This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
Control-M/Enterprise Manager 7.0.00, 8.0.00, 9.0.00, 9.0.18
How can you give specific Control-M users or groups the ability to add and update CM accounts (Connection Profiles) using Control-M Configuration Manager without giving the user full access to all the objects and parameters under Control-M Configuration Manager?
For Control-M\Enterprise Manager Server 9.0.00 and below:
There is an EM System Parameters called, "restricted_cm_admin". When this Parameter is set to TRUE (1), the CM's Authorizations are overridden by Authorizations defined in ctm_em/ini/cm_admin.xml file.
In version 8, there is a Security category in the Authorization dialog which Controls most of the CMs actions.
In order to configure CCM in restricted mode, do the following:
1- Copy the file <EM_HOME>/ini/sample_ cm_admin.xml" to "cm_admin.xml"
2- The file can then be modified to allow/restrict the administration of connection profiles per requirements.
CMS will check if the EM user (or its groups) exists in cm_admin.xml file. If it exists CMS will apply the permissions defined. If it does not exist the EM user won't have permissions to access CM information.
Please, note only EM local users/groups are supported. In case LDAP Authentication is enabled, mapped EM groups needs to be added in <groups> section.
For example: user name test_user has authorizations to SAP,ORACLE on Control M "controlm1" agent "agent1" but not to FILE_TRANS for Control M "controlm2" on all its agents. For a list of valid values for the "<application_type>", login to the Contro-M/Agent and review the "<agent install dir>/ctm/data/CONFIG.DAT file. The CMLIST parameter on that file will list all the proper format for all the modules installed for that Control-M/Agent
3- Save and close the file
4- Turn on the "restricted_cm_admin" system parameter
5- Ensure the user has at least the following privileges:
Control-M Configuration Manager:
- Login: Full
- Configuration: Browse
- Operator: None
- Database Maintenance: Browse
- Control-M/Server Security: Browse
6- After changing "restricted_cm_admin" system parameter to "1" and updating cm_admin.xml file run the following command to refresh the changes:
em ctl -U <em_dbo> -P <password> -C CMS -all -cmdstr "REFRESH_CM_ADMIN_AUTH"
The EM user will have only privileges to add/update the CM accounts/configuration included in cm_admin.xml file
For Control-M/Enterprise Manager Server 9.0.18 and above:
In Control-M\Enterprise Manager Server 9.0.18, there have been changes in Enterprise Manager server authorizations.
This ONLY impacts LDAP authenticated users. Local EM account users are not impacted.
A CAR(Corrective Action Request) has been opened to address this in a future release of the product.
CAR00185485 - When non-admin users login with the LDAP user that belongs to EM group mapped to an LDAP group, they cannot open the connection profile management for the CM even though it should according to the cm_admin.xml
CAR00185485 has been resolved in 18.104.22.168. Supporting documentation in the following link.
If you are unable to install fix pack 200, There are two solutions to assist with this issue:
Set the parameter "restricted_cm_admin = 0" in Control-M/Enterprise Manager Server system parameters.
This can be done in Control-M Configuration Manager(CCM) interface.
Open CCM > right-click Enterprise Manager server > Enterprise Manager server system parameters.
Then enforce the "REFRESH_CM_ADMIN_AUTH" parameter.
Run the EM server utility: em ctl -U <em_dbo> -P <password> -C CMS -all -cmdstr "REFRESH_CM_ADMIN_AUTH"
Temporarily add all the users under the required group in the cm_admin.xml file like the following.
If there were 100 users in the LDAP group environment, create the LDAP group entry name and 100 users entries in the cm_admin.xml file:
*Backup the cm_admin.xml file before editing*
The following video demonstrates this solution: