User data for authorization configuration


This page provides information for creating user data files, that is, payload JSON files that you can submit when you configure user authorizations.

The following code sample shows the available objects that you can include within such a file. The rest of this page provides details about each of these objects and their properties.

{    
"Name": "emuser1",    
"FullName": "John Doe",    
"Description": "Control-M/EM user number 1",    
"Authentication": {
"ExternalProvider": {    
"LdapUserAndDomain": "user1@prod"
},
"ControlM": {      
"Password": "keySecret",      
"PasswordExpirationDays": 60,      
"ChangePasswordAtNextLogin": true,      
"LockAccount": true
}    
},
"Roles": ["AdminGroup", "UpdateGroup"],
"Authorization":
{
"AllowedJobs": {
"Included": [
[["FileName", "like", "a*"], ["JobType", "eq", "Job,Command"]],
[["FileName", "like", "b*"], ["JobType", "eq", "Job,Command"]]
],
"Excluded": [
[["FileName", "like", "c*"], ["JobType", "eq", "Job,Command"]],
[["FileName", "like", "d*"], ["JobType", "eq", "Job,Command"]]
]
},
"AllowedJobActions": {
"ViewProperties": true,
"Documentation": true,
"Log": true,
"Statistics": true
},
"Privileges": {
"ClientAccess":{
"SelfServiceAccess": "Full",
"WorkloadChangeManagerAccess": "Full",
"UtilitiesAccess": "Full",
"ApplicationIntegratorAccess": "Full"
},
"ViewpointManager": {
"Collections": "Update",
"Hierarchies": "Update",
"Filters": "Update",
"Viewpoints": "Update"
}
},
"Folders": [{
"Privilege": "Full",
"ControlmServer": "Order&Job",
"Library": "bbb*",
"Folder": "ccc*",
"Order": true
}],
"Calendars": [{
"Privilege": "Update",
"Name": "aaa*",
"ControlmServer": "ctm2"
}],
"RunasUsers": [{
"ControlmServer": "aaa*",
"RunasUser": "bbb",
"Host": "bbb*"
}],
"WorkloadPolicies": [{
"Privilege": "Update",
"Name": "d*"
}],
"SiteStandard": [{
"Privilege": "Update",
"Name": "g*"
}],
"SiteCustomization": [{
"Privilege": "Update",
"Name": "ca*"
}],
"Services": [{
"Privilege": "Full",
"Name": "*",
"AllowedActions":
{"DrillDown": true,
"Run": true,
"Hold": true,
"Resume": true,
"ViewOrderableService": true}
}],
"Events": [{
"Privilege": "Full",
"ControlmServer": "aaa*",
"Name": "*"
}],
"Mutexes": [{
"Privilege": "Full",
"ControlmServer": "aaa*",
"Name": "*"
}],
"Semaphores": [{
"Privilege": "Full",
"ControlmServer": "aaa*",
"Name": "*"
}],
"GlobalEvents": [{
"Privilege": "Update",
"Name": "aaa"
}]
}
}

General user settings

The user file contains the following general properties for the user that you are defining:

Property

Description

Name

A unique name for the user account (required property)

FullName

The full name of the user (optional)

Description

An optional textual description of the user

For example:

"Name": "emuser1",    
"FullName": "John Doe",    
"Description": "Control-M/EM user number 1",

Authentication definitions

The Authentication object defines the credentials and other logon settings for the user's connection with Control-M. You can define an external LDAP connection and/or a Control-M logon.

"Authentication": {
"ExternalProvider": {    
"LdapUserAndDomain": "user1@prod"
},
"ControlM": {      
"Password": "keySecret",      
"PasswordExpirationDays": 60,      
"ChangePasswordAtNextLogin": true,      
"LockAccount": true
}    
}

The following table describes the objects and properties under the Authentication object:

Object or Property

Description

ExternalProvider

An external connection:

    LdapUserAndDomain

The LDAP user and domain for the external connection

ControlM

Internal Control-M logon details:

    Password

A password for the user, either plain text or a predefined secret

    PasswordExpirationDays

(Optional) Number of days until the password expires

The default is 0, that is, no expiration.

