User and Role Authorizations

You can create new users and roles, which enable you to limit what a user is authorized to view or change. Users are granted permissions based on their associated role.

If Role_A is authorized to view and change Folder_A and Calendar_A, then all associated users that are assigned Role_A have the same type of access to those entities.

There are three predefined roles in Control-M, as follows:

Admin: Enables full access to all functionality.
TeamLeader: Enables partial access with the ability to manage permissions for each member of the team.
Viewer: Enables view access only.

To configure authentication for all Control-M users, BMC recommends that you perform these procedures, in the following order:

Identity Provider (IdP)AuthenticationLink copied to clipboard

You can create internal users in Control-M. However, BMC recommends that you configure a connection to an Identity Provider (IdP) . This enables you to authenticate multiple external users with one configuration, instead of creating individual internal users in Control-M. To connect Control-M to an IdP, see Configuring System Settings. After an IdP is enabled, all users are authenticated via SAML 2.0. You can log in with SSO to Control-M SaaS via the tenant URL.

IDP and

If the IdP is down, users that are assigned to Administrator roles can still log in using an Emergency URL, which enables Emergency users access to Control-M. An Emergency user is any internal user that is associated with the Administrator role. BMC recommends that you bookmark or record the Emergency URL. If the IdP becomes unavailable, you will need this URL to log in to Control-M. To edit the list of existing Emergency users, you must disable the IdP configuration, as described in Updating Emergency Users. After it is disabled, users that are authenticated with the IdP cannot log in to Control-M. After you have updated the list of users and the IdP becomes available, re-enable IdP.

Before you delete a role, identify the Agent tags that are associated with the role. After you delete the role, you must delete any Agent tokens that are associated with the Agent tags that you identified.

Adding a RoleLink copied to clipboard

This procedure describes how to create a role, which limits the associated users to specific authorizations and access levels.

Begin

From the icon, select Configuration.

The Configuration domain opens.
From the drop-down list, select Roles.

The Roles tab appears.
Click Add Role.

The Add Role dialog box appears.
In the Role Details tab in the Add Role dialog box, do the following:
1. In the Role Name field, type a logical name for the role.
2. (Optional) In the Description field, type a description for the role.
3. Select the Automation API Access checkbox to grant this role access to Automation API.
4. Do one of the following:
  - To associate users in a specific organizational group in IdP , from the Associated with Organizational Groups drop-down list, select or search for the organizational groups in your IdP that you want to associate with this role.
    If the list is empty, you must manually add the names of the IdP groups: type the name of the group and click Add. The IdP group names are case sensitive and must appear exactly as they are in the IdP .
  - To explicitly associate a specific IdP user, regardless of the organizational group, from the Associated with Organizational Users drop-down list, select or search for the organizational user in your IdP that you want to associate with this role.
    If the list is empty, you must manually add the IdP user: type the name of the user and click Add. The IdP and LDAP user names are case sensitive and must appear exactly as they are in the IdP .
In the Access Control area, click on each tab to define the specific authorizations for this role, as described in Role Authorizations.
Click Save.

Creating an Internal UserLink copied to clipboard

This procedure describes how to add an internal user in Control-M. User authorizations are determined by the roles that are associated with the user.

Begin

From the icon, select Configuration.

The Configuration domain opens.
From the drop-down list, select Users.

The Users tab appears.
Click Add User.

The Add User dialog box appears.
In the Email field, type the email address of the new user.

A confirmation email is sent to the new user, with a link to Control-M SaaS and a temporary password for first-time use. The password expires in seven days. If the password expires, you must delete and recreate the existing user.
In the Assigned Roles drop-list, select one or more existing roles to assign to this user.

Roles determine what the user has access to throughout Control-M. To create a role, see Adding a Role.
Click Add.

The new user appears in the Users tab.

Updating Emergency UsersLink copied to clipboard

This procedure describes how to update Emergency users in the event that IdP becomes unavailable (breaking glass procedure). This enables you and other Emergency users to continue working in Control-M. You can update the list of Emergency users to enable or disable specific users access to Control-M.

Begin

From the icon, select Configuration.

The Configuration domain opens.
From the drop-down list, select System Settings.

