of Helix Control-M within the modern application release process..
4. Do one of the following:
  - To associate users in a specific organizational group in IdP , from the Associated with Organizational Groups drop-down list, select or search for the organizational groups in your IdP that you want to associate with this role.
    If the list is empty, you must manually add the names of the IdP groups: type the name of the group and click Add. The IdP group names are case sensitive and must appear exactly as they are in the IdP .
  - To explicitly associate a specific IdP user, regardless of the organizational group, from the Associated with Organizational Users drop-down list, select or search for the organizational user in your IdP that you want to associate with this role.
    If the list is empty, you must manually add the IdP user: type the name of the user and click Add. The IdP and LDAP user names are case sensitive and must appear exactly as they are in the IdP .
In the Access Control tab, select one or more of the checkboxes to give specific authorizations for this role, as described in Role Authorizations.
Click Save.

Creating an Internal User

This procedure describes how to add an internal user in Control-M. User authorizations are determined by the roles that are associated with the user.

Begin

From the icon, select Configuration.
The Configuration domain appears.
From the drop-down list, select Users.

The Users pane appears.
Click Add User.

The Add User pane appears.
In the Email field, type the email address of the new user.

A confirmation email is sent to the new user, with a link to Helix Control-M and a temporary password for first-time use. The password expires in seven days. If the password expires, you must delete and recreate the existing user.
In the Assigned Roles drop-list, select one or more existing roles to assign to this user.

Roles determine what the user has access to throughout Control-M. To create a role, see Adding a Role.
Click Add.

The new user appears in the Users pane.

Updating Emergency Users

This procedure describes how to update Emergency users in the event that IdP becomes unavailable (breaking glass procedure). This enables you and other Emergency users to continue working in Control-M. You can update the list of Emergency users to enable or disable specific users access to Control-M.

Begin

From the icon, select Configuration.

The Configuration domain appears.
From the drop-down list, select System Settings.

The System Settings pane appears.
From the Identity Provider (IdP) drop-down, clear the Enable SAML 2.0 checkbox.
Click Save.

You are now working in Emergency mode and all users authenticated via IdP cannot log in to Control-M. Emergency users can log in with the following URL:
Emergency URL: <tenant_name>-emergency
To add an Emergency user, assign the Admin role to the user, as described in Creating an Internal User.
Send the Emergency URL to all Emergency users.
After the IdP becomes available, check the Enable SAML 2.0 checkbox.

Role Authorizations

The following table describes authorizations that you can apply to a role in the Access Control tab. All users associated with this role inherit the defined authorizations.

