Yes, it is not a simple issue. I will summarise my understanding; others may have different ideas.
The Control-M Server security is switched on via the main menu and updated via the ctmsec utility. Way back, the Control-M Server was developed and the initial EM Server was a separate product. This is why there is some duplication in the admin tasks, security being the main example. This was always seen as a pain, especially when you consider that the concept of groups did not exist in earlier versions.
I have worked at several sites where security is a huge concern (especially for Unix systems where the Control-M Agent operates as root). Fortunately, these sites don't tend to be very dynamic in terms of adding/deleting users and therefore you can (with the help of groups, LDAP and a naming convention that aids wild-carding) actually maintain both CM Server security and EM Server security as separate and distinct creatures. I actually like doing it this way and tend to use the CM Server security for controlling what users can do and leaving what they can see to the EM Server security.
I think EM_BYPASS_CTMSEC was added with version 8 (or so) to basically switch off the security checking done on the Control-M Server side and remove the overhead of having 2 security setups.
If you do have secure = Y on the Control-M Server then there are a couple of user IDs that need to be in the table (these are added for you), but if you use EM_BYPASS_CTMSEC that checking is bypassed anyway. Controlling local file access (under the Agent) is usually done via other parameters.
Alternatively, you could add * * access to all groups in the ctmsec tables, have secure = Y on the Control-M Server and not use the BYPASS - which would effectively do the same. The wild-cards are handy, use * to represent anything (including nothing) or $ in place of any one character within the ctmsec system.
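As an added illustration of the wildcard rules described in the post above (this is example code written for this edit, not code from the original post or from the Control-M product; it assumes `*` and `$` are the only metacharacters, that an entry must match the whole name, and that matching is case-sensitive; the entry and user names are constructed), a small Python matcher that previews which users a ctmsec-style entry would cover and flags users that fall under more than one entry, so the overlap can be checked before relying on it:

```python
import re

# Wildcard semantics as described in the post (assumptions for this example):
#   *  matches any run of characters, including the empty string
#   $  matches exactly one character
# Everything else is taken literally and the whole name must match.


def ctmsec_entry_to_regex(entry: str) -> re.Pattern:
    """Translate one wildcard entry into a compiled regex (case-sensitive)."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "$":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def matches(entry: str, name: str) -> bool:
    """True if the wildcard entry covers the whole of `name`."""
    return ctmsec_entry_to_regex(entry).fullmatch(name) is not None


def coverage(entries, names):
    """Map each name to the list of entries that cover it (in table order)."""
    return {name: [e for e in entries if matches(e, name)] for name in names}


def uncovered(entries, names):
    """Names that no entry covers: these users would get no access at all."""
    return [n for n, hits in coverage(entries, names).items() if not hits]


def multiply_matched(entries, names):
    """Names covered by more than one entry; the product decides which
    entry wins, so these are the ones to verify by hand after a change."""
    return [n for n, hits in coverage(entries, names).items() if len(hits) > 1]


# Constructed sample table and user list (hypothetical names, not from the post).
SAMPLE_ENTRIES = ["ctmagent*", "app$$_batch", "*"]
SAMPLE_USERS = ["ctmagent", "ctmagent01", "app01_batch", "app1_batch", "dba_admin"]

if __name__ == "__main__":
    for user, hits in coverage(SAMPLE_ENTRIES, SAMPLE_USERS).items():
        print(f"{user:12s} <- {hits}")
    print("uncovered:", uncovered(SAMPLE_ENTRIES, SAMPLE_USERS))
    print("multiply matched:", multiply_matched(SAMPLE_ENTRIES, SAMPLE_USERS))
```

Running it against a list exported from your own user directory shows at a glance whether a `*` catch-all row will shadow or double up the more specific rows, which is exactly the situation the thread goes on to discuss.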
You have given me multiple options for trying to complete my goal: ** while doing the migration of users, and ultimately EM_BYPASS_CTMSEC once all users/groups have been properly configured on the EM.
Folder Definition Check-in, Job Output, and Job Log seem to be the 3 main things we need blocked by the CM.
Using the * username on the CM and adding Authorized AJF ** Log, Output works for moving management of these permissions to the EM while maintaining the same level of security for folder definitions and anything else that might update the CM.
This seems to be a more surgical approach.
I double-checked, and the * user is not additive; for some reason this user is grouped with user ctmagent*, which might be another workaround/quirk of some sort.
Afterwards it seems like we will need to copy individual user permissions into the EM, matching the following:
Folder, Authorized AJF <-> Active, and Entities
Log <-> ??? still looking into this one ???
Thanks again for the help.