The System Settings pane appears.
From the Identity Provider (IdP) drop-down, clear the Enable SAML 2.0 checkbox.
Click Save.

You are now working in Emergency mode and all users authenticated via IdP cannot log in to Control-M. Emergency users can log in with the following URL:
Emergency URL: <tenant_name>-emergency
To add an Emergency user, assign the Admin role to the user, as described in Creating an Internal User.
Send the Emergency URL to all Emergency users.
After the IdP becomes available, check the Enable SAML 2.0 checkbox.

Role AuthorizationsLink copied to clipboard

All users that are associated with a role inherit defined role authorizations. The following topics describe role authorizations that you can apply in the Add Role dialog box:

Planning
Monitoring
Tools
Configuration
Alerts

PlanningLink copied to clipboard

The following table describes Planning domain authorizations that determine whether access is granted to specific folders and jobs, Run as Users, connection profiles, or Named Pool variables.

Authorization	Description
Folders	Defines access levels for specific folders , as follows: Folder Permissions Control-M/Server: Defines the name of the Control-M/Server that processes the job. Library (z/OS): Defines the name of the library that contains the folder for the job. Folder Name: Defines the name of the folder that associated users can access. You can define the folder name with a regular expression. Access Level Browse: Enables associated users to view folders. Update: Enables associated users to add and edit folders. Full: Enables associated users to add, edit, and delete folders. Run: Determines whether associated users can run specific folders. This option is independent of the access levels. You can enable associated users to run folders on all access levels. This option also determines whether associated users can use the Run option in the Monitoring domain. Job Permissions: Determines whether to enable associated user access to jobs in a specific folder, based on the user-defined Application, Sub-application, and access level. Access Level Browse: Enables associated users to view jobs. Update: Enables associated users to add and edit jobs. Full: Enables associated users to add, edit, and delete jobs. This authorization also determines whether associated users are granted access to the Folder Management tool.
Run As	Defines access to specific Run as Users or centralized connection profiles in job definitions. Control-M/Server: Defines the Control-M/Servers that associated users can use to run jobs. Run as Name or Pattern: Defines the Run as Users or centralized connection profiles that associated users can use to run jobs. Wildcards are supported, as described in Pattern-Matching Strings. Single-host Control-M MFT connection profiles must be written to allow file transfers to and from the endpoint. Run as User: Operations_* MFT Connection Profile via Two Single Endpoints: CP_Accounts+CP_Engineering,CP_Engineering+CP_Accounts For more information, see Defining a File Transfer Job. Agent or Host Group: Defines the name of the Agent computer or host group where the job is submitted.

Authorization

Description

Folders

Defines access levels for specific folders , as follows:

Folder Permissions

Control-M/Server: Defines the name of the Control-M/Server that processes the job.
Library (z/OS): Defines the name of the library that contains the folder for the job.
Folder Name: Defines the name of the folder that associated users can access.

You can define the folder name with a regular expression.
Access Level
- Browse: Enables associated users to view folders.
- Update: Enables associated users to add and edit folders.
- Full: Enables associated users to add, edit, and delete folders.
Run: Determines whether associated users can run specific folders. This option is independent of the access levels. You can enable associated users to run folders on all access levels.

This option also determines whether associated users can use the Run option in the Monitoring domain.

Job Permissions: Determines whether to enable associated user access to jobs in a specific folder, based on the user-defined Application, Sub-application, and access level.

Access Level
- Browse: Enables associated users to view jobs.
- Update: Enables associated users to add and edit jobs.
- Full: Enables associated users to add, edit, and delete jobs.

This authorization also determines whether associated users are granted access to the Folder Management tool.

Run As

Defines access to specific Run as Users or centralized connection profiles in job definitions.

Control-M/Server: Defines the Control-M/Servers that associated users can use to run jobs.
Run as Name or Pattern: Defines the Run as Users or centralized connection profiles that associated users can use to run jobs. Wildcards are supported, as described in Pattern-Matching Strings.

