10 Replies Latest reply on Aug 18, 2019 2:15 PM by Mark Francome

    Map Control-M/EM groups in Control-M/Server security.

    Chandrasekaran Venkataraman

      We are on Control-M (EM and Server) 9.0.18 in Compatibility mode with Oracle database.

      We use LDAP for Control-M/EM authentication and authorization; we have created groups for permissions (browse/update/control) and mapped them to AD groups.

      Control-M/Server is NOT in full security mode.

      What we are trying to achieve: we want to restrict ordering / forcing jobs onto the AJF when the active entities reach a certain threshold.

      In one of the community posts here (sorry, don't recall the exact one), it was suggested that we could accomplish it using the ctmsec utility from Control-M/Server for a specific user or group. However, these groups/users must be defined within Control-M/Server security.

      Questions here are...

      1) How do we map existing groups in Control-M/EM to Control-M/Server security?

      2) When Control-M/EM uses LDAP for authentication, as which user does Control-M/EM submit requests to Control-M/Server? We have these users at the moment:

      ctmnpsrv (OS user that owns Control-M/Server installation)

      bimuser

      ARCUSER

      GCSERV

      em_system_user

      DUMMYUSR

      When we tested switching off ORDER and FORCE using the ctmsec utility for the above users, there was no visible impact on LDAP/AD users ordering from the Control-M Workload Automation GUI.

      Appreciate your help and guidance!

      Thanks & Regards,

      Chandru Venkataraman

        • 1. Re: Map Control-M/EM groups in Control-M/Server security.
          Keyur Patel

          Hi,

          • You can create one user in AD and give permission to read in AD tree, configure this user EM system parameter via CCM to allow access to AD, Activate changes
          • Define LDAP name in EM system parameter in the advance section.
          • Create group in AD and add users based on user profile. i.e. AD_Group
          • Create group in EM security and add AD group in the LDAP tab. i.e. Group1

          Thanks

          2 of 2 people found this helpful
          • 2. Re: Map Control-M/EM groups in Control-M/Server security.
            Keyur Patel

            Hi

            If you are using the Run As feature and defining user\service accounts in the CCM, and if you are using the same user\service account in the Control-M job properties, then the job will run under the defined user account credentials.

            If you configure the Control-M agent service to use "log on as a service" and define a user\service account at the agent service level, then all jobs will run using the same user\service account.

            I don't think that the accounts below can be associated with any LDAP group.

            bimuser

            ARCUSER

            GCSERV

            em_system_user

            DUMMYUSR

            Hope this clarifies things further.

            Thanks

            • 3. Re: Map Control-M/EM groups in Control-M/Server security.
              Bhanu Prakash Badiginchala

              When a user orders a job his credentials & privileges are factored in to check if they have the authority to do that specific activity. So, that should explain why there was no impact when the permissions are restricted on the other accounts you mentioned.

              To restrict the users, you may need to look at the group authorizations in CCM (tabs like Active, Privileges, Folders etc):

              That could be what you need. Below is the documentation on what each setting does:

              Control-M 9.0.18.200 Control-M Documentation - Control-M - BMC Documentation

              Thanks,

              Bhanu

              • 4. Re: Map Control-M/EM groups in Control-M/Server security.
                Chandrasekaran Venkataraman

                Hi Bhanu Prakash,

                Maybe I didn't explain my requirement clearly enough...

                EM authorizations are fine. Meaning, the user gets what s/he is entitled to. All this is working fine.

                We are trying to turn off order and force access for user/s dynamically when a certain threshold is reached for the active entities. Very similar to what's described in this thread:

                How do you ensure to not exceed the limit of tasks in Control-M in a Max. Tasks Contract

                Specifically, we are interested in doing what's suggested therein by @Stephan M?ltner

                -------------------------------------------------------------

                Hi Mario,

                I've found a way without stopping and starting the Control-M/Server, because an automated stop/start of the Control-M/Server could create other problems too (what if the server does not start again, etc.).

                First, here's the summary of the issue:

                "ISS04031968

                If Full security is enabled, then any user for whom no privileges are defined is allowed to do nothing.

                If Full security is disabled, then any user for whom no privileges are defined is allowed to do everything. But if the privileges for that user ARE defined, then he is still only allowed to do what he has been allowed."

                You just need to switch off the Control-M/Server full security, then create a group (in the server security) which is allowed to order and force jobs (defined in the "Active Jobs File Authorization"). And if your AJF reaches a specified point (tested for example with: ctmpsm -LISTALL | grep "^0" | wc -l|awk ' { print $1 } ') you just need to change these two parameters of the group to N:

                  ctmsec -ACT_UPDATE <groupname> "*" "*" -FORCE N

                  ctmsec -ACT_UPDATE <groupname> "*" "*" -ORDER N

                The next day you should turn it to Y again ;-).

                If you still have some question, just write me!

                ----------------------------------------------------------------

                How do we map existing Control-M/EM security groups to Control-M/Server security users/groups?

                Thanks & Regards,

                Chandru Venkataraman
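The procedure quoted above (count the AJF with ctmpsm, then flip the group's ORDER and FORCE with ctmsec -ACT_UPDATE) written as a single cron-able script. This is an added example, not code from any poster or from BMC; it goes one step beyond the quoted post by recomputing the flag on every run, so ORDER/FORCE return to Y once the AJF drains instead of being reset by hand the next day. It assumes the group already exists in Control-M/Server security and that the server actually evaluates it (see the later replies on security mode and EM_BYPASS_CTMSEC); CTMPSM and CTMSEC are hypothetical override variables for dry runs.

```shell
#!/bin/sh
# Added example (not from the thread): throttle ORDER/FORCE for one
# Control-M/Server security group based on the AJF size, using the
# ctmpsm count and ctmsec -ACT_UPDATE commands from the quoted post.
# Assumptions: the group exists in Control-M/Server security and the
# server enforces it. CTMPSM/CTMSEC are hypothetical override hooks so
# the logic can be dry-run with a stub such as "echo".
CTMPSM="${CTMPSM:-ctmpsm}"
CTMSEC="${CTMSEC:-ctmsec}"

# Count AJF entries the same way the quoted post does.
ajf_count() {
    "$CTMPSM" -LISTALL | grep "^0" | wc -l | awk '{ print $1 }'
}

# Decide the flag from the count: N at or above the threshold, else Y.
# A non-numeric count (e.g. ctmpsm failed) is rejected rather than acted on.
order_force_flag() {
    count="$1"; threshold="$2"
    case "$count" in
        ''|*[!0-9]*) echo "order_force_flag: bad AJF count '$count'" >&2; return 1 ;;
    esac
    if [ "$count" -ge "$threshold" ]; then echo N; else echo Y; fi
}

# Set both FORCE and ORDER for the group on every folder/job ("*" "*").
set_order_force() {
    group="$1"; flag="$2"
    "$CTMSEC" -ACT_UPDATE "$group" "*" "*" -FORCE "$flag" &&
    "$CTMSEC" -ACT_UPDATE "$group" "*" "*" -ORDER "$flag"
}

# One evaluation, meant to run from cron every few minutes. Because the
# flag is recomputed each run, ORDER/FORCE go back to Y when the AJF
# drains, replacing the manual "turn it to Y again the next day" step.
# An explicit third argument (the count) is only for testing/dry runs.
enforce_ajf_policy() {
    group="$1"; threshold="$2"; count="${3:-$(ajf_count)}"
    flag="$(order_force_flag "$count" "$threshold")" || return 1
    set_order_force "$group" "$flag" || return 1
    echo "ajf=$count threshold=$threshold group=$group order_force=$flag"
}

# Cron usage (hypothetical group name):
# enforce_ajf_policy AJF_LIMITED_GROUP 900
```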

                • 5. Re: Map Control-M/EM groups in Control-M/Server security.
                  Chandrasekaran Venkataraman

                  hi Keyur,

                  When Control-M/EM is LDAP integrated, an LDAP user logs in with domain credentials and orders a job/folder. Control-M/EM performs the authorization check based on the privileges defined in Control-M/EM (CCM -> Authorizations -> Security), yes?

                  Then on the Control-M/Server side (Full security NOT enabled), as which user does this request get processed? It does NOT appear to be the domain user, nor these out-of-the-box users:

                  bimuser

                  ARCUSER

                  GCSERV

                  em_system_user

                  DUMMYUSR

                  • 6. Re: Map Control-M/EM groups in Control-M/Server security.
                    Keyur Patel

                    Hi

                    I am not fully aware of how you performed the installation for Control-M EM and Server, but I would say it is the user account you used for the base installation, for example emuser or ctmuser. Check which user you are using to connect to CtrlmDB and EmDB.

                    Thanks

                    • 7. Re: Map Control-M/EM groups in Control-M/Server security.
                      Bhanu Prakash Badiginchala

                      Got it.

                      But it doesn't look like there is a way to map EM groups to Control-M Server groups. It kind of makes sense this way:

                      When a job is ordered, we can assume that the user ID is passed to Control-M Server so that the corresponding privileges can be verified within Control-M Server. This gets complicated when EM has to send the group details as well. And what if the user ID is part of multiple EM groups? So, I assume the groups are deliberately made "unmappable".

                      However, you can map User IDs between EM & Server. Even the LDAP User IDs can be mapped by just using the LDAP User ID as the User name in . But each User ID needs to be added into Control-M Server Security.

                      Thanks

                      2 of 2 people found this helpful
                      • 8. Re: Map Control-M/EM groups in Control-M/Server security.
                        Chandrasekaran Venkataraman

                        Thanks, Bhanu!

                        "However, you can map User IDs between EM & Server. Even the LDAP User IDs can be mapped by just using the LDAP User ID as the User name in . But each User ID needs to be added into Control-M Server Security."

                        Can you please guide me on this part?

                        I added a new user with same name as my domain (AD) user name and disabled all privileges under ctmsec -> Active Jobs File Authorization.

                        When I logged in to the GUI and ordered a sub-application, it was successful. I could do pretty much all actions (hold, free, kill, etc.) as well.

                        To me it seems Control-M/Server simply disregards its security and goes by whatever EM authorizes.

                        • 9. Re: Map Control-M/EM groups in Control-M/Server security.
                          Bhanu Prakash Badiginchala

                          How did you add to the Control-M Server security?

                          DOMAIN\USER_ID or just USER_ID?

                          I added just USER_ID.

                          And the screenshot you added shows AJF authorizations. What about Folder authorizations? Did you restrict there?

                          1 of 1 people found this helpful
                          • 10. Re: Map Control-M/EM groups in Control-M/Server security.
                            Mark Francome

                            You said in your first post that Control-M Server security is not switched on, therefore the definition in your screenshot is ignored.

                            Also note that having the EM_BYPASS_CTMSEC set to Y will cause Control-M Server security to be ignored (i.e. everything will be done on the EM side).