    ChangePasswordAtNextLogin

Use this setting to force the user to change his/her password at next login.

Values: true | false

Default: false

    LockAccount

Use this setting to temporarily lock a user account, disabling the user from performing actions in Control-M.

Values: true | false

Default: false

Role associations

The Roles object enables you to assign roles (one or more) to the user.

For example:

    "Roles": ["AdminGroup", "UpdateGroup"],

Authorization definitions

The Authorization object enables you to manage the user's authorizations to access various Control-M entities, objects, and actions. All next-level objects (under the Authorization object) can also be defined at the role level (as described in Role-data-for-authorization-configuration), to be inherited by all users associated with the role. Therefore, any entries that you include under the Authorization object are optional, and they serve the following purposes:

  • To add authorizations to the individual user, beyond those inherited from the role.
  • To override role-level authorizations — this is the case for entries under the Privilegesobject.

AllowedJobs

Grants the user browse access to the output of jobs that you specify using include/exclude filters.

    "AllowedJobs": {
       "Included": [
           [["FileName", "like", "a*"], ["JobType", "eq", "Job,Command"]],
           [["FileName", "like", "b*"], ["JobType", "eq", "job,command"}],
        ]
       "Excluded": [
           [["FileName", "like", "c*"], ["JobType", "eq", "Job,Command"]],
           [["FileName", "like", "d*"], ["JobType", "eq", "Job,Command"}],
        ]
    }

Under the AllowedJobs object, you define job authorizations:

  • The Included object lists filters for jobs that the user is authorized to access.
  • The Excluded object lists filters for jobs that the user is NOT authorized to access.

In each of these lists, you can include one or more filters. An implied OR logical operator connects between the various filters.

Each filter can include multiple conditions, with an implied AND logical operator connecting between the conditions. A condition is a pattern-matching expression that detects jobs according to a specific job property. A condition has the following format:

["jobProperty", "operator", "value"]

The following table provides guidelines for specifying the various elements within the filter condition:

Job property

Operator

Value

The following properties are available:

  • Application
  • ApplicationType
  • Command
  • ControlmServer
  • Critical
  • Cyclic
  • Description
  • EmbeddedScript
  • FileName
  • FilePath
  • Folder
  • Host
  • Jobname
  • JobType
  • NjeNode
  • OrderDate
  • Rba
  • Runas
  • SubApplication

Choose one of the following:

  • eq (equals)
  • ne (does not equal)
  • ge (greater than or equals)
  • le (less than or equals)
  • like

Specify a value appropriate for the property:

  • For most properties, provide any string.
    For multiple values, you can use commas (,).
    If using the like operator, you can also use wildcards (* or ?).
  • The following properties call for a Boolean value, either true or false. The default is false.
    • Critical
    • Cyclic
    • EmbeddedScript
  • For the JobType property, specify one or more of the following values:
    • Job
    • Task
    • SmartFolder
    • Detached
    • Command
    • Dummy

AllowedJobActions

Authorizes the user to perform specific actions (browse actions, control actions, or update actions) on the jobs filtered through the AllowedJobs object and the folders specified through the Folders object.

    "AllowedJobActions": {
       "ViewProperties": true,
        "SetToOk": true,
       "Documentation": true,
       "Confirm": true,
        "Log": true
    }

Under the AllowedJobsActions object, you define which job actions the user is authorized to perform. Each action is set to either true (allowed) or false (not allowed). The default is false.

The following table lists all available job actions. For your convenience, the actions in this table are divided into three categories — Browse actions, Control actions, and Update actions.

Browse actions

Control actions

Update actions

  • Documentation
  • Log
  • ViewProperties
  • Statistics
  • ViewJcl
  • ViewOutputList
  • Why
  • Bypass
  • Confirm
  • Free
  • Hold
  • Kill
  • React
  • Rerun
  • Restart
  • Delete
  • EditJcl
  • EditProperties
  • SetToOk
  • Undelete

Privileges

Grants the user access to various Control-M components, utilities, and tools, and authorizes the user to perform actions through these tools based on the defined access levels. By default, all privileges are inherited from the associated role, but you can set different privileges for an individual user to override the role-level privileges.