Single-host Control-M MFT connection profiles must be written to allow file transfers to and from the endpoint.
- Run as User: Operations_*
- MFT Connection Profile via Two Single Endpoints: CP_Accounts*+CP_Engineering*,CP_Engineering*+CP_Accounts*
  
  For more information, see Defining a File Transfer Job.
Agent or Host Group: Defines the name of the Agent computer or host group where the job is submitted.

MonitoringLink copied to clipboard

The following table describes Monitoring domain authorizations that determine whether access is granted to specific jobs, , and historical (archived) viewpoints.


Job Permissions	Determines the accessibility of the following actions and views: Actions: Associated users can perform any of the following actions when they are selected: Bypass Confirm Delete Edit JCL/Script Edit Jobs Settings To enable this permission, the role must have Run As authorizations. Free Hold Kill (z/OS only) React Rerun (z/OS only) Restart Restore (Un-Delete) Set to OK View: Associated users can perform any of the following actions when they are selected: Documentation JCL/Script Job Settings Log Output Statistics Why You can apply one or more Including Filters and Excluding Filters to grant or remove role access to jobs based on the job attributes, operators, and values that you define, as follows: If <Job Attribute> <Operator> <Value> Including Filters with an Or Condition If Run As Contains Billing Or If Host/Host Groups Exactly Accounts-Agent This including filter grants the role access to jobs when they run on the Accounts-Agent or when their Run As name contains the string Billing.
Historical (Archived) Viewpoints	Determines one of the following historical (archived) viewpoints access levels: None: Disables associated user access to historical viewpoints. Full: Enables associated users to add, edit, and delete historical viewpoints.

Job Permissions

Determines the accessibility of the following actions and views:

Actions: Associated users can perform any of the following actions when they are selected:
- Bypass
- Confirm
- Delete
- Edit JCL/Script
- Edit Jobs Settings
  
  To enable this permission, the role must have Run As authorizations.
- Free
- Hold
- Kill
- (z/OS only) React
- Rerun
- (z/OS only) Restart
- Restore (Un-Delete)
- Set to OK
View: Associated users can perform any of the following actions when they are selected:
- Documentation
- JCL/Script
- Job Settings
- Log
- Output
- Statistics
- Why

You can apply one or more Including Filters and Excluding Filters to grant or remove role access to jobs based on the job attributes, operators, and values that you define, as follows:

If <Job Attribute> <Operator> <Value>

Including Filters with an Or Condition

If Run As Contains Billing

Or
If Host/Host Groups Exactly Accounts-Agent

This including filter grants the role access to jobs when they run on the Accounts-Agent or when their Run As name contains the string Billing.

Historical (Archived) Viewpoints

Determines one of the following historical (archived) viewpoints access levels:

None: Disables associated user access to historical viewpoints.
Full: Enables associated users to add, edit, and delete historical viewpoints.

ToolsLink copied to clipboard

The following table describes Tools authorizations that determine whether access is granted to Application Integrator, Calendars, Events, Global Events, Resource Pools, Lock Resources, Workload Policies, Site Standards, and User Views.

