User and Role Authorizations

You can create new users and roles, which enable you to limit what a user is authorized to view or change. Users are granted permissions based on their associated role.

If Role_A is authorized to view and change Folder_A and Calendar_A, then all associated users that are assigned Role_A have the same type of access to those entities.

There are three predefined roles in Control-M, as follows:

  • Administrator: Enables full access to all functionality.

  • Team Leader: Enables partial access with the ability to manage permissions for each member of the team.

  • Viewer: Enables view access only.

To configure authentication for all Control-M users, BMC recommends that you perform these procedures, in the following order:

  1. Adding a Role
  2. Creating an Internal User
  3. Defining System Settings

You can create internal users in Control-M. However, BMC recommends that you configure a connection to an Identity Provider (IdP) . This enables you to authenticate multiple external users with one configuration, instead of creating individual internal users in Control-M. To connect Control-M to an IdP, see Defining System Settings. After an IdP is enabled, all users are authenticated via SAML 2.0. You can log in with SSO to Helix Control-M via the tenant URL.

If the IdP is down, users that are assigned to Administrator roles can still log in using an Emergency URL, which enables Emergency users access to Control-M. An Emergency user is any internal user that is associated with the Administrator role. BMC recommends that you bookmark or record the Emergency URL. If the IdP becomes unavailable, you will need this URL to log in to Control-M. To edit the list of existing Emergency users, you must disable the IdP configuration, as described in Updating Emergency Users. After it is disabled, users that are authenticated with the IdP cannot log in to Control-M. After you have updated the list of users and the IdP becomes available, re-enable IdP.

Before you delete a role, identify the Agent tagsClosed A logical name that is used to label specific Agents in a group that has a specific authorization level. that are associated with the role. After you delete the role, you must delete any Agent tokensClosed An authorization entity, required during Agent installation, which enables you to connect the Agent to your Helix Control-M backend. that are associated with the Agent tags that you identified.

Adding a Role

This procedure describes how to create a role, which limits the associated users to specific authorizations and access levels.

Begin

  1. From the icon, select Configuration.

    The Configuration domain opens.

  2. From the drop-down list, select Roles.

    The Roles tab appears.

  3. Click Add Role.

    The Add Role dialog box appears.

  4. In the Role Details tab in the Add Role dialog box, do the following:
    1. In the Role Name field, type a logical name for the role.

    2. (Optional) In the Description field, type a description for the role.

    3. Select the Automation API Access checkbox to grant this role access to Automation APIClosed A set of programmatic interfaces that provides developers and DevOps engineers access to the capabilities of Helix Control-M within the modern application release process..

    4. Do one of the following:

      • To associate users in a specific organizational group in IdP , from the Associated with Organizational Groups drop-down list, select or search for the organizational groups in your IdP that you want to associate with this role.

        If the list is empty, you must manually add the names of the IdP groups: type the name of the group and click Add. The IdP group names are case sensitive and must appear exactly as they are in the IdP .

      • To explicitly associate a specific IdP user, regardless of the organizational group, from the Associated with Organizational Users drop-down list, select or search for the organizational user in your IdP that you want to associate with this role.

        If the list is empty, you must manually add the IdP user: type the name of the user and click Add. The IdP and LDAP user names are case sensitive and must appear exactly as they are in the IdP .

  5. In the Access Control area, click on each tab to define the specific authorizations for this role, as described in Role Authorizations.

  6. Click Save.

Creating an Internal User

This procedure describes how to add an internal user in Control-M. User authorizations are determined by the roles that are associated with the user.

Begin

  1. From the icon, select Configuration.

    The Configuration domain opens.

  2. From the drop-down list, select Users.

    The Users tab appears.

  3. Click Add User.

    The Add User dialog box appears.

  4. In the Email field, type the email address of the new user.

    A confirmation email is sent to the new user, with a link to Helix Control-M and a temporary password for first-time use. The password expires in seven days. If the password expires, you must delete and recreate the existing user.