Authorization	Description
Planning	Determines whether to allow access to specific folders, Run as Users An OS account name that is used to execute jobs on the host., or Named Pool variables A type of variable that you create in one job and can reference in subsequent jobs with the same Pool parameter. A Named Pool is a logical grouping of variables..
Folders	Grants access to specific folders with an access level for each folder, as follows: Server: Defines the name of the Server that processes the job. Folder Name: Defines the name of the folder that associated users can access. You can define the folder name with a regular expression. Access Level Browse: Enables associated users to view folders. Update: Enables associated users to add and edit folders. Full: Enables associated users to add, edit, and delete folders. Run: Determines whether associated users can run A Control-M process that adds your job to the Run Queue of the day, according to automatic or manual scheduling, and which enables the job to execute after it fulfills its prerequisites. specific folders. This option is independent of the access levels. You can enable associated users to run folders on all access levels. This option also determines whether associated users can use the Run option in the Monitoring domain. Job Permissions: Determines whether to enable authorizations on jobs in a specific folder, based on the Application and Sub-application criteria and according to the defined access level. This authorization also determines whether associated users are granted access to the Folder Management tool.
Run As	Enables associated users to use the listed run as users or pattern in job definitions The set of parameters that defines what the job does, when it runs, its prerequisites, and the post-processing actions Control-M performs after it ends (also called a job processing definition).. Server: Defines the name of the Server that processes the job. Run as Name or Pattern: Identifies the username with the authorization to execute the job. Agent or Host Group: Defines the name of the Agent A Control-M component installed on a host (computer) that runs and monitors the jobs on the host. computer or host group where the job is submitted.
Monitoring	Determines whether to allow access to specific jobs and services A set of workflows that serves a business purpose, and can be monitored as a single unit..
Job Permissions	Determines which of the following actions and views are available to associated users, as follows: Actions: Associated users can perform any of the following actions when they are selected: Bypass Confirm Delete Edit JCL/Script Edit Jobs Settings To enable this permission, the role must have Run As authorizations. Free Hold A job action that stops the job from executing or pauses a job that is currently executing. Kill Rerun Restore (Un-Delete) Set to OK View: Associated users can perform any of the following actions when they are selected: Documentation JCL/Script Job Settings Log Output Statistics Why You can apply one or more Including Filters and Excluding Filters to grant or remove role access to jobs based on the job attributes, operators, and values that you define, as follows: If <Job Attribute> <Operator> <Value> Including Filters with an Or Condition If Run As Contains Billing OR If Host/Host Groups Exactly Accounts-Agent This including filter grants the role access to jobs when they run on the Accounts-Agentor when their Run As name contains the string Billing.
Service Permissions	Grants associated users or groups of users access to view services, perform job actions, run, hold, and release services, as follows: Service Name or Pattern: Defines the name of the service that associated users can access Drill-Down to View Jobs: Enables associated users to view jobs inside a service.
Historical (Archived) Viewpoints	Grants associated users access to Historical (Archived) Viewpoints, as follows: None: Disables associated user access to Historical Viewpoints. Full: Enables associated users to add, edit, and delete Historical Viewpoints.
Tools	Determines whether to allow access to Application Integrator A Control-M component that enables you to create a third-party business application integration (plug-in), and create custom job types that perform specialized tasks in your environment., Calendars A reusable job schedule that you can apply to many jobs, which enables you to perform scheduling changes from a single location., Events An conditional entity that creates a sequential relationship between jobs by enabling the successor job to execute after the predecessor job has executed., Resource Pools A type of quantifiable resource, which represents the total amount of resources from a physical or logical device that a job can access., Lock Resources A type of prerequisite that controls the flow of the workflow, which represents a physical or logical device that folders, sub-folders, or jobs can exclusively access or share., Site Standards A set of rules that are relevant to your organization, are applied on the folder level, and determine how users must define folders and jobs., and User Views A customization of the Control-M interface, which enables users to view specific functionality only..
Application Integrator	Grants associated users access to Application Integrator, as follows: None: Disables associated user access to open Application Integrator. Browse: Enables associated users to view existing job types. Users cannot deploy, modify, or create new job types. Update: Enables associated users to deploy, modify, and create new job types. Users cannot undeploy. Full: Enables associated users to perform all actions.
