Controlling access to Web User Interface resources

You can use your external security manager (ESM) to control user access to views, menus, editors, and help information, and to control the import and export of views, menus, maps, user groups, and user objects that use COVC.

The navigation frame is exempt from security checks. In order to control user access, you need to create the appropriate profiles in the FACILITY class. The following ESM FACILITY profiles are available:
  • EYUWUI.wui_server_applid.VIEW.viewsetname -- used to protect view sets.
  • EYUWUI.wui_server_applid.MENU.menuname -- used to protect menus.
  • EYUWUI.wui_server_applid.MAP.mapname -- used to protect maps.
  • EYUWUI.wui_server_applid.HELP.helpmembername -- used to protect help pages.
  • EYUWUI.wui_server_applid.EDITOR -- used to protect the View Editor.
  • EYUWUI.wui_server_applid.USER -- used to protect the User Editor and user and user group objects.

where wui_server_applid is the CICS® APPLID of the server.

Users can be given read or update access to WUI resources:
  • Read -- to use the views, menus, maps and Help information in the main interface, or to export views, menus, maps, user groups, or user objects that use COVC.
  • Update -- to access the editors and create, update, or remove items that use them, or to import views, menus, maps, user groups, or user objects that use COVC.

To support AUTOIMPORT functions, the user ID that runs the COVG transaction must also be given update access to these FACILITY profiles. This is either the region user ID, or the PLTPIUSR value if a PLTPI table is in use.

If the ESM that you are using neither grants nor refuses access to a profile (for example, if no RACF® profile is defined), all users who are successfully signed on to the Web User Interface have access to the resources. You can make "not authorized" the default by setting up a generic profile.
Note: This security is designed to protect the views and menus themselves and not the objects they manage, which is covered by normal CICSPlex® SM security.
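
As an added example (not part of the original documentation), the following REXX exec issues RACF commands that make "not authorized" the default for one WUI server and then grant read and update access explicitly. The APPLID WUIAPPL1, the groups WUIUSERS and WUIADMIN, and the COVG user ID CICSWUI are assumed names; the example also assumes that RACF is the ESM and that the FACILITY class is RACLISTed with generic profiles active.

```rexx
/* REXX: added example, not IBM-supplied. Assumed names:              */
/*   WUIAPPL1 = WUI server APPLID, WUIUSERS / WUIADMIN = RACF groups, */
/*   CICSWUI  = user ID that runs COVG (region user ID or PLTPIUSR).  */
address tso

/* Catch-all generic profile: anything not covered by a more specific */
/* profile is refused instead of being open to every signed-on user.  */
"RDEFINE FACILITY EYUWUI.WUIAPPL1.** UACC(NONE)"

/* View sets, menus, maps, help: READ to use or export, UPDATE to     */
/* create, change, remove or import. RACF checks only the most        */
/* specific matching profile, so each one carries a full access list. */
types = "VIEW MENU MAP HELP"
do i = 1 to words(types)
  prof = "EYUWUI.WUIAPPL1." || word(types, i) || ".**"
  "RDEFINE FACILITY" prof "UACC(NONE)"
  "PERMIT" prof "CLASS(FACILITY) ID(WUIUSERS) ACCESS(READ)"
  "PERMIT" prof "CLASS(FACILITY) ID(WUIADMIN) ACCESS(UPDATE)"
  /* COVG user ID needs UPDATE so that AUTOIMPORT can import objects. */
  "PERMIT" prof "CLASS(FACILITY) ID(CICSWUI) ACCESS(UPDATE)"
end

/* View Editor and User Editor: administrators only, plus the COVG    */
/* user ID for AUTOIMPORT. Ordinary users get no access at all.       */
editors = "EDITOR USER"
do i = 1 to words(editors)
  prof = "EYUWUI.WUIAPPL1." || word(editors, i)
  "RDEFINE FACILITY" prof "UACC(NONE)"
  "PERMIT" prof "CLASS(FACILITY) ID(WUIADMIN) ACCESS(UPDATE)"
  "PERMIT" prof "CLASS(FACILITY) ID(CICSWUI) ACCESS(UPDATE)"
end

/* Make the new profiles effective (FACILITY assumed RACLISTed).      */
"SETROPTS RACLIST(FACILITY) REFRESH"
```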

When selecting a view set, map or menu to edit or delete within the View Editor, only items for which you have update access are listed. However, when selecting an item to copy, all items for which you have read access are shown. This allows you to copy any object for which you have read-only access to a private copy in your updateable namespace.

When browsing for views that are accessible, no security exceptions are logged. Users are presented with a list that has been filtered to remove the views that are not accessible. However, when a user attempts an unauthorized action, for example, creating a view in a denied namespace, the EYULOG security exception message EYUVS1100E is issued.