|
|
|
|
|
In Control-M you can create, edit, copy, and delete Control-M/EM users and groups, which enables you to limit the entities that a user is authorized to view or change. For example, a user can be limited to modifying resources and jobs that relate to a specific Control-M/Server installation.
Users are granted permissions based on their associated group. You can add additional authorizations, which supersede the authorizations defined for that user in the group.
EXAMPLE: User JimA belongs to group Acct. Group Acct has Browse authority for all folders. JimA has Update authority for Control-M Figaro and Marius folders. In addition, JimA has Update authority for jobs on Control-M Figaro and Marius where Bob is the Run as user and the NodeID or Group is Finance. JimA can update folders for Figaro and Marius that have jobs whose Run as user is Bob and Node ID or Group field is Finance, but can only view folders for other Control-M installations.
Usernames are authenticated in Control-M/EM according to the AuthenticationMethod system parameter and the DirectoryServiceAuth system parameter settings. These parameters determine whether Control-M/EM uses internal or external authentication. If the DirectoryServiceAuth system parameter is set to On, the AuthenticationMethod system parameter is ignored. The login procedure must authenticate the identifiers of the user against external LDAP directories. Users who are not defined in the Control-M/EM must belong to groups in the LDAP directory. These groups must be associated with Control-M/EM authorization groups, as described in LDAP Groups authorization. For more information about these parameters and other LDAP parameters, see Control-M/EM general parameters.
Many operations require authorizations in both Control-M/EM and Control-M/Server. For example, to hold a job, the user must be authorized in Control-M/EM to access that job and authorized in Control-M/Server to hold jobs for the job run as user. For more information, see Control-M/Server security.
The following procedures describe how to define, edit, copy, and delete Control-M/EM users and groups in the CCM:
For a list of available authorizations for Control-M/EM users and groups, see Control-M/EM user and group authorizations.