Calendars	Grants access to specific calendars with an access level for each calendar, as follows: Server: Defines the name of the Server that processes the job. Calendar Name: Defines the name of the calendar that associated users can access. Access Level Browse: Enables associated users to view calendars. Update: Enables associated users to add and edit calendars. Full: Enables associated users to add, edit, and delete calendars.
Events	Grants access to specific events with an access level for each event, as follows: Server: Defines the name of the Server that processes the job. Event Name: Defines the name of the event that associated users can access. Access Level Browse: Enables associated users to view the event. Update: Enables associated users to add and edit the event. Full: Enables the associated users to add, edit, and delete the event.
Global Events	Grants access to specific global events with an access level for each global event, as follows: Prefix: Defines the name of the global event prefix that the user has access to. Access Level Browse: Enables associated users to view global events. Update: Enables associated users to add and edit global events. Full: Enables associated users to add, edit, and delete global events.
History Reports	Grants access to History Reports, as follows: None: Disables associated user access to History Reports. Full: Enables associated users to add, edit, and delete History Reports.
Lock Resources	Grants access to specific Lock Resources with an access level for each Lock Resource, as follows: Server: Defines the name of the Server that processes the job. Name: Defines the name of the Lock Resource that associated users can access. Access Level Browse: Enables associated users to view the Lock Resource. Update: Enables associated users to add and edit the Lock Resource. Full: Enables the associated users to add, edit, and delete the Lock Resource.
Pool Variables (API only)	Grants access to Named Pool variables using API commands, as follows: Server: Defines the name of the Server that processes the job. Variable Name: Defines the name of the Named Pool variable. Access Level Browse: Enables associated users to view the Named Pool variable. Update: Enables associated users to add and edit the Named Pool variable. Full: Enables associated users to add, edit, and delete the Named Pool variable.
Reports	Grants access to Reports, as follows: None: Disables associated user access to Reports. Full: Enables associated users to add, edit, and delete Reports.
Resource Pools	Grants access to specific Resource Pools with an authorization level for each Resource Pool, as follows: Server: Defines the name of the Server that processes the job. Name: Defines the name of the Resource Pool that associated users can access. Access Level Browse: Enables associated users to view the Resource Pool. Update: Enables the associated users to add and edit the Resource Pool. Full: Enables the associated users to add, edit, and delete the Resource Pool.
Secrets	Grants access to specific Automation API Config secrets in the JSON with an access level for each secret, as follows: Secret Name: Defines the name of the secret that associated users can access. Access Level Browse: Enables associated users to view the API secret. Update: Enables associated users to add and edit the API secret. Full: Enables the associated users to add, edit, and delete the API secret. After you update the role, you must regenerate an API token to use the updated authorizations, as described in Creating an API Token.
Site Standards	Grants access to specific Site Standards with an access level for each Site Standard, as follows: Site Standard Name: Defines the name of the Site Standard that associated users can access. Access Level Browse: Enables associated users to view the Site Standard. Update: Enables associated users to add and edit the Site Standard. Full: Enables associated users to add, edit, and delete the Site Standard. Site Standard Policy Access Level: Grants access to specific Site Standard Policies with an authorization level for each Site Standard Policy, as follows: Browse: Enables associated users to view the Site Standard Policy. Update: Enables associated users to add and edit the Site Standard Policy. Full: Enables associated users to add, edit, and delete the Site Standard Policy.
SLA Management Reports	Grants access to SLA Management Reports, as follows: None: Disables associated user access to SLA Management Reports. Full: Enables associated users to add, edit, and delete SLA Management Reports.
User Views	Grants access to specific user views with an access level for each user view, as follows: User View Name: Defines the name of the user view that associated users can access. Access Level Browse: Enables associated users to view the user view. Update: Enables the associated users to add and edit the user view. Full: Enables the associated users to add, edit, and delete the user view.
Workload Policies	Grants access to specific Workload Policies with an access level for each Workload Policy, as follows: Workload Policy Name: Defines the name of the Workload Policy that associated users can access. Access Level Browse: Enables associated users to view the Workload Policy. Update: Enables associated users to add and edit the Workload Policy. Full: Enables associated users to add, edit, and delete the Workload Policy.