    "Privileges": {
       "ClientAccess" {
          "ConfigurationManagerAccess": "Full",
          "ApplicationIntegratorAccess": "None",
       },
       "ConfigurationManager" {
  "Authorization": "Browse",
  "ControlmSecurity": "Update",
           }
    }

Under the Privileges object, various Control-M features and capabilities are categorized and grouped together under the following next-level objects:

  • ClientAccess
  • ConfigurationManager
  • Monitoring
  • Planning
  • Tools
  • ViewpointManager

The following table lists all the Control-M features and capabilities in these categories, and provides details of the authorization levels that are available for each feature. The default authorization for all features is Default, that is, inherited from the role.

Control-M feature
(divided by category)

Description

Available authorizations

Full

Update

Browse

None

Default

ClientAccess

SelfServiceAccess

Access Control-M Self Service

✅️

❌️

❌️

✅️

✅️

WorkloadChangeManagerAccess

Access Control-M Workload Change Manager

✅️

❌️

❌️

✅️

✅️

UtilitiesAccess

Access Control-M/Server utilities, Control-M/EM API, and the Control-M Batch Impact Manager Web UI

✅️

❌️

❌️

✅️

✅️

ApplicationIntegratorAccess

Access to Control-M Application Integrator

✅️

❌️

❌️

✅️

✅️

ConfigurationManager

Authorization

Manage authorizations

✅️

✅️

✅️

✅️

✅️

ConfigurationManagerAccess

Access Control-M Configuration Manager

✅️

❌️

❌️

✅️

✅️

Configuration

Manage configurations

✅️

✅️

✅️

✅️

✅️

Operation

Manage operations

✅️

✅️

❌️

✅️

✅️

Database

Perform database maintenance

✅️

❌️

✅️

✅️

✅️

ControlmSecurity

Manage Control-M security

✅️

✅️

✅️

✅️

✅️

Monitoring

Alert

Manage alerts

✅️

✅️

✅️

✅️

✅️

ViewpointArchive

Manage archived Viewpoints

✅️

❌️

❌️

✅️

✅️

Planning

PeriodicalStatistics

Manage periodical statistics

✅️

❌️

✅️

✅️

✅️

ForecastOrBatchImpactManagerConfig

Configure Control-M/Forecast and Control-M Batch Impact Manager

✅️

✅️

✅️

✅️

✅️

PromotionRules

Manage promotion rules

✅️

❌️

❌️

✅️

✅️

PromoteAction

Manage promotion actions

✅️

✅️

❌️

✅️

✅️

Tools

Cli

Access command line tools

✅️

❌️

❌️

✅️

✅️

BatchImpactManagerReport

Generate and view Control-M Batch Impact Manager reports

✅️

❌️

❌️

✅️

✅️

ForecastReport

Generate and view Control-M/Forecast reports

✅️

❌️

❌️

✅️

✅️

ViewpointManager

Collections

Manage Viewpoint collections

✅️

✅️

✅️

✅️

✅️

Hierarchies

Manage Viewpoint hierarchies

✅️

✅️

✅️

✅️

✅️

Filters

Manage Viewpoint filters

✅️

✅️

✅️

✅️

✅️

Viewpoints

Manage Viewpoints

✅️

✅️

✅️

✅️

✅️

Folders

Grants the user access to specific folders, along with an authorization level for each folder. Also enables you to grant different authorizations per job within a specific folder based on Application or Sub Application criteria.

    "Folders": [{
       "Privilege": "Full",
       "ControlmServer":  "aaa*",
       "Library": "bbb*",
       "Folder": "ccc*",
       "Order": true,
       "Jobs": {
           "Privilege": "Full",
           "Application": "aaa*",
           "SubApplication": "bbb*"
        },
    }]

The Folders object has the following properties:

For properties that support multiple values (ControlmServer, Library, Folder, Application, and SubApplication), you can use commas (,) or wildcards (such as * or ?). For more information, see Pattern matching strings in the Control-M Online Help.

Calendars

Associates specific calendars in Control-M with the user, along with an authorization level for each calendar.

