User and Role Authorizations

You can create new users and roles, which enable you to limit what a user is authorized to view or change. Users are granted permissions based on their associated role.

If Role_A is authorized to view and change Folder_A and Calendar_A, then all associated users that are assigned Role_A have the same type of access to those entities.

There are three predefined roles in Control-M, as follows:

Administrator: Enables full access to all functionality.
Team Leader: Enables partial access with the ability to manage permissions for each member of the team.
Viewer: Enables view access only.

To configure authentication for all Control-M users, BMC recommends that you perform these procedures, in the following order:

You can create internal users in Control-M. However, BMC recommends that you configure a connection to an Identity Provider (IdP). This enables you to authenticate multiple external users with one configuration, instead of creating individual internal users in Control-M. To connect Control-M to an IdP, see Configuring Authentication with an IdP. After an IdP is enabled, all users are authenticated via SAML 2.0. You can log in with SSO to Helix Control-M via the tenant URL.

If the IdP is down, users that are assigned to Administrator roles can still log in using an Emergency URL, which enables Emergency users access to Control-M. An Emergency user is any internal user that is associated with the Administrator role. BMC recommends that you bookmark or record the Emergency URL. If the IdP becomes unavailable, you will need this URL to log in to Control-M. To edit the list of existing Emergency users, you must disable the IdP configuration, as described in Updating Emergency Users. After it is disabled, users that are authenticated with the IdP cannot log in to Control-M. After you have updated the list of users and the IdP becomes available, re-enable IdP.

Before you delete a role, identify the Agent tagsA logical name that is used to label specific Agents in a group that has a specific authorization level. that are associated with the role. After you delete the role, you must delete any Agent tokensAn authorization entity, required during Agent installation, which enables you to connect the Agent to your Helix Control-M backend. that are associated with the Agent tags that you identified.

Adding a Role

This procedure describes how to create a role, which limits the associated users to specific authorizations and access levels.

Begin

From the icon, select Configuration.

The Configuration domain appears.
From the drop-down list, select Roles.

The Roles pane appears.
Click Add Role.

The Add Role pane appears.
In the General tab, do the following:
1. In the Role Name field, type a logical name for the role.
2. In the Description field, type a description for the role.
3. If you want this role to have access to Automation APIA set of programmatic interfaces that provides developers and DevOps engineers access to the capabilities of Helix Control-M within the modern application release process., select the Automation API Access checkbox.
4. Do one of the following:
  - To associate users in a specific organizational group in IdP , from the Associated with Organizational Groups drop-down list, select or search for the organizational groups in your IdP that you want to associate with this role.
    If the list is empty, you must manually add the names of the IdP groups: type the name of the group and click Add. The IdP group names are case sensitive and must appear exactly as they are in the IdP .
  - To explicitly associate a specific IdP user, regardless of the organizational group, from the Associated with Organizational Users drop-down list, select or search for the organizational user in your IdP that you want to associate with this role.
    If the list is empty, you must manually add the IdP user: type the name of the user and click Add. The IdP and LDAP user names are case sensitive and must appear exactly as they are in the IdP .
In the Access Control tab, select one or more of the checkboxes to give specific authorizations for this role, as described in Role Authorizations.
Click Add.

Creating an Internal User

This procedure describes how to add an internal user in Control-M. User authorizations are determined by the roles that are associated with the user.

Begin

From the icon, select Configuration.

The Configuration domain appears.
From the drop-down list, select Users.

The Users pane appears.
Click Add User.

The Add User pane appears.
In the Email field, type the email address of the new user.

A confirmation email is sent to the new user, with a link to Helix Control-M and a temporary password for first-time use. The password expires in seven days. If the password expires, you must delete and recreate the existing user.
In the Assigned Roles drop-list, select one or more existing roles to assign to this user.

Roles determine what the user has access to throughout Control-M. To create a role, see Adding a Role.
Click Add.

The new user appears in the Users pane.

Updating Emergency Users

This procedure describes how to update Emergency users in the event that IdP becomes unavailable (breaking glass procedure). This enables you and other Emergency users to continue working in Control-M. You can update the list of Emergency users to enable or disable specific users access to Control-M.

Begin

From the icon, select Configuration.

The Configuration domain appears.
From the drop-down list, select System Settings.

