What  permissions and privileges are needed to be defined in user security authorizations in order for a user to be able to consume all of the endpoints in Control-M Automation API?

Knowledge Article

What  permissions and privileges are needed to be defined in user security authorizations in order for a user to be able to consume all of the endpoints in Control-M Automation API?
Control-M/Enterprise Manager
Control-M Automation API
Control-M Automation API 9.0.00 and higher
Control-M/Enterprise Manager
Control-M Automation API
Control-M Automation API 9.0.00 and higher
What permissions and privileges need to be defined in user security authorizations for a user to be able to consume all of the endpoints in Control-M Automation API?
Putting items such as Control-M Workload Automation, Utilities, EM, API, etc. to Full is not enough.

 ·         The minimal privileges needed to log in and get an access token

 
    Control-M/Enterprise Manager 9.0.19.2xx and lower:

                     Privileges Authorizations
 
                    Category: Client Access
                                Control-m Workload Automation, Utilities, EM Api,…:  Full
                 
                      Category: Control-M Configuration Manager
                                Control-M Configuration Manager: Full
                             Configuration: None
                             Operation: None

                        Please Note: The CCM FULL  privilege allows the user to log in to the CCM.
                       The other privileges in the "Control-M Configuration Manager" privilege group affect what they can do once logged in.
                       These other privileges can be set to browse or none as appropriate, as long as the "CCM" privilege is FULL,
                        the user can get the token from the CMS (so AAPI can function)

Control-M/Enterprise Manager 9.0.20 and higher:
(refer to documentation for 9.0.21.300  )

                     Privileges Authorizations
 
                    Category: Client Access
                                Control-M Automation API:  Full
 
       * The minimal privileges for configurations (e.g. access to Configuration Server functionality)          
 
                     Privileges Authorizations
                           
                      * Category: Control-M Configuration Manager
 
                            Control-M Configuration Manager: Full (Control-M/Enterprise Manager 9.0.19.2xx and lower)
                            

 Grants
Configuration: None
 		Access to CMS topology information
 
config servers::get
config server:agents::get <ctm>
config server:remotehosts::get <ctm>
 
Configuration: BrowseAccess to item detail information
 
config server:agent:params::get <ctm> <agent>
 
config server:params::get <ctm>
config server:remotehost::get <ctm> <remotehost>
config server:hostgroups::get <ctm>
config server:hostgroup:agents::get <ctm> <hostgroup>
Configuration: UpdateAdding, Updating, Modifying configurations
config em:param::set <name> <value>
config server::add <host> <ctm> <id> [port]
config server:agent::add <ctm> <host> <port>
config server:agent::disable <ctm> <agent>
config server:agent::enable <ctm> <agent>           
config server:agent::ping <ctm> <agent>
config server:hostgroup:agent::add <ctm> <hostgroup> <host>
config server:hostgroup:agent::delete <ctm> <hostgroup> <host>
config server:remotehost::add <ctm> <remotehost>
Configuration: FullDeleting configurations and Failover
  config server::delete <ctm>
  config server:agent::delete <ctm> <agent>         
  config server:remotehost::delete <ctm> <remotehost>
  config server::failover <ctm>
Operation: UpdateSpecific actions on item
config server:remotehost::authorize <ctm> <remotehost>

 
 
·         The minimal privileges for Build
 

Access token privileges are enoughbuild <definitionsFile>
  

 
 
·         The minimal privileges for Deploy
 
Folders and Run As Authorizations
 

At least browse level on all retrieved folders
 
Folders:  
Access level: Browse, Control-M:*, Folder: *		deploy jobs::get
At least update the level on all folders deployed
 
Permission to write jobs that “run as” on specific hosts for all jobs deployed.
 
 
Folders:
Access level: Update, Control-M:*, Folder: *
 
Run As:
Control-M:*, Run As: *, Node/Group : *		deploy <definitionsFile>
Full access level on all folders to delete
 
Folders:
         Access level: Full, Control-M:*, Folder: *		deploy  folder::delete

 
                                                              
·         The minimal privileges for accessing the Run   Events management
 
Prerequisite Conditions  Authorizations
 

At least Browse level for Prerequisite Conditions retrieved
 
Prerequisite Conditions:
Access Level: Browse,  CONTROL-M:*,  Condition: *		run events::get  -s <search query>
At least Update the level for Prerequisite Conditions to add
 
Prerequisite Conditions:
Access Level: Update,  CONTROL-M:*,  Condition: *		run event::add <ctm> <name> <date>
Full access level for Prerequisite Conditions to delete
 
Prerequisite Conditions:
Access Level: Full,  CONTROL-M:*,  Condition: *		run event::delete <ctm> <name> <date>

 
 
·         The minimal privileges for accessing the Run Resource management
 
Quantitative and Control Resources Authorizations
 

At least Browse level for Quantitative and Control resources retrieved
 
Quantitative Resource:
Access Level: Browse,  CONTROL-M:*,  Resource: *
 
Control Resource:
Access Level: Browse,  CONTROL-M:*,  Resource: *		run resources::get  -s <search query>
At least Update level for Quantitative resources  added or updated
 
Quantitative Resource:
Access Level: Update,  CONTROL-M:*,  Resource: *		run resource::add <ctm> <name> <max>
run resource::update <ctm> <name> <max>
Full access level for Quantitative resources deleted
 
Quantitative Resource:
Access Level: Full,  CONTROL-M:*,  Resource: *		run resource::delete <ctm> <name>

 
 
 
·         The minimal privileges for accessing the Run jobs
 
Active Authorizations
 

For accessing jobs run information. 
Active Privileges filter needs to allow access to the jobs.
 
Active:
Jobs Filter: off
Or
Jobs Filter: Include all viewable jobs		run job:status::get <jobId>
run jobs:status::get [limit] -s <search query>
run status <runId> [startIndex] [-i]
 
 
For job actions.  In addition to Filter, specific job actions need to be allowed
 
Active:
Jobs Filter: off, or includes all viewable jobs
Actions:  Turn on all allowed actions		run job::confirm <jobId>
run job::delete <jobId>
run job::free <jobId>
run job::hold <jobId>
run job::kill <jobId>
run job:log::get <jobId>
run job:output::get <jobId> [runNo]
run job::rerun <jobId>
run job::runNow <jobId>
run job::setToOk <jobId>
run job::undelete <jobId>
  

 
 
·         The minimal privileges for accessing the Run  run/order
 
Folder Authorizations
 

  
Same as deploy
 
At least update the level on all folders deployed
 
Permission to write jobs that “run as” on specific hosts for all jobs deployed.
 
Folders:
Access level: Update, Control-M:*, Folder: *
 
Run As:
Control-M:*, Run As: *, Node/Group : *		run <jobDefinitionsFile>
At least update the level on all folders ordered
 
Folders:
Access level: Update, Control-M:*, Folder: *		run order <ctm> <folder> [jobs]


·         The minimal privileges to run Control-M Reports

                     Privileges Authorizations
                           
                      * Category: Monitoring and Administration Tools
 
                            CLI: Full (Control-M/Enterprise Manager 9.0.20.x and higher)

Additional Information:
Customers viewing this solution may find value in the following self-help Connect with Control-M video.
Control-M/Enterprise Manager
Control-M Automation API
Control-M Automation API 9.0.00 and higher
Attachment(s):