ICH408I WEBVWR.ADMIN CL(CHA1VIEW) INSUFFICIENT ACCESS AUTHORITY Web Viewer 14.0

Article ID: 143295

Products

Deliver View Output Management Web Viewer

Issue/Introduction

We see that when a non-admin user logs on to Web Viewer we get the following in the syslog:

ICH408I USER(...) GROUP(...) NAME(...)
  WEBVWR.ADMIN CL(CHA1VIEW)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

As far as I can see, the ICH408I is not indicating a violation as such, as the RACROUTE is just checking the level of authority that the user should be given. Therefore, is there any way this message may be suppressed?

Environment

Release : 14.0

Component : WEB VIEWER

Resolution

The messages are a result of the security check to see if the user is an administrator. As you would expect, for non-admin users that check fails. There is no means of suppressing the message.

Note: SO14733 reduces the number of messages. Before this solution, Web Viewer made a CHA1VIEW WEBVWR.ADMIN security call every time a regular user requested a repository list or report list, as well as at login. The solution removed the calls made each time a regular user requests a repository list or report list.

Additional Information

When a user logs into Web Viewer r14, a security check is made to determine whether the user has READ access to WEBVWR.ADMIN. If the user has access, they are considered an admin and the UI includes the gear in the menu to provide access to the admin functions.

The check is done during login and is saved for the user’s session.  However, if the user does another login (from another machine/browser or because the user logged off or got timed out) then another check is made.

The message cannot be suppressed because:

  • Web Viewer r14 uses an IBM service to make the security check and does not make the RACROUTE call directly.
  • Even if the RACROUTE call were made directly, LOG=NONE would not apply, because it requires the address space to be APF authorized. Web Viewer r14 runs on a web application server such as Tomcat, which runs non-APF authorized.
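
Since the message cannot be suppressed at the source, a monitoring job can instead separate the expected login-time admin check from other ICH408I records. The following Python sketch is an added example, not code from the product or the vendor; it assumes the syslog has been exported as plain text in the layout shown above, and the user IDs, groups, names and the EXAMPLE.RESOURCE record are constructed.

```python
import re
from collections import Counter

# Constructed sample in the article's layout; IDs, names and EXAMPLE.RESOURCE are made up.
SAMPLE_SYSLOG = """\
ICH408I USER(USRA01  ) GROUP(REPORTS ) NAME(EXAMPLE USER A      )
  WEBVWR.ADMIN CL(CHA1VIEW)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(USRB02  ) GROUP(REPORTS ) NAME(EXAMPLE USER B      )
  EXAMPLE.RESOURCE CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
ICH408I USER(USRA01  ) GROUP(REPORTS ) NAME(EXAMPLE USER A      )
  WEBVWR.ADMIN CL(CHA1VIEW)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

RECORD = re.compile(
    r"ICH408I\s+USER\((?P<user>[^)]*)\).*?"
    r"(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\).*?"
    r"ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)",
    re.DOTALL)

def parse_ich408i(text):
    """Yield one dict per ICH408I record, with blank-padded fields stripped."""
    for chunk in re.split(r"(?=ICH408I)", text):  # one chunk per message
        m = RECORD.search(chunk)
        if m:
            yield {k: v.strip() for k, v in m.groupdict().items()}

def is_admin_probe(rec):
    """True for the Web Viewer admin check: READ on WEBVWR.ADMIN, nothing allowed."""
    return (rec["resource"] == "WEBVWR.ADMIN" and rec["cls"] == "CHA1VIEW"
            and rec["intent"] == "READ" and rec["allowed"] == "NONE")

def triage(text):
    """Return (admin-probe count per user, all other records for review)."""
    probes, review = Counter(), []
    for rec in parse_ich408i(text):
        if is_admin_probe(rec):
            probes[rec["user"]] += 1
        else:
            review.append(rec)
    return probes, review

if __name__ == "__main__":
    print(triage(SAMPLE_SYSLOG))
```

Counting the admin checks per user instead of discarding them keeps the record visible while leaving only the remaining ICH408I messages for review.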