The System Settings pane appears.
From the Identity Provider (IdP) drop-down, clear the Enable SAML 2.0 checkbox.
Click Save.

You are now working in Emergency mode and all users authenticated via IdP cannot log in to Control-M. Emergency users can log in with the following URL:
Emergency URL: <tenant_name>-emergency
To add an Emergency user, assign the Admin role to the user, as described in Creating an Internal User.
Send the Emergency URL to all Emergency users.
After the IdP becomes available, check the Enable SAML 2.0 checkbox.

Role Authorizations

The following table describes authorizations that you can apply to a role. All associated users to this role inherit the selected authorizations.

Authorization	Description
Planning	Determines whether to allow access to specific folders, Run as UsersAn OS account name that is used to execute jobs on the host., or Named Pool variablesA type of variable that you create in one job and can reference in subsequent jobs with the same Pool parameter. A Named Pool is a logical grouping of variables..
Folders	Grants access to specific folders with an access level for each folder, as follows: Server: Defines the name of the Server that processes the job. Folder Name: Defines the name of the folder that associated users can access. You can define the folder name with a regular expression. Access Level Browse: Enables associated users to view folders. Update: Enables associated users to add and edit folders. Full: Enables associated users to add, edit, and delete folders. Run: Determines whether associated users can runA Control-M process that adds your job to the Run Queue of the day, according to automatic or manual scheduling, and which enables the job to execute after it fulfills its prerequisites. specific folders. This option is independent of the access levels. You can enable associated users to run folders on all access levels. This option also determines whether associated users can use the Run option in the Monitoring domain. This authorization also determines whether associated users are granted access to the Folder Management tool.
Run As	Enables associated users to use the listed run as users or pattern in job definitionsThe set of parameters that defines what the job does, when it runs, its prerequisites, and the post-processing actions Control-M performs after it ends (also called a job processing definition).. Server: Defines the name of the Server that processes the job. Run as Name or Pattern: Identifies the username with the authorization to execute the job. Agent or Host Group: Defines the name of the AgentA Control-M component installed on a host (computer) that runs and monitors the jobs on the host. computer or host group where the job is submitted.
Monitoring	Determines whether to allow access to specific jobs and servicesA set of workflows that serves a business purpose, and can be monitored as a single unit..
Job Permissions	Determines which of the following actions associated users can perform on all jobs or on specific jobs with a filter: Bypass Confirm Delete Documentation Edit JCL/Script Edit Job Settings To enable this permission, the role must have Run As authorizations. Free Job Settings Log Output HoldA job action that stops the job from executing or pauses a job that is currently executing. Kill Rerun Restore (Un-Delete) Set to OK Statistics Why To add a filter, which includes or excludes jobs, click Add a Filter from the Including Filters or Excluding Filters section, and then apply the required If statement. If you want to add another group of fields which, when met, can include more fields, even if the other group of fields do not meet the conditions, click Add Condition and then select Add And Condition or Add Or Condition.
Service Permissions	Grants associated users or groups of users access to view services, perform job actions, run, hold, and release services, as follows: Service Name or Pattern: Defines the name of the service that associated users can access Drill-Down to View Jobs: Enables associated users to view jobs inside a service.
Archived Viewpoints	Grants associated users access to Archived Viewpoints, as follows: None: Disables associated user access to Archived Viewpoints. Full: Enables associated users to add, edit, and delete Archived Viewpoints.
Tools	Determines whether to allow access to Application IntegratorA Control-M component that enables you to create a third-party business application integration (plug-in), and create custom job types that perform specialized tasks in your environment., CalendarsA reusable job schedule that you can apply to many jobs, which enables you to perform scheduling changes from a single location., EventsAn conditional entity that creates a sequential relationship between jobs by enabling the successor job to execute after the predecessor job has executed., Resource PoolsA type of quantifiable resource, which represents the total amount of resources from a physical or logical device that a job can access., Lock ResourcesA type of prerequisite that controls the flow of the workflow, which represents a physical or logical device that folders, sub-folders, or jobs can exclusively access or share., Site StandardsA set of rules that are relevant to your organization, are applied on the folder level, and determine how users must define folders and jobs., and User ViewsA customization of the Control-M interface, which enables users to view specific functionality only..