Authorization	Description
Application Integrator	Determines one of the following access levels for Application Integrator: None: Disables associated user access to open Application Integrator. Browse: Enables associated users to view existing job types and deploy jobs. Users cannot create new job types or modify existing job types. Update: Enables associated users to deploy, modify, and create new job types. Users cannot undeploy. Full: Enables associated users to perform all actions.
Calendars	Defines access levels for specific calendars, as follows: Control-M/Server: Defines the name of the Control-M/Server that processes the job. Calendar Name: Defines the name of the calendar that associated users can access. Access Level Browse: Enables associated users to view calendars. Update: Enables associated users to add and edit calendars. Full: Enables associated users to add, edit, and delete calendars.
Events	Defines access levels for specific events, with an access level for each event, as follows: Control-M/Server: Defines the name of the Control-M/Server that processes the job. Event Name: Defines the name of the event that associated users can access. Access Level Browse: Enables associated users to view the event. Update: Enables associated users to add and edit the event. Full: Enables the associated users to add, edit, and delete the event.
Folders	See Folders .
Global Events	Defines access levels for specific global events, with an access level for each global event, as follows: Prefix: Defines the name of the global event prefix that the user has access to. Access Level Browse: Enables associated users to view global events. Update: Enables associated users to add and edit global events. Full: Enables associated users to add, edit, and delete global events.
History Reports	Determines one of the following access levels to History Reports: None: Disables associated user access to History Reports. Full: Enables associated users to add, edit, and delete History Reports.
Lock Resources	Defines access levels for specific Lock Resources, with an access level for each Lock Resource, as follows: Control-M/Server: Defines the name of the Control-M/Server that processes the job. Name: Defines the name of the Lock Resource that associated users can access. Access Level Browse: Enables associated users to view the Lock Resource. Update: Enables associated users to add and edit the Lock Resource. Full: Enables the associated users to add, edit, and delete the Lock Resource.
Pool Variables (API only)	Defines access levels to Named Pool variables via Control-M Automation API commands, as follows: Control-M/Server: Defines the name of the Control-M/Server that processes the job. Variable Name: Defines the name of the Named Pool variable. Access Level Browse: Enables associated users to view the Named Pool variable. Update: Enables associated users to add and edit the Named Pool variable. Full: Enables associated users to add, edit, and delete the Named Pool variable.
Reports	Determines one of the following access levels to Reports: None: Disables associated user access to Reports. Full: Enables associated users to add, edit, and delete Reports.
Resource Pools	Defines access levels for specific Resource Pools, with an authorization level for each Resource Pool: Control-M/Server: Defines the name of the Control-M/Server that processes the job. Name: Defines the name of the Resource Pool that associated users can access. Access Level Browse: Enables associated users to view the Resource Pool. Update: Enables the associated users to add and edit the Resource Pool. Full: Enables the associated users to add, edit, and delete the Resource Pool.
Secrets	Defines access levels to specific Automation API Config secrets in the JSON, with an access level for each secret, as follows: Secret Name: Defines the name of the secret that associated users can access. Access Level Browse: Enables associated users to view the API secret. Update: Enables associated users to add and edit the API secret. Full: Enables the associated users to add, edit, and delete the API secret. After you update the role, you must regenerate an API token to use the updated authorizations, as described in Creating an API Token.
Site Standards	Defines access levels to specific Site Standards, with an access level for each Site Standard, as follows: Site Standard Name: Defines the name of the Site Standard that associated users can access. Access Level Browse: Enables associated users to view the Site Standard. Update: Enables associated users to add and edit the Site Standard. Full: Enables associated users to add, edit, and delete the Site Standard. Site Standard Policy Access Level: Determines one of the following access levels for a specific or pattern-matching Site Standard Policy name: Browse: Enables associated users to view the Site Standard Policy. Update: Enables associated users to add and edit the Site Standard Policy. Full: Enables associated users to add, edit, and delete the Site Standard Policy.
SLA Management Reports	Determines one of the following access levels to SLA Management Reports: None: Disables associated user access to SLA Management Reports. Full: Enables associated users to add, edit, and delete SLA Management Reports.
User Views	Defines access levels to specific user views, with an access level for each user view, as follows: User View Name: Defines the name of the user view that associated users can access. Access Level Browse: Enables associated users to view the user view. Update: Enables the associated users to add and edit the user view. Full: Enables the associated users to add, edit, and delete the user view.
Workload Policies	Defines access levels to specific Workload Policies, with an access level for each Workload Policy, as follows: Workload Policy Name: Defines the name of the Workload Policy that associated users can access. Access Level Browse: Enables associated users to view the Workload Policy. Update: Enables associated users to add and edit the Workload Policy. Full: Enables associated users to add, edit, and delete the Workload Policy.

ConfigurationLink copied to clipboard

The following table describes Configuration domain authorizations, which enable Administrators to delegate control to users and enable them to perform specific administrative tasks on Agents, plug-ins, connection profiles, and Run as User definitions. Users can create, configure, and monitor their resources, which eliminates dependencies on the Control-M Administrators. Control-M Administrators can restrict user access and control over their defined resources and hide other resources in the environment.