Configuration	Enables Administrators to delegate control to users to carry out specific administrative tasks on Agents, plug-ins A Control-M component that extends functionality to third-party applications like Hadoop or SAP and can be integrated with other jobs in a single workflow., and connection profiles A profile that contains the connection parameters to a specific plug-in, including the hostname, port, username, and password.. Users can create, configure, and monitor their resources, which eliminates the dependencies on the Control-M Administrators. The Control-M Administrators can restrict access and control to the users to their defined resources, without exposing other resources in the environment.
Admin Management	Grants associated users access to the following categories, as follows: Authorizations/Users & Roles: Enables associated users to apply authorizations on other users in Control-M/EM, as follows: None: Disables associated user access to view other users. Browse : Enables associated users to view other users. Update: Enables associated users to add and edit other users. Full: Enables associated users to delete other users. Configuration: Enables associated users to access Server, Server, Agent, and Agentless Host components, as follows: None: Disenables associated users to view components. Browse : Enables associated users to view components. Update: Enables associated users to add and edit components. Full: Enables associated users to delete components. Operation: Enables associated users access to authorized SSH known hosts, and enables users to start, stop, recycle, and ignore components, as follows: None: Disables associated user access to Operation actions. Update: Enables associated users to start, stop, recycle, and ignore components. Full: Enables associated users to start, stop, recycle, and ignore components. Security: Enables associated users access to SSH keys and Server users and roles, and enables users to create, edit, copy, export, test, and delete connection profiles fora plug-in, as follows: None: Disables associated user access to Security. Browse : Enables associated users to view Server users, roles, and connection profiles. Update: Enables associated users to add and edit Server users, roles, and connection profiles. Full: Enables associated users to delete Server users, roles, and connection profiles. If the access levels defined in Configuration and Security are higher than those defined in Agents, Agentless Hosts, or Host Groups, Plug-ins, and, Connection Profiles, the definitions in Admin Management take precedence, and vice versa.
Agents, Agentless Hosts, and Host Groups	Grants access to specific Agents, Agentless Hosts, and Host Groups, as follows: Server: Defines the name of the Server that is connected to the selected Agents, Agentless Hosts, or Host Groups. Tag: Defines a logical name that is used to label specific Agents, Agentless Hosts, or Host Groups with a specific access level. You can only define one tag per Agent, Agentless Host, or Host Group. Users can define their own tags with the * (asterisk) wildcard if they have the correct permissions. If users are assigned the Agent tag with the value Fin, they can define their own tag names when they install Agents, such as FinDev or FinOps. Access Level*s Browse: Enables associated users to view the Agents, Agentless Hosts, or Host Groups. Update: Enables associated users to install, recycle, ping, disable, and enable the Agents, Agentless Hosts, or Host Groups. Full: Enables associated users to edit and delete the Agents, Agentless Hosts, or Host Groups, in addition to the permissions granted in the Update access level.
Plug-ins	Grants access to specific plug-ins with an authorization level for each plug-in, as follows: Server: Defines the name of the Servers that are connected to the selected Agents. Agent Tag: Determines which Agent tags A logical name that is used to label specific Agents in a group that has a specific authorization level. associated users have access to. Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases. Access Level Browse: Enables associated users to view the plug-ins. Update: Enables associated users to view and edit the plug-ins. Full: Enables associated users to delete the plug-ins, in addition to the permissions granted in the Update access level.
Connection Profiles	Grants access to specific connection profiles with an access level for each connection profile, as follows: Server: Defines the name of the Servers that are connected to the selected Agents. Agent Tag: Determines which Agent tags A logical name that is used to label specific Agents in a group that has a specific authorization level. associated users have access to. Name: Determines which connection profiles associated users have access to. Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases. Access Level Browse: Enables associated users to view the connection profiles. Update: Enables associated users to view and edit the connection profiles. Full: Enables the associated users to create and delete connection profiles, in addition to the permissions granted in the Update access level.
Run as Definitions	Enables associated users to manage Run-as-User definitions, as follows: Server: Lists the name of the Server that the user is authorized to create Run as Users in Run as Users, as described in Adding a Run as User. Access Level: Browse: Enables associated users to view Run as Users. Update: Enables associated users to create and edit Run as Users. Full: Enables associated users to create, edit, and delete Run as Users.
Alerts	Determines whether to enables users to access alerts A notification about the status of a job or component that appears in the Alerts window. with one of the following access levels: Browse: Enables associated users to view alerts. Update: Enables associated users to update alerts. Full: Enables associated users to update alerts.