Control-M Automation API Agent Certificate Management Authorization Changes

28 May 2026

From Control-M/EM 9.0.27, planned for release in October 2026, BMC is changing the role authorization (Access Control) categories and levels for the Control-M Automation API operations that enable you to configure certificates on SSL/TLS-configured Agents and manage and rotate Certificate Authorities (CA). These changes enable Control-M to maintain consistent security and improve role-based access control (RBAC).

The functionality of these API operations remains unchanged. Only the Access Control categories, Access Levels, authorization metadata, and audit classifications will change.

Control-M Automation API Agent Certificate Management Operation Authorization Categories and Levels

The following table describes the current and upcoming (in Control-M 9.0.27) categorization and authorization levels for all Control-M Automation API Agent certificate management operations.

Control-M Automation API Operation	Access Control Category		Access Level
	Current	Control-M 9.0.27	Current	Control-M 9.0.27
config server:agent:csr::create	Configuration	Security   Change	Browse	Update   Change
config server:agent:crt::deploy	Configuration	Security   Change	Browse	Full         Change
config server:agent:crt:expiration::get	Configuration	Security   Change	Browse	Browse
config ca:server:agent:list::get	Configuration	Security   Change	Browse	Browse
config ca:server:agent::add	Configuration	Security   Change	Browse	Browse
config ca:server:agent::delete	Configuration	Security   Change	Full	Full

BMC recommends that you do the following:

• Review the roles that are assigned to users or service accounts that call Control-M Automation API Agent certificate management operations. For more information, see Control-M Automation API Authorizations.
• Change the role authorizations to the new Access Control categories and levels after you upgrade to Control-M 9.0.27, as described in Adding a Role.