Schedule Table Access Levels.

Everything about Control-M Enterprise Manager Server installation or setup.

Post by BreakFix » 19 Dec 2011 11:03

Hi,

I need to create some specific permissions. That is to allow users to browse the schedule tables and widely admin the jobs in the AJF including Order in Jobs. BUT we must revoke the ability to Upload new job definitions into the tables or add new scheduling tables.

Basically separate the support admin and the development.

I'm reading the CTM User Guide 6.4.01. On page 63, it describes the access I wish to provide in table 19:
Browse: Viewing scheduling tables in CONTROL-M/Desktop. Default: Cannot order or force jobs. Can be modified to allow ordering and forcing jobs.
Any idea what the modification might be?

Thanks in advance.
/BreakFix


Post by fafa1975 » 20 Dec 2011 10:49

Hi,
You can set permissions in the Authorization form.
You find it in Control/M Desktop or Control/M EM GUI under Tools menu.
You can create users/groups and assign permissions to them.
The quote from the CTM User Guide is to be set in the "Scheduling tables" detail tab.
This is the path:
Tools --> Authorizations --> [select a user or group] --> Scheduling tables tab --> [Select or add a scheduling table] --> Set access level value.

Regards,
Fabrizio


Post by BreakFix » 20 Dec 2011 11:37

Thank you Fabrizio,

I am familiar with the basic security framework; we're currently using Browser/Update/Control access groups. What I want to establish is something between Browse and Update access for the Scheduling Tables.

Browse is basically read-only and Update is very permissive.
For example, changes / uploads to the scheduling tables must be revoked for the support teams, but they might need to order in jobs from the tables.

The details in the documentation suggest the Browse group can be modified to allow ordering / forcing but then don't go on to say how.

Bit of a tougher question.
/BreakFix


Post by fafa1975 » 20 Dec 2011 4:11

Maybe you can check the Owner tab.
If it is empty, the user can read from Control/M with Desktop, but cannot write to EM. He can upload, but Control/M Server rejects the request because the scheduling table is up to date.
So the support user can order jobs (Jobs tab and scheduling table tab), but he cannot modify the job definition.

You can check differences between BrowseGroup and UpdateGroup.
Maybe SupportGroup could be a copy of BrowseGroup with Update Access Level for Scheduling tables and all checked flags in Jobs tab.

Fabrizio


Post by nicolas_mulot » 20 Dec 2011 5:40

BreakFix,

You can restrict access to table(s) at the target level, i.e. on the CTM/Server database rather than on the source, i.e. from the EM environment.

The standard utility ctmsec is designed for this.
To address your need, I would recommend restricting specific rights rather than opening generally restricted rights. In other words, do NOT use FULLSECURITY Y in the ctm_menu. This restricts all rights, and you then have to open rights, which is really a nightmare to manage.

The following sequence will allow user emuser to download and order all tables and will prevent this user from deleting or updating (as a result of a TABLE_UPLOAD):

ctmsec -SCHED_UPDATE emuser * -DELETE N -READ Y -ORDER Y -UPDATE N

In that case, emuser is a traditional EM user. To prevent users from directly writing (or deleting) tables, you should give the same kind of authorisations to OS users (e.g. Administrator or any other) to prevent them from creating tables with ctmdefine.

Note that the user name has to be defined in the CTM/Server security environment before giving him authorisation.
A general review of Control-M security is recommended before coding anything related to security at the server level.

Cheers
Nicolas Mulot
