User and Role Authorizations

In Control-M you can create users and roles, which enables you to limit the entities that a user is authorized to view or change. Users are granted permissions based on their associated role.

If Role A has authorizations to Folder A (a container of jobs and sub-folders that passes its definitions to the jobs and sub-folders it contains) and Calendar A, then all users associated with Role A have access to those entities.

There are three pre-defined roles that are included in Control-M.

  • Administrator: Enables full access to all functionality

  • Team leader: Enables partial access with the ability to manage permissions for each member of the team

  • Viewer: Enables view access

To configure authentication for all Control-M users, BMC recommends that you perform these procedures in the following order:

  1. Adding a Role
  2. Adding an Internal User
  3. Creating an Administrator user
  4. Configuring Authentication with an IdP

You can create internal users in Control-M. However, BMC recommends that you configure a connection to an Identity Provider (IdP), which enables you to authenticate multiple external users with one configuration instead of creating individual internal users in Control-M. To connect Control-M to an IdP, see Configuring Authentication with an IdP. After the IdP is enabled, all users are authenticated via SAML 2.0.

Adding a Role

This procedure describes how to create a role, which limits the associated user to specific authorizations and access levels.

Begin

  1. From the Configuration domain, click and then select Roles.

  2. Click Add Role.

    The Add Role pane appears.

  3. In the General tab, do the following:
    1. In the Role Name field, type a logical name for the role.

    2. In the Description field, type a description for the role.

    3. Do one of the following:

      • If you want to associate users in a specific organizational group in the IdP or LDAP, select Organizational Groups Only, and from the Set Organizational Groups drop-down list, select or search for the organizational groups from your IdP or LDAP that you want to associate with this role.

        If the list is empty, you need to add the IdP or LDAP groups manually by typing the name of each group and then clicking Add. IdP and LDAP group names are case sensitive and must appear exactly as they do in the IdP or LDAP.

      • If you want to explicitly associate a specific IdP or LDAP user directly in Control-M, regardless of the organizational group, select Organizational Users Only, and from the Set Organizational Users drop-down list, search for the organizational user from your IdP or LDAP that you want to associate with this role.

        If the list is empty, you need to add the IdP or LDAP users manually by typing the name of each user and then clicking Add. IdP and LDAP user names are case sensitive and must appear exactly as they do in the IdP or LDAP.

    4. From the Interface access drop-down list, select one or more of the following applications to which this role is granted access:

      • Automation API

      • Control-M client, Utilities, EM API

      • Control-M Configuration Manager

      • Control-M Web

  4. In the Access control tab, toggle on each category for which you want to apply specific authorizations to this role, as described in Role Authorizations.

  5. Click Add.

Adding an Internal User

This procedure describes how to add a user in Control-M. User authorizations are determined by the roles that are associated to the user.

Begin

  1. From the Configuration domain, click and then select Users.

  2. In the User name field, type the user that you want to add to Control-M.

  3. In the Full Name and Description fields, type the name of the user and a description (optional).

  4. In the Assigned roles drop-down list, select one or more of the existing roles to assign to this user.

    The role determines which authorizations the user has access to for all Control-M entities. To create a role, see Adding a Role.

  5. Do one of the following:

    • To authenticate the user via LDAP, toggle on Enable external authentication only, and in the LDAP user and Domain field, type the domain name that hosts the LDAP servers that authenticate the Control-M/EM users, in the following format:

      CN[OU]@DC

      where CN=user, OU=org_unit, DC=domain

    • To authenticate the user via a password, do the following:

      1. In the Password field, define a user password.

      2. In the Password expiration field, select one of the following options:

        • Never expires

        • Custom: Determines the number of days before the password expires.

      3. If you want to prevent this user from logging into Control-M, toggle on Lock account.

  6. Click Add.

    The new user appears in the Users list.

Creating an Administrator user

This procedure describes how to create a Control-M/EM administrator user for use when the external authentication server is not available. If LDAP or Active Directory cannot be reached and an emergency user is not defined, the new administrator can log in with the authorizations and privileges of a default administrator user.

Begin

  1. Log in to the Control-M/EM server account and run the following script:

    create_admin_account

  2. In the Control-M/EM DBO name field, type the Control-M/EM database name (maximum length is 30 characters).

  3. In the Control-M/EM DBO password field, type the Control-M/EM password.

    If verification of the Control-M/EM DBO password fails, an error message appears and the script is aborted.

  4. In the Control-M/EM administrator Name field, type the name of the new user.

  5. In the Control-M/EM administrator Password field, type the new user password.

  6. In the Control-M/EM administrator Password verification field, type the same password again.

    The administrator user is created.

Role Authorizations

The following describes the authorizations that you can apply to a role, grouped by category. All users associated with this role inherit the selected authorizations.

Planning

Determines whether to allow access to specific folders and jobs, Run as users (an OS account name that is used to execute the job on the host), Service Definitions, and Promote Action.
Folders and jobs

Grants access to specific folders and jobs with an authorization level for each folder, as follows:

  • Server: Defines the name of the Control-M/Server(s) that processes the job.

  • Library: Defines the name of the library that contains the job's folder (z/OS only).

  • Folder Name: Defines the name of the folder that associated users can access

    You can define the folder name with a regular expression.

  • Browse: Enables the associated users to view folders

  • Update: Enables the associated users to add and edit folders

  • Full: Enables the associated users to add, edit, and delete folders

  • Run: Determines whether associated users can run specific folders (running is a Control-M process that adds your job to the Run Queue of the day, according to automatic or manual scheduling, and enables the job to execute, depending on prerequisites). This option is independent of the access levels: you can enable associated users to run folders at any access level.

  • Job Permissions: Determines whether to enable authorizations on jobs in a specific folder based on Application and Sub Application criteria according to a defined Access Level.
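The Folders and jobs rules above combine three things a reviewer of a role definition has to reason about: the folder name may be a regular expression, Browse/Update/Full are cumulative levels, and Run is a separate toggle that does not depend on the level. The following Python model is an added example, not Control-M code; it evaluates those rules the way the text describes them, across every role a user holds (the role and user names, the server name "ctm-prod", and the folder names are constructed for the example).

```python
import re
from dataclasses import dataclass, field

# Access levels as named on the page, ordered so a higher level includes the lower ones.
ACCESS_LEVELS = {"None": 0, "Browse": 1, "Update": 2, "Full": 3}

# Minimum level each folder action needs (Browse: view; Update: add, edit; Full: delete).
ACTION_LEVEL = {"view": "Browse", "add": "Update", "edit": "Update", "delete": "Full"}


@dataclass
class FolderRule:
    """One row of a role's Folders and jobs authorization."""
    server: str            # Control-M/Server that processes the job
    folder_pattern: str    # folder name, which the page allows to be a regular expression
    level: str             # Browse, Update or Full
    run: bool = False      # Run is a separate toggle, independent of the access level

    def matches(self, server: str, folder: str) -> bool:
        # fullmatch, so that "FIN_.*" does not also cover a folder named "NONFIN_X"
        return self.server == server and re.fullmatch(self.folder_pattern, folder) is not None


@dataclass
class Role:
    name: str
    folder_rules: list = field(default_factory=list)


# Constructed sample data (hypothetical names, not from the page): two roles, one user in both.
ROLES = {
    "fin-ops": Role("fin-ops", [FolderRule("ctm-prod", r"FIN_.*", "Update", run=True)]),
    "auditor": Role("auditor", [FolderRule("ctm-prod", r".*", "Browse")]),
}
USER_ROLES = {"alice": ["fin-ops", "auditor"], "bob": ["auditor"]}


def matching_rules(user: str, server: str, folder: str):
    """All folder rules, across every role of the user, that apply to this folder."""
    for role_name in USER_ROLES.get(user, []):
        for rule in ROLES[role_name].folder_rules:
            if rule.matches(server, folder):
                yield rule


def effective_level(user: str, server: str, folder: str) -> str:
    """Highest access level any of the user's roles grants on the folder ("None" if no rule applies)."""
    levels = [rule.level for rule in matching_rules(user, server, folder)]
    return max(levels, key=ACCESS_LEVELS.get, default="None")


def can(user: str, action: str, server: str, folder: str) -> bool:
    """Authorization decision for view/add/edit/delete/run on one folder."""
    if action == "run":
        # Run is granted by any matching rule with the Run toggle on, whatever that rule's level.
        return any(rule.run for rule in matching_rules(user, server, folder))
    needed = ACTION_LEVEL[action]
    return ACCESS_LEVELS[effective_level(user, server, folder)] >= ACCESS_LEVELS[needed]


if __name__ == "__main__":
    checks = [("alice", "edit", "FIN_PAYROLL"), ("alice", "delete", "FIN_PAYROLL"),
              ("alice", "run", "HR_ONBOARD"), ("bob", "view", "FIN_PAYROLL")]
    for user, action, folder in checks:
        print(f"{user} {action} {folder}: {can(user, action, 'ctm-prod', folder)}")
```

Two points the model makes visible: a user's permissions are the union over all assigned roles, so a broad Browse rule such as ".*" in a second role silently widens what a narrowly scoped role was meant to expose, and a regular expression that is not anchored would match more folder names than intended, which is why the example uses fullmatch when it reviews a rule.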

Run as

Enables associated users to use the listed Run as users or pattern in job definitions (the set of parameters that defines what the job does, when it must run, its prerequisites to run, and the post-processing actions for Control-M to perform after its completion; also called a job processing definition).

Service Definitions

Grants associated users access to the Service Definition manager, as follows:

  • Service name or pattern: Defines the name of the service that associated users can access
  • Browse: Enables the associated users to view service definitions
  • Update: Enables the associated users to add and edit service definitions

  • Full: Enables the associated users to add, edit, and delete service definitions

Promote Action

Sets one of the following authorization levels for promotion actions by associated users:

  • None: Prevents associated users from promoting

  • Update: Enables the associated users to create a promotion request but the promote and check-in promotion option is disabled

  • Full: Enables the associated users to create a promotion request, use promote, and check-in

Monitoring

Determines whether to allow access to specific jobs and services (a set of workflows that serves a business purpose and can be monitored as a single unit), Periodical Statistics, Forecast/SLA Management, Archived Viewpoints, and Viewpoint Management.
Job permissions

Determines which of the following entities associated users can view on all jobs or on specific jobs with a filter:

  • Documentation

  • JCL/Script

  • Job settings

  • Log

  • Output

  • Statistics

  • Why

Determines which of the following actions associated users can perform on all jobs or on specific jobs with a filter:

To add a filter that includes or excludes jobs, click Add a filter and then define the required If statement. If you want to add another group of conditions that, when met, includes more jobs even if the other group of conditions is not met, click Add Condition and then select Add And Condition or Add Or Condition.

Service permissions

Grants associated users or groups of users access to view services, perform job actions, run, hold, and release services, as follows:

  • Service Name or Pattern: Defines the name of the service that associated users can access
  • Drill-Down to View Jobs: Enables the associated users to view jobs inside a service.
  • Run Orderable Services: Enables the associated user to run a service.
  • Hold: Enables the user to hold a service, which stops the service from running.
  • Resume: Enables the associated user to release a service, which frees it from being held so that it is available to run again.
  • View Orderable Services: Enables the associated user to view services that are run by other users

Periodical Statistics

Grants associated users access to Periodical Statistics, as follows:

  • None: Prevents associated users from viewing Periodical Statistics

  • Browse: Enables the associated users to view Periodical Statistics

  • Full: Enables the associated users to add, edit, and delete Periodical Statistics

Forecast/SLA Management

Grants associated users access to Forecast/SLA Management reports, as follows:

  • None: Prevents associated users from viewing Forecast/SLA Management reports

  • Browse: Enables the associated users to view Forecast/SLA Management reports

  • Update: Enables the associated users to add and edit Forecast/SLA Management reports

  • Full: Enables the associated users to delete Forecast/SLA Management reports

Archived Viewpoints

Grants associated users access to Archived Viewpoints, as follows:

  • None: Disables access to Archived Viewpoints

  • Full: Enables associated users to add, edit, and delete Archived Viewpoints

Viewpoint Management

Grants associated users access to Collections, Filters, Hierarchies, and Viewpoint with an access for each, as follows:

  • None: Prevents associated users from viewing them

  • Browse: Enables the associated users to view them

  • Update: Enables the associated users to add and edit

  • Full: Enables the associated users to delete

Tools

Determines whether to allow access to Application Integrator (a Control-M component that enables you to create an integration with a third-party business application, and then create custom job types that perform specialized tasks on your application), Calendars (a reusable job schedule that you can apply to many jobs, which enables you to perform schedule changes from a single location), CLI Utility, Events (an entity that creates a sequence relationship between jobs by enabling the successor job to execute after the predecessor job has executed), Global Events, Resource Pools (a type of quantifiable resource, which represents the total amount of resources from a physical or logical device that a job can access), Lock Resources (a type of resource that controls the flow of the workflow, which represents a physical or logical device that a folder, sub-folder, or job can access exclusively or share), Workload Policies, Site Standards (a set of rules that are relevant to your organization and applied on the folder level, and that determine how users must define folders and jobs), and User Views (a customization of the Control-M interface, which enables users to view specific functionality only).
Application Integrator

Grants associated users access to Application Integrator, as follows:

  • None: Prevents associated users from opening Application Integrator.

  • Browse: Enables the associated users to view existing job types. Users cannot deploy, modify, or create new job types.

  • Update: Enables the associated users to deploy, modify, and create new job types. Users cannot undeploy.
  • Full: Enables the associated users to perform all actions.
Calendars

Grants access to specific calendars with an authorization level for each calendar, as follows:

  • Server: Defines the name of the Control-M/Server(s) that processes the job.

  • Calendar Name: Defines the name of the calendar that associated users can access

  • Browse: Enables the associated users to view calendars

  • Update: Enables the associated users to add and edit calendars
  • Full: Enables the associated users to add, edit, and delete calendars

CLI Utility

Grants access to the CLI utility for folder, job, and calendar management, as follows:

  • None: Disables access to the CLI utility

  • Full: Enables associated users to add, edit, and delete in the CLI utility

Events

Grants access to specific events with an authorization level for each event, as follows:

  • Server: Defines the name of the Control-M/Server(s) that processes the job.

  • Event Name: Defines the name of the event that associated users can access
  • Browse: Enables the associated users to view events

  • Update: Enables the associated users to add and edit events
  • Full: Enables the associated users to add, edit, and delete events

Global Events

Grants access to specific global events with an authorization level for each global event, as follows:

  • Prefix: Defines the global event prefix that associated users can access
  • Browse: Enables the associated users to view global events

  • Update: Enables the associated users to add and edit global events
  • Full: Enables the associated users to add, edit, and delete global events
Lock Resources

Grants access to specific Lock Resources with an authorization level for each Lock Resource, as follows:

  • Server: Defines the name of the Control-M/Server(s) that processes the job.

  • Name: Defines the name of the Lock Resource that associated users can access
  • Browse: Enables the associated users to view Lock Resources

  • Update: Enables the associated users to add and edit Lock Resources
  • Full: Enables the associated users to add, edit, and delete Lock Resources
Pool Variables (API only)

Grants associated users access to named pool variables using API commands, as follows:

  • Server: Defines the name of the Control-M/Server(s) that processes the job.

  • Variable Name: Defines the name of the named pool variable
  • Browse: Enables the associated users to view named pool variables
  • Update: Enables the associated users to add and edit named pool variables
  • Full: Enables the associated users to add, edit, and delete named pool variables

Reports

Grants access to Reports, as follows:

  • None: Disables access to Reports
  • Full: Enables the associated users to add, edit, and delete Reports

Resource Pools

Grants access to specific Resource Pools with an authorization level for each Resource Pool, as follows:

  • Server: Defines the name of the Control-M/Server(s) that processes the job.

  • Name: Defines the name of the Resource Pool that associated users can access

  • Browse: Enables the associated users to view Resource Pools

  • Update: Enables the associated users to add and edit Resource Pools

  • Full: Enables the associated users to add, edit, and delete Resource Pools

Secrets

Grants access to specific Automation API Config secrets in the JSON with an authorization level for each secret, as follows:

  • Secret Name: Defines the name of the secret that associated users can access

  • Browse: Enables the associated users to view API secrets

  • Update: Enables the associated users to add and edit API secrets

  • Full: Enables the associated users to add, edit, and delete API secrets

After you update the role, you must regenerate an API token to use the updated authorizations, as described in Creating an API Token.

Site Standards

Grants access to specific Site Standards with an authorization level for each Site Standard, as follows:

  • Site Standard Name: Defines the name of the Site Standards that associated users can access
  • Browse: Enables the associated users to view Site Standards

  • Update: Enables the associated users to add and edit Site Standards
  • Full: Enables the associated users to add, edit, and delete Site Standards
  • Site Standard Policy Access Level: Grants access to specific Site Standard policies with an authorization level for each Site Standard policy, as follows:

    • Browse: Enables the associated users to view Site Standard policies
    • Update: Enables the associated users to add and edit Site Standard policies
    • Full: Enables the associated users to add, edit, and delete Site Standard policies
User Views

Grants access to specific user views with an authorization level for each user view, as follows:

  • User View Name: Defines the name of the user view that associated users can access
  • Browse: Enables the associated users to view User Views

  • Update: Enables the associated users to add and edit User Views
  • Full: Enables the associated users to add, edit, and delete User Views

Workload Policies

Grants access to specific Workload Policies with an authorization level for each Workload Policy, as follows:

  • Workload Policy Name: Defines the name of the workload policy that associated users can access
  • Browse: Enables the associated users to view Workload Policies

  • Update: Enables the associated users to add and edit Workload Policies
  • Full: Enables the associated users to add, edit, and delete Workload Policies
Configuration

Enables the Administrator to delegate control to users to carry out specific administrative tasks on Agents, plug-ins (a Control-M component that extends functionality to third-party applications like Hadoop or SAP and integrates plug-in jobs with other jobs into a single workflow), and connection profiles (a profile that contains the connection parameters to a specific application, such as hostname, port, username, and password). Users can create, configure, and monitor their own resources, which eliminates dependencies on the Control-M Administrator. The Control-M Administrator can restrict users' access and control to their defined resources, without exposing other resources in the environment.

Agents

Grants access to specific Agents as follows:

  • Server: Defines the name of the Control-M/Server(s) that is connected to the selected Control-M/Agents.

  • Agent/Host Group Tag: Defines a logical name that is used to label specific Agents into a group with a specific authorization level. You can only define one tag per Agent. Users can define their own tags with the asterisk character if they have the correct permissions. For example, if users have been assigned the Agent tag with the value Fin*, they can define their own tag names when they install Agents, such as FinDev or FinOps.

  • Browse: Enables the associated users to view Agents

  • Update: Enables the associated users to add, recycle, ping, disable, and enable Agents
  • Full: Enables the associated users to edit and delete Agents in addition to the permissions in the Update access level
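The Agent/Host Group Tag is what makes the delegation in the Configuration category safe: a user holding Update on the tag pattern Fin* can install Agents and label them FinDev or FinOps, but not reach Agents tagged outside that pattern. The Python below is an added example, not Control-M code, that models this decision so a reviewer can check what a given role row permits; the role and user names and the server name "ctm-prod" are constructed, and case-sensitive wildcard matching is an assumption made here, not a statement from the page.

```python
from fnmatch import fnmatchcase

# Access levels as named on the page, ordered so a higher level includes the lower ones.
ACCESS_LEVELS = {"None": 0, "Browse": 1, "Update": 2, "Full": 3}

# Agent actions the page lists per level: Browse views; Update adds, recycles, pings,
# disables and enables; Full also edits and deletes.
AGENT_ACTIONS = {
    "None": set(),
    "Browse": {"view"},
    "Update": {"view", "add", "recycle", "ping", "disable", "enable"},
    "Full": {"view", "add", "recycle", "ping", "disable", "enable", "edit", "delete"},
}

# Constructed sample role rows (server, Agent/Host Group Tag pattern, level); names are hypothetical.
AGENT_RULES = {
    "fin-platform": [("ctm-prod", "Fin*", "Update")],
    "ctm-admin": [("ctm-prod", "*", "Full")],
}
USER_ROLES = {"dana": ["fin-platform"], "ops-admin": ["ctm-admin"], "guest": []}


def agent_level(user: str, server: str, tag: str) -> str:
    """Highest level any of the user's roles grants on Agents carrying this tag.

    Tag patterns use the asterisk wildcard shown on the page ("Fin*"). Matching is
    done case sensitively (fnmatchcase); that is an assumption of this example.
    """
    best = "None"
    for role_name in USER_ROLES.get(user, []):
        for rule_server, pattern, level in AGENT_RULES.get(role_name, []):
            if rule_server == server and fnmatchcase(tag, pattern):
                if ACCESS_LEVELS[level] > ACCESS_LEVELS[best]:
                    best = level
    return best


def may_act_on_agent(user: str, action: str, server: str, tag: str) -> bool:
    """True if the user's effective level on Agents with this tag includes the action."""
    return action in AGENT_ACTIONS[agent_level(user, server, tag)]


def may_install_agent_with_tag(user: str, server: str, proposed_tag: str) -> bool:
    """Installing an Agent is an 'add' on that Agent, so the tag the user picks at install
    time must fall under a pattern on which the user holds Update or Full."""
    return may_act_on_agent(user, "add", server, proposed_tag)


if __name__ == "__main__":
    for tag in ["FinDev", "FinOps", "HROps"]:
        allowed = may_install_agent_with_tag("dana", "ctm-prod", tag)
        print(f"dana may install an Agent tagged {tag}: {allowed}")
```

The check worth keeping in mind when reviewing such rows is the width of the pattern: a bare asterisk on Update effectively lets the holder add and recycle every Agent on that server, which is administrator-level reach granted under a delegated role.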
Plug-ins

Grants access to specific plug-ins with an authorization level for each plug-in, as follows:

  • Server: Defines the name of the Control-M/Server(s) that is connected to the selected Control-M/Agents.

  • Agent Tag: Determines which Agent tags the associated users have access to

  • Plug-in Type: Determines which plug-ins associated users have access to, such as AWS or Database.

  • Browse: Enables the associated users to view plug-ins
  • Update: Enables the associated users to view and edit plug-ins
  • Full: Enables the associated users to delete plug-ins in addition to the permissions in the Update access level
Connection Profiles

Grants access to specific connection profiles with an authorization level for each connection profile, as follows:

  • Server: Defines the name of the Control-M/Server(s) that is connected to the selected Control-M/Agents.

  • Name: Determines which connection profiles associated users have access to

  • Plug-in Type: Determines which plug-ins associated users have access to, such as AWS or Database.

  • Browse: Enables the associated users to view connection profiles
  • Update: Enables the associated users to view and edit connection profiles
  • Full: Enables the associated users to delete Plug-ins in addition to the permissions in the Update access level
Run as Definition

Grants associated users access to manage Run as User definitions, as follows:

  • Server: Lists the Control-M/Server(s) on which the user is authorized to create Run as users, as described in Adding a Run as User.

  • None: Disables access to Run as Definition
  • Browse: Enables the associated users to view Run as Users

  • Update: Enables the associated users to create and edit existing Run as Users

  • Full: Enables the associated users to create, edit, and delete Run as Users

Admin Management

Grants associated users access to the following categories, as follows:

  • Authorizations/Users & Roles: Enables associated users to apply authorizations to other users in Control-M/EM, as follows:

    • None: Prevents associated users from viewing other users

    • Browse: Enables the associated users to view other users

    • Update: Enables the associated users to add and edit other users

    • Full: Enables the associated users to delete other users

  • Configuration: Grants associated users access to Control-M/EM, Control-M/Server, and Control-M/Agent components, as follows:

    • None: Prevents associated users from viewing components

    • Browse: Enables the associated users to view components

    • Update: Enables the associated users to add and edit components

    • Full: Enables the associated users to delete components

  • Database Maintenance: Grants associated users access to check database space and extend the database size, as follows:

    • None: Disables associated users' access to Database Maintenance

    • Browse: Enables the associated users to check database space

    • Full: Enables the associated users to extend database size

  • Operation: Grants associated users access to start, stop, recycle, and ignore components, as follows:

    • None: Disables associated users' access to Operation actions

    • Update: Enables the associated users to start, stop, recycle, and ignore components

    • Full: Enables the associated users to start, stop, recycle, and ignore components

  • Promotion Rules: Grants associated users access to define Promotion Rules

    • None: Disables associated users' access to Promotion Rules

    • Full: Enables the associated users to define Promotion Rules

  • Security: Grants associated users access to Control-M/Server users and roles, as well as the ability to create, edit, copy, export, test, and delete connection profiles for a plug-in, as follows:

    • None: Disables associated users' access to Security

    • Browse: Enables the associated users to view Control-M/Server users and roles and connection profiles

    • Update: Enables the associated users to add and edit Control-M/Server user and roles and connection profiles

    • Full: Enables the associated users to delete Control-M/Server user and roles and connection profiles

Alerts

Determines whether to allow access to alerts (a notification about the status of a job or a component that appears in the Alerts window), with one of the following access levels:

  • Browse: Enables the associated users to view alerts
  • Update: Enables the associated users to update alerts
  • Full: Enables the associated users to update alerts

Workflow Insights

Determines whether to allow access to the Workflow Insights domain