  5. In the Assigned Roles drop-list, select one or more existing roles to assign to this user.

    Roles determine what the user has access to throughout Control-M. To create a role, see Adding a Role.

  6. Click Add.

    The new user appears in the Users tab.

Updating Emergency Users

This procedure describes how to update Emergency users in the event that IdP becomes unavailable (breaking glass procedure). This enables you and other Emergency users to continue working in Control-M. You can update the list of Emergency users to enable or disable specific users access to Control-M.

Begin

  1. From the icon, select Configuration.

    The Configuration domain opens.

  2. From the drop-down list, select System Settings.

    The System Settings pane appears.

  3. From the Identity Provider (IdP) drop-down, clear the Enable SAML 2.0 checkbox.

  4. Click Save.

    You are now working in Emergency mode and all users authenticated via IdP cannot log in to Control-M. Emergency users can log in with the following URL:
    Emergency URL: <tenant_name>-emergency

  5. To add an Emergency user, assign the Admin role to the user, as described in Creating an Internal User.

  6. Send the Emergency URL to all Emergency users.
  7. After the IdP becomes available, check the Enable SAML 2.0 checkbox.

Role Authorizations

All users that are associated with a role inherit defined role authorizations. The following topics describe role authorizations that you can apply in the Add Role dialog box:

Planning

The following table describes Planning domain authorizations that determine whether access is granted to specific folders and jobs, Run as UsersClosed An OS account name that is used to execute jobs on the host., connection profilesClosed A profile that contains the connection parameters to a specific plug-in, including the hostname, port, username, and password., or Named Pool variablesClosed A type of variable that you create in one job and can reference in subsequent jobs with the same Pool parameter. A Named Pool is a logical grouping of variables..

Authorization

Description

Folders

Defines access levels for specific folders , as follows:

Folder Permissions

Job Permissions: Determines whether to enable authorizations on jobs in a specific folder, based on the Application and Sub-application criteria and according to the defined access level.

This authorization also determines whether associated users are granted access to the Folder Management tool.

Run As

Defines access to specific Run as UsersClosed An OS account name that is used to execute jobs on the host. or centralized connection profilesClosed A profile that contains the connection parameters to a specific plug-in, including the hostname, port, username, and password. in job definitionsClosed The set of parameters that defines what the job does, when it runs, its prerequisites, and the post-processing actions that Control-M performs after the job completes execution..

  • Control-M/Server: Defines the Control-M/Servers that associated users can use to run jobs.

  • Run as Name or Pattern: Defines the Run as Users or centralized connection profiles that associated users can use to run jobs. Wildcards are supported, as described in Pattern-Matching Strings.

    Single-host Control-M MFT connection profiles must be written to allow file transfers to and from the endpoint.

    • Run as User: Operations_*

    • MFT Connection Profile via Two Single Endpoints: CP_Accounts*+CP_Engineering*,CP_Engineering*+CP_Accounts*

      For more information, see Defining a File Transfer Job.

  • Agent or Host Group: Defines the name of the AgentClosed A Control-M component installed on a host (computer) that runs and monitors the jobs on the host. computer or host group where the job is submitted.

Monitoring

The following table describes Monitoring domain authorizations that determine whether access is granted to specific jobs, , and Historical (Archived) Viewpoints.

 

 

Job Permissions

Determines the accessibility of the following actions and views:

  • Actions: Associated users can perform any of the following actions when they are selected:

  • View: Associated users can perform any of the following actions when they are selected:

    • Documentation

    • JCL/Script

    • Job Settings

    • Log

    • Output

    • Statistics

    • Why

You can apply one or more Including Filters and Excluding Filters to grant or remove role access to jobs based on the job attributes, operators, and values that you define, as follows:

If <Job Attribute> <Operator> <Value>

Including Filters with an Or Condition

  • If Run As Contains Billing

    Or

  • If Host/Host Groups Exactly Accounts-Agent

This including filter grants the role access to jobs when they run on the Accounts-Agent or when their Run As name contains the string Billing.