Application Integrator	Grants associated users access to Application Integrator, as follows: None: Disables associated user access to open Application Integrator. Browse: Enables associated users to view existing job types. Users cannot deploy, modify, or create new job types. Update: Enables associated users to deploy, modify, and create new job types. Users cannot undeploy. Full: Enables associated users to perform all actions.
Calendars	Grants access to specific calendars with an access level for each calendar, as follows: Server: Defines the name of the Server that processes the job. Calendar Name: Defines the name of the calendar that associated users can access. Browse: Enables associated users to view calendars. Update: Enables associated users to add and edit calendars. Full: Enables associated users to add, edit, and delete calendars.
Events	Grants access to specific events with an access level for each event, as follows: Server: Defines the name of the Server that processes the job. Event Name: Defines the name of the event that associated users can access. Browse: Enables associated users to view the event. Update: Enables associated users to add and edit the event. Full: Enables the associated users to add, edit, and delete the event.
History Reports	Grants access to History Reports, as follows: None: Disables associated user access to History Reports. Full: Enables associated users to add, edit, and delete History Reports.
Lock Resources	Grants access to specific Lock Resources with an access level for each Lock Resource, as follows: Server: Defines the name of the Server that processes the job. Name: Defines the name of the Lock Resource that associated users can access. Browse: Enables associated users to view the Lock Resource. Update: Enables associated users to add and edit the Lock Resource. Full: Enables the associated users to add, edit, and delete the Lock Resource.
(API Only) Pool Variables	Grants access to Named Pool variables using API commands, as follows: Server: Defines the name of the Server that processes the job. Variable Name: Defines the name of the Named Pool variable. Browse: Enables associated users to view the Named Pool variable. Update: Enables associated users to add and edit the Named Pool variable. Full: Enables associated users to add, edit, and delete the Named Pool variable.
Reports	Grants access to Reports, as follows: None: Disables associated user access to Reports. Full: Enables associated users to add, edit, and delete Reports
Resource Pools	Grants access to specific Resource Pools with an authorization level for each Resource Pool, as follows: Server: Defines the name of the Server that processes the job. Name: Defines the name of the Resource Pool that associated users can access. Browse: Enables associated users to view the Resource Pool. Update: Enables the associated users to add and edit the Resource Pool. Full: Enables the associated users to add, edit, and delete the Resource Pool.
Secrets	Grants access to specific Automation API Config secrets in the JSON with an access level for each secret, as follows: Secret Name: Defines the name of the secret that associated users can access. Browse: Enables associated users to view the API secret. Update: Enables associated users to add and edit the API secret. Full: Enables the associated users to add, edit, and delete the API secret. After you update the role, you must regenerate an API token to use the updated authorizations, as described in Creating an API Token.
Site Standards	Grants access to specific Site Standards with an access level for each Site Standard, as follows: Site Standard Name: Defines the name of the Site Standard that associated users can access. Browse: Enables associated users to view the Site Standard. Update: Enables associated users to add and edit the Site Standard. Full: Enables associated users to add, edit, and delete the Site Standard. Site Standard Policy Access Level: Grants access to specific Site Standard Policies with an authorization level for each Site Standard Policy, as follows: Browse: Enables associated users to view the Site Standard Policy. Update: Enables associated users to add and edit the Site Standard Policy. Full: Enables associated users to add, edit, and delete the Site Standard Policy.
SLA Management Reports	Grants access to SLA Management Reports, as follows: None: Disables associated user access to SLA Management Reports. Full: Enables associated users to add, edit, and delete SLA Management Reports.
User Views	Grants access to specific user views with an access level for each user view, as follows: User View Name: Defines the name of the user view that associated users can access. Browse: Enables associated users to view the user view. Update: Enables the associated users to add and edit the user view. Full: Enables the associated users to add, edit, and delete the user view.
Configuration	Enables Administrators to delegate control to users to carry out specific administrative tasks on Agents, plug-insA Control-M component that extends functionality to third-party applications like Hadoop or SAP and can be integrated with other jobs in a single workflow., and connection profilesA profile that contains the connection parameters to a specific plug-in, including the hostname, port, username, and password.. Users can create, configure, and monitor their resources, which eliminates the dependencies on the Control-M Administrators. The Control-M Administrators can restrict access and control to the users to their defined resources, without exposing other resources in the environment.