    "Calendars": [{
       "Privilege": "Full",
       "ControlmServer": "aaa*",
       "Name": "bbb*"
    }]

The Calendars object has the following properties:

Property

Description

Privilege

Level of authorization to assign for the specified calendar (or calendars) — Full, Update, or Browse

This property is required.

ControlmServer

Name of (one or more) Control-M/Server that processes jobs

Note: If this property is not defined, privileges are granted for the specified calendar (next property) on all Control-M/Servers in the environment.

Name

Name of calendar or calendars

Note: If this property is not defined, privileges are granted for all calendars on the specified Control-M/Server (previous property).

For properties that support multiple values (ControlmServer and Name), you can use commas (,) or wildcards (such as * or ?). For more information, see Pattern matching strings in the Control-M Online Help.

RunasUsers

Associates "run as" users with the user, for running jobs on a Control-M/Agent.

Note: For a user's RunasUser definitions to take effect on jobs in a folder, the same user must be granted sufficient folder privileges — either Full or Update privileges must be granted to the relevant folders.

    "RunasUsers": [{
       "ControlmServer": "aaa*",
       "RunasUser": "aaa*",
       "NodeIdOrGroup": "bbb*"
    }]

The RunasUsers object has the following properties:

Property

Description

ControlmServer

Name of (one or more) Control-M/Server that processes jobs

RunasUser

Name of "run as" user(s) to be granted authorization to execute jobs

Host

Name of a Control-M/Agent computer, remote host computer, or host group where jobs are submitted

You must define at least one of these properties. Once one property is defined, the implied value for any other undefined property is "*".

For multiple values in any of these properties, you can use commas (,) or wildcards (such as * or ?).

You might also want to specify values to be excluded. For example, to exclude user names root or Oracle, you can specify the following string:
"RunasUser": "!(root|Oracle)"

For more information, see Pattern matching strings in the Control-M Online Help.

WorkloadPolicies

Associates specific Workload Policies in Control-M with the user, along with an authorization level for each Workload Policy.

Workload policies are groups of jobs that you define for the purpose of balancing the workload and limiting resources used by jobs.

    "WorkloadPolicies": [{
       "Privilege": "Full",
       "Name": "*"
    }]

The WorkloadPolicies object has the following properties. All parameters are required.

Property

Description

Privilege

Level of authorization to assign for the specified Workload Policy or Policies — Full, Update, or Browse

Name

Name of Workload Policy (or Workload Policies)

For multiple values, you can use commas (,) or wildcards (such as * or ?). See Pattern matching strings in the Control-M Online Help.

Note: If the Privilege property is set to Full, the Name property must be set to "*" (all Workload Policies).

SiteStandard

Associates specific Site Standards with the user, along with an authorization level for each one.

Site Standards are collections of settings that are applied to folders and jobs to ensure that web users follow organization standards.

    "SiteStandard": [{
       "Privilege": "Full",
       "Name": "*"
    }]

The SiteStandard object has the following properties. All parameters are required.

Property

Description

Privilege

Level of authorization to assign for the specified site standard(s) — Full, Update, or Browse

Name

Name of site standard(s)

For multiple values, you can use commas (,) or wildcards (such as * or ?). See Pattern matching strings in the Control-M Online Help.

SiteCustomization

Associates specific Site Customizations with the user, along with an authorization level for each one.

Site Customizations are collections of settings that are applied to jobs to limit web users' access to job properties or to restrict the types of jobs that web users can create.

    "SiteCustomization": [{
       "Privilege": "Full",
       "Name": "*"
    }]

The SiteCustomization object has the following properties. All parameters are required.

Property

Description

Privilege

Level of authorization to assign for the specified site customization(s) — Full, Update, or Browse

Name

Name of site customization(s)

For multiple values, you can use commas (,) or wildcards (such as * or ?). See Pattern matching strings in the Control-M Online Help.

Services

Grants the user authorization to view services and to perform job actions, order, hold, and release services.

A service is a group of jobs that are aggregated based on various job filtering criteria.

