7 Replies Latest reply on Apr 14, 2016 1:00 AM by Zach Warren

    How to secure Folders without Server security

    Paul Robins

      Hi everyone,

      I have a question. I suspect I know the answer, which is 'you can't', but humour me.


      I want to restrict users to only being able to order jobs with a specified 'Run As' value. Which would be fine if we had Control-M/Server Security turned on, but we don't because Control-M Server Security doesn't integrate with LDAP and we want our User Admin team to be able to administer our users using AD groups and without having to learn an entirely new GUI.


      So my question is, can anyone think of a way to restrict job ordering based on the 'Run As' value without reactivating Control-M/Server security, or a way to configure Control-M/Server security so that we don't have to go back to being full time user administrators?!


      I wonder if there are any plans to provide complete LDAP integration in the near future....




        • 1. Re: How to secure Folders without Server security
          Mark Francome

          Hi Paul,


          Would the EM security be good enough? That is LDAP connectable and you can tie the group to specific "Run As" values (and specific nodes) with the usual wildcarding options. Furthermore, in version 8 I think I am right in remembering that BMC added an option where you could tell the security settings to copy the EM security setting and apply them to the Control-M server, or possibly the other way round. This is to stop the duplication of effort required when defining security settings. I cannot find that option in my notes but I think it was mentioned in one of the early v8 release notes. Now if it is EM security definitions being applied to the Control-M Server then maybe that could assist in this scenario.





          • 2. Re: How to secure Folders without Server security
            Mark Francome

            The option I was thinking of is EM_BYPASS_CTMSEC which will cause the Control-M Server to ignore EM security requests, which is maybe what you don't want -


            Trending in Support: Control-M/Server 8.0 Enhancements in Fix Pack 2


            However the EM Authorizations Webinar has lots about using EM Security -


            Connect with Control-M: EM Authorizations - YouTube

            • 3. Re: How to secure Folders without Server security
              Paul Robins

              Thanks very much Mark. I do recall this setting now that you mention it and although it won't address this specific issue it will close a gap that has concerned me. Cheers for that.

              • 4. Re: How to secure Folders without Server security
                Paul Robins

                OK, this is where I've got to with the help of BMC's TSAs.

                - I can secure the AJF using the 'Active' tab filter. I had an issue with the default filter in the user record complementing the restriction in the Group definition and providing general job access.

                - I can secure the folder using the 'Run As Users' and 'Folders' tabs. 'Run As Users' restriction prevents users from creating jobs with a Run As value that they are not permitted to.


                However, at this point none of this restricts a user from ordering a job that they should not be able to based on the above Run As restrictions. So even though they can't create the job, or see the job on the AJF, if someone else (e.g. admin) creates a job in a folder with another Run As value, the restricted user can order it.

                • 5. Re: How to secure Folders without Server security
                  Mark Francome

                  I have tried setting an Agent to "Run As Users" but the fact that you can only run as those listed users/passwords and nothing outside of that kind of restricts things too much.

                  • 6. Re: How to secure Folders without Server security
                    Paul Robins

                    I just wish BMC would change the Run As field back to Owner. It was so much easier to find in documentation and knowledge bases!

                    • 7. Re: How to secure Folders without Server security
                      Zach Warren

                      Hey Paul, put 'em in Self Service and turn off their ability to log on to the WLA GUI (with fixpack 8 on v8). If they can't get to the GUI, then they can't hit the 'Order' button to choose jobs they shouldn't run.


                      Otherwise, I've got a 50% solution for you to play around with. I say 50% because a user will still be able to order a job, BUT we can kill the job before execution and immediately send an email (or alert) of the violation. I have tested and verified in my environment.


                      My test is on a UNIX Agent (because I like them the best)


                      Command line : ls -l

                      Owner : ctmag

                      Pre-execution command (the key here): if [[ %%OWNER = "ctmag" ]]; then ctmkilljob -ORDERID %%ORDERID; sleep 5; fi


                      Your pre-cmd is going to check the Run As user of the job and if it equals something you don't want people to be able to order, then basically it kills the job right away. You need the sleep in there to give it time to perform the kill. I found a sleep of 2 was minimum at my site.


                      Set the job to email or send a very urgent alert when "Job was killed." is found in the sysout. Go big and create a shout destination script that would perform the p_36 command on the OrderID and in turn delete the job from the AJF and reset_ecs --- getting the job out of the system altogether.


                      That if statement is in KSH but the logic will work for other shells and could also be translated for Windows.


                      Not really knowing the scale or exact details of your requirement, I hope this solution will help or at least get some gears turning on something creative.



                      - Zach

                      2 of 2 people found this helpful
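
The pre-execution check from reply 7, generalised from one hard-coded account to a list of restricted Run As accounts, as an added example that is not part of the thread or of BMC's tooling. The script name `runas_guard.sh` and the variables `RESTRICTED_RUNAS`, `KILL_CMD` and `KILL_WAIT` are assumptions made for this sketch; `ctmkilljob -ORDERID`, `%%OWNER` and `%%ORDERID` are taken from the post.

```shell
#!/bin/sh
# Added example: pre-execution Run As guard (hypothetical script name).
# Assumed invocation from the job's pre-execution command, with Control-M
# resolving the variables before the shell sees them:
#   runas_guard.sh %%OWNER %%ORDERID

RESTRICTED_RUNAS="${RESTRICTED_RUNAS:-ctmag root}"  # constructed sample list
KILL_CMD="${KILL_CMD:-ctmkilljob}"                  # replace for a dry run

# is_restricted RUNAS -> status 0 if RUNAS is on the restricted list
is_restricted() {
    for _u in $RESTRICTED_RUNAS; do
        [ "$1" = "$_u" ] && return 0
    done
    return 1
}

# guard RUNAS ORDERID -> 0 allowed, 1 kill requested, 2 unusable input
guard() {
    _runas=$1 _orderid=$2
    # An empty or unresolved variable is reported, never treated as allowed.
    case "$_runas" in ''|%%*) return 2 ;; esac
    # Assumption: order IDs are plain alphanumerics; pass nothing else on.
    case "$_orderid" in ''|*[!A-Za-z0-9]*) return 2 ;; esac
    is_restricted "$_runas" || return 0
    # Marker line an alert rule can match alongside "Job was killed."
    echo "RUNAS_VIOLATION runas=$_runas orderid=$_orderid" >&2
    "$KILL_CMD" -ORDERID "$_orderid"
    sleep "${KILL_WAIT:-5}"   # gives the kill time to land, as in the post
    return 1
}

# Run only when called with arguments, so the file can also be sourced.
if [ $# -ge 2 ]; then guard "$1" "$2"; fi
```

As in the original one-liner, this only stops the job after it has been ordered; it does not prevent the order itself.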