Running your Web User Interface server with security active
If the Web User Interface server is running with the CICS® system initialization parameter SEC set to YES, you can control who can access the Web User Interface, what resources they can see, what actions they can perform, and the use of the view editor.
If you have already set up CICSPlex® SM security for use with the CICSPlex SM API, users have the same level of access with the Web User Interface as they do with the API.
When you attempt to connect to a Web User Interface server, the CICSPlex SM Web User Interface Signon Panel is displayed. The user ID and password entered in this panel are passed to the Web User Interface server and then verified by the external security manager. Unless you are using SSL support, they are sent in plain text over the TCP/IP connection. If the external security manager supports mixed case passwords, and this feature is active, an icon is displayed next to the password field when you sign on.
All users who are successfully signed on to the Web User Interface have access to all of the customizable view and menu help pages, if the customizable view and menu help is served by the Web User Interface.
If security is active, messages produced by auditing system programming interface commands contain the user ID used to log on to the WUI. See SPI commands that can be audited.
To control who is allowed to sign on to the Web User Interface server, you can protect the Web User Interface CICS application ID by using RACF® APPL checking. See RACF classes for protecting system resources.
Access to managed resources uses standard CICSPlex SM security using profiles in the CPSMOBJ class. For example, to see a CICS region view, the Web User Interface user needs READ authority through the CPSMOBJ class profile OPERATE.REGION.context.scope.
Access to CICS resources, and actions on resources in a view, use the simulated CICS security checking of CICSPlex SM, which uses the normal CICS RACF resource and command security profiles. For example, to issue the shutdown action against a CICS region, if command security is active in the target CICS region, the Web User Interface user would need UPDATE authority to the SHUTDOWN command in the CCICSCMD class.
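The three checks described above (APPL sign-on, CPSMOBJ view access, CCICSCMD command access) can be set up with RACF TSO commands, as in the following added example, which is not part of the original documentation. The applid WUIAPPL1, the groups WUIUSERS and WUIOPERS, the context PLEX01 and the scope AOR1 are hypothetical names. The example assumes that the APPL, CPSMOBJ and CCICSCMD classes are already active and RACLISTed, and that the target region uses no SECPRFX prefix on its profile names.

```racf
 /* Constructed example: WUIAPPL1, WUIUSERS, WUIOPERS, PLEX01 and AOR1  */
 /* are hypothetical. Substitute your own applid, groups, context and   */
 /* scope. Assumes the classes are active and RACLISTed, no SECPRFX.    */

 /* 1. Sign-on: only members of WUIUSERS may sign on to the WUI applid. */
 RDEFINE APPL WUIAPPL1 UACC(NONE)
 PERMIT WUIAPPL1 CLASS(APPL) ID(WUIUSERS) ACCESS(READ)
 SETROPTS RACLIST(APPL) REFRESH

 /* 2. Views: READ on OPERATE.REGION.context.scope lets WUIUSERS see    */
 /*    the CICS region view for context PLEX01, scope AOR1.             */
 RDEFINE CPSMOBJ OPERATE.REGION.PLEX01.AOR1 UACC(NONE)
 PERMIT OPERATE.REGION.PLEX01.AOR1 CLASS(CPSMOBJ) ID(WUIUSERS) ACCESS(READ)
 SETROPTS RACLIST(CPSMOBJ) REFRESH

 /* 3. Actions: with command security active in the target region,      */
 /*    UPDATE on SHUTDOWN in CCICSCMD is needed for the shutdown        */
 /*    action. Only the smaller WUIOPERS group receives it.             */
 RDEFINE CCICSCMD SHUTDOWN UACC(NONE)
 PERMIT SHUTDOWN CLASS(CCICSCMD) ID(WUIOPERS) ACCESS(UPDATE)
 SETROPTS RACLIST(CCICSCMD) REFRESH

 /* 4. Check: list each profile with its access list to confirm that    */
 /*    UACC is NONE and only the intended groups appear.                */
 RLIST APPL WUIAPPL1 AUTHUSER
 RLIST CPSMOBJ OPERATE.REGION.PLEX01.AOR1 AUTHUSER
 RLIST CCICSCMD SHUTDOWN AUTHUSER
```

Defining each profile with UACC(NONE) means that a user who is not in a permitted group fails the corresponding check, so sign-on, view access and the shutdown action are each granted separately.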