Historical (Archived) Viewpoints

Determines one of the following Historical (Archived) Viewpoints access levels:

  • None: Disables associated user access to Historical Viewpoints.

  • Full: Enables associated users to add, edit, and delete Historical Viewpoints.

Tools

The following table describes Tools authorizations that determine whether access is granted to Application IntegratorClosed A Control-M component that enables you to create a third-party business application integration (plug-in), and create custom job types that perform specialized tasks in your environment., CalendarsClosed A reusable job schedule that you can apply to many jobs, which enables you to perform scheduling changes from a single location., EventsClosed An conditional entity that creates a sequential relationship between jobs by enabling the successor job to execute after the predecessor job has executed., Global Events, Resource PoolsClosed A type of quantifiable resource, which represents the total amount of resources from a physical or logical device that a job can access., Lock ResourcesClosed A type of prerequisite that controls the flow of the workflow, which represents a physical or logical device that folders, sub-folders, or jobs can exclusively access or share., Workload Policies, Site StandardsClosed A set of rules that are relevant to your organization, are applied on the folder level, and determine how users must define folders and jobs., and User ViewsClosed A customization of the Control-M interface, which enables users to view specific functionality only..

Authorization

Description

Application Integrator

Determines one of the following access levels for Application Integrator:

  • None: Disables associated user access to open Application Integrator.

  • Browse: Enables associated users to view existing job types. Users cannot deploy, modify, or create new job types.

  • Update: Enables associated users to deploy, modify, and create new job types. Users cannot undeploy.

  • Full: Enables associated users to perform all actions.

Calendars

Defines access levels for specific calendars, as follows:

  • Server: Defines the name of the Server that processes the job.

  • Calendar Name: Defines the name of the calendar that associated users can access.

  • Access Level

    • Browse: Enables associated users to view calendars.

    • Update: Enables associated users to add and edit calendars.

    • Full: Enables associated users to add, edit, and delete calendars.

Events

Defines access levels for specific events, with an access level for each event, as follows:

  • Server: Defines the name of the Server that processes the job.

  • Event Name: Defines the name of the event that associated users can access.

  • Access Level
    • Browse: Enables associated users to view the event.

    • Update: Enables associated users to add and edit the event.

    • Full: Enables the associated users to add, edit, and delete the event.

Folders

See Folders .

Global Events

Defines access levels for specific global events, with an access level for each global event, as follows:

  • Prefix: Defines the name of the global event prefix that the user has access to.

  • Access Level

    • Browse: Enables associated users to view global events.

    • Update: Enables associated users to add and edit global events.

    • Full: Enables associated users to add, edit, and delete global events.

History Reports

Determines one of the following access levels to History Reports:

  • None: Disables associated user access to History Reports.

  • Full: Enables associated users to add, edit, and delete History Reports.

Lock Resources

Defines access levels for specific Lock Resources, with an access level for each Lock Resource, as follows:

  • Server: Defines the name of the Server that processes the job.

  • Name: Defines the name of the Lock Resource that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the Lock Resource.

    • Update: Enables associated users to add and edit the Lock Resource.

    • Full: Enables the associated users to add, edit, and delete the Lock Resource.

Pool Variables (API only)

Defines access levels to Named Pool variables via Control-M Automation API commands, as follows:

  • Server: Defines the name of the Server that processes the job.

  • Variable Name: Defines the name of the Named Pool variable.

  • Access Level

    • Browse: Enables associated users to view the Named Pool variable.

    • Update: Enables associated users to add and edit the Named Pool variable.

    • Full: Enables associated users to add, edit, and delete the Named Pool variable.

Reports

Determines one of the following access levels to Reports:

  • None: Disables associated user access to Reports.

  • Full: Enables associated users to add, edit, and delete Reports.

Resource Pools

Defines access levels for specific Resource Pools, with an authorization level for each Resource Pool:

  • Server: Defines the name of the Server that processes the job.

  • Name: Defines the name of the Resource Pool that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the Resource Pool.

    • Update: Enables the associated users to add and edit the Resource Pool.

    • Full: Enables the associated users to add, edit, and delete the Resource Pool.

Secrets

Defines access levels to specific Automation API Config secrets in the JSON, with an access level for each secret, as follows:

  • Secret Name: Defines the name of the secret that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the API secret.

    • Update: Enables associated users to add and edit the API secret.

    • Full: Enables the associated users to add, edit, and delete the API secret.

After you update the role, you must regenerate an API token to use the updated authorizations, as described in Creating an API Token.

Site Standards

Defines access levels to specific Site Standards, with an access level for each Site Standard, as follows:

  • Site Standard Name: Defines the name of the Site Standard that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the Site Standard.

    • Update: Enables associated users to add and edit the Site Standard.

    • Full: Enables associated users to add, edit, and delete the Site Standard.

  • Site Standard Policy Access Level: Determines one of the following access levels for a specific or pattern-matching Site Standard Policy name:

    • Browse: Enables associated users to view the Site Standard Policy.
    • Update: Enables associated users to add and edit the Site Standard Policy.
    • Full: Enables associated users to add, edit, and delete the Site Standard Policy.

SLA Management Reports

Determines one of the following access levels to SLA Management Reports:

  • None: Disables associated user access to SLA Management Reports.

  • Full: Enables associated users to add, edit, and delete SLA Management Reports.

User Views

Defines access levels to specific user views, with an access level for each user view, as follows:

  • User View Name: Defines the name of the user view that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the user view.

    • Update: Enables the associated users to add and edit the user view.

    • Full: Enables the associated users to add, edit, and delete the user view.

Workload Policies

Defines access levels to specific Workload Policies, with an access level for each Workload Policy, as follows:

  • Workload Policy Name: Defines the name of the Workload Policy that associated users can access.

  • Access Level

    • Browse: Enables associated users to view the Workload Policy.

    • Update: Enables associated users to add and edit the Workload Policy.

    • Full: Enables associated users to add, edit, and delete the Workload Policy.

Configuration

The following table describes Configuration domain authorizations, which enable Administrators to delegate control to users and enable them to perform specific administrative tasks on Agents, plug-insClosed A Control-M component that extends functionality to third-party applications like Hadoop or SAP and can be integrated with other jobs in a single workflow., connection profilesClosed A profile that contains the connection parameters to a specific plug-in, including the hostname, port, username, and password., and Run as UserClosed An OS account name that is used to execute jobs on the host. definitions. Users can create, configure, and monitor their resources, which eliminates dependencies on the Control-M Administrators. Control-M Administrators can restrict user access and control over their defined resources and hide other resources in the environment.

Authorization

Description

Admin Management

Defines access levels to the following Administrator management categories:

  • Authorizations/Users & Roles: Enables associated users to access other user authorization settings in Control-M/EM, as follows:

    • None: Disables associated user access to view other users.

    • Browse : Enables associated users to view other users.

    • Update: Enables associated users to add and edit other users.

    • Full: Enables associated users to delete other users.

  • Configuration: Enables associated users to access Control-M/EM, Control-M/Server, Agent, and Agentless Host components, and notification destinations, as follows:

    • None: Disenables associated users to view components.

    • Browse : Enables associated users to view components and notification destinations.

    • Update: Enables associated users to add and edit components and view notification destinations.

    • Full: Enables associated users to and delete components and manage notification destinations.

  • Operation: Enables associated users to access authorized SSH known hosts, and enables users to start, stop, recycle, and ignore components, as follows:

    • None: Disables associated user access to Operation actions.

    • Update: Enables associated users to start, stop, recycle, and ignore components.