Authorization	Description
Admin Management	Defines access levels to the following Administrator management categories: Authorizations/Users & Roles: Enables associated users to access other user authorization settings in Control-M/EM, as follows: None: Disables associated user access to view other users. Browse : Enables associated users to view other users. Update: Enables associated users to add and edit other users. Full: Enables associated users to delete other users. Configuration: Enables associated users to access Control-M/EM, Control-M/Server, Agent, and Agentless Host components, and notification destinations, as follows: None: Disenables associated users to view components. Browse : Enables associated users to view components and notification destinations. Update: Enables associated users to add and edit components and view notification destinations. Full: Enables associated users to and delete components and manage notification destinations. Operation: Enables associated users to access authorized SSH known hosts, and enables users to start, stop, recycle, and ignore components, as follows: None: Disables associated user access to Operation actions. Update: Enables associated users to start, stop, recycle, and ignore components. Full: Enables associated users to start, stop, recycle, and ignore components. Security: Enables associated users to access SSH keys and Control-M/Server users and roles, and enables users to create, edit, copy, export, test, and delete plug-in connection profiles, as follows: None: Disables associated user access to Security. Browse : Enables associated users to view Control-M/Server users, roles, and connection profiles. Update: Enables associated users to add and edit Control-M/Server users, roles, and test connection profiles. Full: Enables associated users to do the following: Delete Control-M/Server users and roles. Add, edit, delete, and duplicate centralized connection profiles, and edit and delete local connection profiles. If the access levels defined in Configuration and Security are higher than those defined in Agents, Agentless Hosts, or Host Groups, Plug-ins, and, Connection Profiles, the definitions in Admin Management take precedence, and vice versa.
Agents, Agentless Hosts, and Host Groups	Defines access levels to specific Agents, Agentless Hosts, and Host Groups, as follows: Control-M/Server: Defines the name of the Control-M/Server that is connected to the selected Agents, Agentless Hosts, or Host Groups. Tag: Defines a logical name that is used to label specific Agents, Agentless Hosts, or Host Groups with a specific access level. You can only define one tag per Agent, Agentless Host, or Host Group. Users can define their own tags with the * (asterisk) wildcard if they have the correct permissions. If users are assigned the Agent tag with the value Fin, they can define their own tag names when they install Agents, such as FinDev or FinOps. Access Level* Browse: Enables associated users to view the Agents, Agentless Hosts, or Host Groups. Update: Enables associated users to install, recycle, ping, disable, and enable the Agents, Agentless Hosts, or Host Groups. Full: Enables associated users to edit and delete the Agents, Agentless Hosts, or Host Groups, in addition to the permissions granted in the Update access level.
Plug-ins	Defines access levels to specific plug-ins, with an authorization level for each plug-in, as follows: Control-M/Server: Defines the name of the Control-M/Servers that are connected to the selected Agents. Agent Tag: Determines which Agent tags associated users have access to. Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases. Access Level Browse: Enables associated users to view the plug-ins. Update: Enables associated users to view and edit the plug-ins. Full: Enables associated users to delete the plug-ins, in addition to the permissions granted in the Update access level.
Connection Profiles	Defines access levels to specific local and centralized connection profiles in the Configuration domain, with an access level for each connection profile, as follows: Control-M/Server: Defines the name of the Control-M/Servers that are connected to the selected Agents. To define access levels for centralized connection profiles, select All from the Control-M/Server drop-down list and type * in the Agent Tag field. Agent Tag: Determines which Agent tags associated users have access to. Name: Determines which connection profiles associated users have access to. Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases. Access Level Browse: Enables associated users to view the connection profiles. Update: Enables associated users to test the connection profiles. Full: Enables associated users to do the following: Create, delete, edit, and duplicate centralized connection profiles. Edit and delete local connection profiles.
Run as Definitions	Defines access levels to Run as User definition management, as follows: Server: Defines the name of the Control-M/Server that the user is authorized to create Run as Users in Run as Users, as described in Adding a Run as User. Access Level: Browse: Enables associated users to view Run as Users. Update: Enables associated users to create and edit Run as Users. Full: Enables associated users to create, edit, and delete Run as Users.

AlertsLink copied to clipboard

The following Alerts authorizations determine the type of access level granted to users associated with this role:

None: Disables associated user access to the Alerts tool.
Browse: Enables associated users to view alerts.
Update: Enables associated users to update alerts.
Full: Enables associated users to update alerts.