2 Replies Latest reply on Oct 9, 2019 8:52 AM by Josh Andersen

    What's the difference in EM_BYPASS_CTMSEC VS SECURE and which one should I use with LDAP

    Josh Andersen

      I'm attempting to secure our CM & EM with only the EM user/group management in conjunction with LDAP Roles.

      There seem to be two security options which prevent central user management.

      EM_BYPASS_CTMSEC VS SECURE

      Control-M 9.0.18.200 Control-M Documentation - Control-M - BMC Documentation

      What is the difference between the two?

      I'm leaning towards EM_BYPASS_CTMSEC Y and leaving SECURE Y as well, but the documentation doesn't seem to fully disclose the impact or which should be used and why.

      Does SECURE Y require that the user exist in the CM and have the correct permissions to modify jobs?

      Is this more about local system security, like a user that has access to the CM file system?

      Does EM_BYPASS_CTMSEC allow only the EM to bypass/manage security while maintaining some local security on the CM?

      Connect with Control-M: EM Authorizations - didn't seem to talk about SECURE

      https://www.youtube.com/watch?v=189KGouYudU&feature=youtu.be&list=PLu3XvW2Tbj731gkQtyplYJT2EKpbsccxV

        • 1. Re: What's the difference in EM_BYPASS_CTMSEC VS SECURE and which one should I use with LDAP
          Mark Francome

          Yes, it is not a simple issue. I will summarise my understanding, others may have different ideas.

          The Control-M Server security is switched on via the main menu and updated via the ctmsec utility. Way back, the Control-M Server was developed and the initial EM Server was a separate product. This is why there is some duplication in the admin tasks, security being the main example. This was always seen as a pain, especially when you consider that the concept of groups did not exist in earlier versions.

          I have worked at several sites where security is a huge concern (especially for Unix systems where the Control-M Agent operates as root). Fortunately, these sites don't tend to be very dynamic in terms of adding/deleting users and therefore you can (with the help of groups, LDAP and a naming convention that aids wild-carding) actually maintain both CM Server security and EM Server security as separate and distinct creatures. I actually like doing it this way and tend to use the CM Server security for controlling what users can do and leaving what they can see to the EM Server security.

          I think EM_BYPASS_CTMSEC was added with version 8 (or so) to basically switch off the security checking done on the Control-M Server side and remove the overhead of having 2 security setups.

          If you do have secure = Y on the Control-M Server then there are a couple of userids that need to be in the table (these are added for you) but if you use EM_BYPASS_CTMSEC that checking is bypassed anyway. Controlling local file access (under the Agent) is usually done via other parameters.

          Alternatively, you could add * * access to all groups in the ctmsec tables, have secure = Y on the Control-M Server and not use the BYPASS - which would effectively do the same. The wild-cards are handy, use * to represent anything (including nothing) or $ in place of any one character within the ctmsec system.

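An added example, not code from the thread or from BMC, that models the two points in the reply above: how the ctmsec wildcards resolve ('*' matches anything including nothing, '$' matches exactly one character) and how EM_BYPASS_CTMSEC=Y removes the server-side check entirely, which is why a "* *" grant and the bypass end up equivalent. The table shape, the action names, the first-match rule and every user/folder name are assumptions made for the illustration.

```python
import re

# Translate a ctmsec-style wildcard pattern into an anchored regex, using the
# rules given in the reply: '*' matches any run of characters (including none)
# and '$' matches exactly one character; anything else is literal.
def ctmsec_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "$":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))

def matches(pattern: str, value: str) -> bool:
    """True when the whole value matches the wildcard pattern."""
    return ctmsec_pattern_to_regex(pattern).fullmatch(value) is not None

ALL_ACTIONS = frozenset({"view", "hold", "rerun", "log", "output"})  # hypothetical names

# Constructed sample entries in a simplified, hypothetical shape:
# (user pattern, folder pattern, allowed actions). The real ctmsec table has
# more columns; this is only enough to show how the wildcards resolve.
SAMPLE_TABLE = [
    ("ops_$$", "PROD_*", {"view", "hold", "rerun"}),
    ("ctmagent*", "*", {"view", "log", "output"}),
    ("*", "*", {"view"}),
]

def effective_actions(table, user: str, folder: str, bypass_ctmsec: bool = False) -> set:
    """Server-side decision for (user, folder); bypass_ctmsec=True models
    EM_BYPASS_CTMSEC=Y from the reply (check skipped, the EM is the only gate).
    Otherwise the first entry matching both patterns wins (an assumption,
    consistent with the later note that the '*' user is not additive)."""
    if bypass_ctmsec:
        return set(ALL_ACTIONS)
    for user_pat, folder_pat, actions in table:
        if matches(user_pat, user) and matches(folder_pat, folder):
            return set(actions)
    return set()

def wildcard_only_entries(table) -> list:
    """Audit helper: entries that grant rights to every user on every folder."""
    return [entry for entry in table if entry[0] == "*" and entry[1] == "*"]
```

Running `wildcard_only_entries` over a real export is the quick way to see whether a "* *" row has already made the server-side check a formality before deciding on the bypass.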
          • 2. Re: What's the difference in EM_BYPASS_CTMSEC VS SECURE and which one should I use with LDAP
            Josh Andersen

            Thank you,

            You have given me multiple options in trying to complete my goal. ** while doing migration of users and ultimately EM_BYPASS_CTMSEC once all users/groups have been properly configured on the EM.

            Folder Definition Check-in, Job Output, and Job Log seem to be the 3 main things we need blocked by the CM.

            Using the * username on the CM and adding Authorized AJF ** Log, Output works for moving management of these permissions to the EM while maintaining the same level of security for folder definitions and anything else that might update the CM.

            This seems to be a more surgical approach.

            I double checked and the * user is not additive and for some reason this user is grouped with user ctmagent* which might be another workaround/quirk of some sort.

            Afterwards it seems like we will need to copy individual user permissions into the EM, matching the following:

            Folder, Authorized AJF <-> Active, and Entities:
            Calendar,
            Prerequisite Condition,
            Log <-> ??? still looking into this one ???,
            Control Resource,
            Quantitative Resource

            Thanks again for the help.