    • Full: Enables associated users to start, stop, recycle, and ignore components.

  • Security: Enables associated users to access SSH keys and Server users and roles, and enables users to create, edit, copy, export, test, and delete plug-in connection profiles, as follows:

    • None: Disables associated user access to Security.

    • Browse : Enables associated users to view Server users, roles, and connection profiles.

    • Update: Enables associated users to add and edit Server users, roles, and test connection profiles.

    • Full: Enables associated users to do the following:

      • Delete Server users and roles.

      • Add, edit, delete, and duplicate centralized connection profiles, and edit and delete local connection profiles.

  • If the access levels defined in Configuration and Security are higher than those defined in Agents, Agentless Hosts, or Host Groups, Plug-ins, and, Connection Profiles, the definitions in Admin Management take precedence, and vice versa.

Agents, Agentless Hosts, and Host Groups

Defines access levels to specific Agents, Agentless Hosts, and Host Groups, as follows:

  • Server: Defines the name of the Server that is connected to the selected Agents, Agentless Hosts, or Host Groups.

  • Tag: Defines a logical name that is used to label specific Agents, Agentless Hosts, or Host Groups with a specific access level. You can only define one tag per Agent, Agentless Host, or Host Group. Users can define their own tags with the * (asterisk) wildcard if they have the correct permissions.

    If users are assigned the Agent tag with the value Fin*, they can define their own tag names when they install Agents, such as FinDev or FinOps.

  • Access Level

    • Browse: Enables associated users to view the Agents, Agentless Hosts, or Host Groups.

    • Update: Enables associated users to install, recycle, ping, disable, and enable the Agents, Agentless Hosts, or Host Groups.

    • Full: Enables associated users to edit and delete the Agents, Agentless Hosts, or Host Groups, in addition to the permissions granted in the Update access level.

Plug-ins

Defines access levels to specific plug-ins, with an authorization level for each plug-in, as follows:

  • Server: Defines the name of the Servers that are connected to the selected Agents.

  • Agent Tag: Determines which Agent tagsClosed A logical name that is used to label specific Agents in a group that has a specific authorization level. associated users have access to.

  • Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases.

  • Access Level

    • Browse: Enables associated users to view the plug-ins.

    • Update: Enables associated users to view and edit the plug-ins.

    • Full: Enables associated users to delete the plug-ins, in addition to the permissions granted in the Update access level.

Connection Profiles

Defines access levels to specific local and centralized connection profiles in the Configuration domain, with an access level for each connection profile, as follows:

  • Server: Defines the name of the Servers that are connected to the selected Agents.

    To define access levels for centralized connection profiles, select All from the Control-M/Server drop-down list and type * in the Agent Tag field.

  • Agent Tag: Determines which Agent tagsClosed A logical name that is used to label specific Agents in a group that has a specific authorization level. associated users have access to.

  • Name: Determines which connection profiles associated users have access to.

  • Plug-in Type: Determines which plug-ins associated users have access to, such as Control-M MFT or Control-M for Databases.

  • Access Level

    • Browse: Enables associated users to view the connection profiles.

    • Update: Enables associated users to test the connection profiles.

    • Full: Enables associated users to do the following:

      • Create, delete, edit, and duplicate centralized connection profiles.

      • Edit and delete local connection profiles.

Run as Definitions

Defines access levels to Run as User definition management, as follows:

  • Server: Defines the name of the Server that the user is authorized to create Run as Users in Run as Users, as described in Adding a Run as User.

  • Access Level:

    • Browse: Enables associated users to view Run as Users.

    • Update: Enables associated users to create and edit Run as Users.

    • Full: Enables associated users to create, edit, and delete Run as Users.

Alerts

The following Alerts authorizations determine the type of access level granted to users associated with this role:

  • None: Disables associated user access to the Alerts tool.

  • Browse: Enables associated users to view alerts.

  • Update: Enables associated users to update alerts.

  • Full: Enables associated users to update alerts.