    "Services": [{
       "Privilege": "Full",
       "Name": "*",
       "AllowedActions":
            {"DrillDown": true,
           "Run": true,
           "Hold": true,
           "Resume": true,
           "ViewOrderableService": true}
    }]

The Services object has the following properties:

Property

Description

Privilege

Level of authorization to assign for the specified service(s) — Full, Update, Browse, or None

This property is required.

Name

Name of service(s)

For multiple values, you can use commas (,) or wildcards (such as * or ?). See Pattern matching strings in the Control-M Online Help.

This property is required.

AllowedActions

Actions that the user is authorized to perform on the service(s)

Specify each action as a next-level property, and set it to a Boolean value — either true or false.

Note: If this property is not defined, all actions are set to a default of false.

You can specify any of the following actions:

  • DrillDown – Drill down to view jobs
  • Run – Order a service and run its jobs
  • Hold – Hold a service, that is, stop jobs from running
  • Resume – Release the service and resume job running
  • ViewOrderableService – View orderable services that were started by other users

Events

Grants the user authorization to manage events, by associating specific events with the user and assigning an authorization level to each one.

    "Events": [{
       "Privilege": "Full",
       "ControlmServer": "aaa*",
       "Name": "*"
    }]

The Events object has the following properties:

Property

Description

Privilege

Level of authorization to assign for the specified event(s) — Full, Update, or Browse

This property is required.

ControlmServer

Name of (one or more) Control-M/Server that processes jobs

Note: If this property is not defined, privileges are granted for the specified event (next property) on all Control-M/Servers in the environment.

Name

Name of event(s)

Note: If this property is not defined, privileges are granted for all events on the specified Control-M/Server (previous property).

For properties that support multiple values (ControlmServer and Name), you can use commas (,) or wildcards (such as * or ?). For more information, see Pattern matching strings in the Control-M Online Help.

Mutexes

Grants the user authorization to manage mutexes (also known as control resources), by associating specific mutexes with the user and assigning an authorization level to each one.

    "Mutexes": [{
       "Privilege": "Full",
       "ControlmServer": "aaa*",
       "Name": "*"
    }]

The Mutexes object has the following properties:

Property

Description

Privilege

Level of authorization to assign for the specified mutex (or mutexes) — Full, Update, or Browse

This property is required.

ControlmServer

Name of (one or more) Control-M/Server that processes jobs

Note: If this property is not defined, privileges are granted for the specified mutex (next property) on all Control-M/Servers in the environment.

Name

Name of mutex or mutexes

Note: If this property is not defined, privileges are granted for all mutexes on the specified Control-M/Server (previous property).

For properties that support multiple values (ControlmServer and Name), you can use commas (,) or wildcards (such as * or ?). For more information, see Pattern matching strings in the Control-M Online Help.

Semaphores

Grants the user authorization to manage semaphores (also known as quantitative resources), by associating specific semaphores with the user and assigning an authorization level to each one.

    "Semaphores": [{
       "Privilege": "Full",
       "ControlmServer": "aaa*",
       "Name": "*"
    }]

The Semaphores object has the following properties:

Property

Description

Privilege

Level of authorization to assign for the specified semaphore (or semaphores) — Full, Update, or Browse

This property is required.

ControlmServer

Name of (one or more) Control-M/Server that processes jobs

Note: If this property is not defined, privileges are granted for the specified semaphore (next property) on all Control-M/Servers in the environment.

Name

Name of semaphore or semaphores

Note: If this property is not defined, privileges are granted for all semaphores on the specified Control-M/Server (previous property).

For properties that support multiple values (ControlmServer and Name), you can use commas (,) or wildcards (such as * or ?). For more information, see Pattern matching strings in the Control-M Online Help.

GlobalEvents

Grant the user authorization to manage global events, by associating specific global events with the user and assigning an authorization level to each one.

    "GlobalEvents": [{
       "Privilege": "Full",
       "Name": "*",
    }]

The GlobalEvents object has the following properties. All parameters are required.

Property

Description

Privilege

Level of authorization to assign for the specified global event(s) — Full, Update, or Browse

Name

Name of global event(s)

For multiple values, you can use commas (,) or wildcards (such as * or ?). See Pattern matching strings in the Control-M Online Help.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*