Agents, Remote Hosts, , and Host Groups	Grants access to specific Agents, Remote Hosts, , and Host Groups, as follows: Server: Defines the name of the Server that is connected to the selected Agents, Remote Hosts, , or Host Groups. Tag: Defines a logical name that is used to label specific Agents, Remote Hosts, , or Host Groups with a specific access level. You can only define one tag per Agent, Agentless Host, or Host Group. Users can define their own tags with the * (asterisk) wildcard if they have the correct permissions. If users are assigned the Agent tag with the value Fin*, they can define their own tag names when they install Agents, such as FinDev or FinOps. Browse: Enables associated users to view the Agents, Remote Hosts, , or Host Groups. Update: Enables associated users to install, recycle, ping, disable, and enable the Agents, Remote Hosts, , or Host Groups. Full: Enables associated users to edit and delete the Agents, Remote Hosts, , or Host Groups, in addition to the permissions granted in the Update access level.
Plug-ins	Grants access to specific plug-ins with an authorization level for each plug-in, as follows: Server: Defines the name of the Servers that are connected to the selected Agents. Agent Tag: Determines which Agent tags associated users have access to. Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases. Browse: Enables associated users to view the plug-ins. Update: Enables associated users to view and edit the plug-ins. Full: Enables associated users to delete the plug-ins, in addition to the permissions granted in the Update access level.
Connection Profiles	Grants access to specific connection profiles with an access level for each connection profile, as follows: Server: Defines the name of the Servers that are connected to the selected Agents. Name: Determines which connection profiles associated users have access to. Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases. Browse: Enables associated users to view the connection profiles. Update: Enables associated users to view and edit the connection profiles. Full: Enables the associated users to delete the plug-ins, in addition to the permissions granted in the Update access level.
Users and Roles	Grants associated users access to users and roles, as follows: Browse: Enables associated users to view users and roles. Update: Enables associated users to create and edit users and roles. Full: Enables associated users to create, edit, and delete users and roles. To generate new API tokensA user authentication token used when running Automation API commands. based on all available roles, API token management administration requires at least Browse access for users and roles.
Run as Definition	Grants associated users access to manage Run as User definitions, as follows: Server: Lists the name of the Server that the user is authorized to create Run as Users in Run as Users, as described in Adding a Run as User. Browse: Enables associated users to view Run as Users. Update: Enables associated users to create and edit Run as Users. Full: Enables associated users to create, edit, and delete Run as Users.
Admin Management	Grants associated users access to the following categories, as follows: Authorizations/Users & Roles: Grants associated users to apply authorizations on other users in Control-M/EM, as follows: None: Disables associated user access to view other users. Browse : Enables associated users to view other users. Update: Enables associated users to add and edit other users. Full: Enables associated users to delete other users. Configuration: Grants associated users access to Server, Server, and Agent components, as follows: None: Disables associated user access to view components. Browse : Enables associated users to view components. Update: Enables associated users to add and edit components. Full: Enables associated users to delete components. Operation: Grants associated users access to start, stop, recycle, and ignore components, as follows: None: Disables associated user access to Operation actions. Update: Enables associated users to start, stop, recycle, and ignore components. Full: Enables associated users to start, stop, recycle, and ignore components. Security: Grants associated users access to Server users and roles, as well create, edit, copy, export, test, and delete connection profiles fora plug-in, as follows: None: Disables associated user access to Security. Browse : Enables associated users to view Server users, roles, and connection profiles. Update: Enables associated users to add and edit Server users, roles, and connection profiles. Full: Enables associated users to delete Server users, roles, and connection profiles. If the access levels defined in Configuration and Security are higher than those defined in Agents, Remote Hosts, , or Host Groups, Plug-ins, and, Connection Profiles, the definitions in Admin Management take precedence, and vice versa.
Advanced Admin Authorizations	Grants associated users full permissions to access Agents, connection profiles, plug-ins, Host Groups, System Settings, and API Token Management. To enable access to API Token Management, you must verify that the Automation API Access checkbox is selected in the General tab. If the Automation API Access checkbox is selected and this option is disabled, associated users can only view their own API Tokens. If both options are enabled, associated users can view their own API tokens, and view and delete API tokens that were created by other users. They can also generate new tokens with different role authorizations.
Alerts	Determines whether to allow access to alertsA notification about the status of a job or component that appears in the Alerts window. with one of the following access levels: Browse: Enables associated users to view alerts. Update: Enables associated users to update alerts. Full: Enables associated users to update alerts.