This article gives a high-level architectural flow of how the WebUI or WCC ECLI (Enterprise Command Line) works.
WCC's ECLI works roughly like this:
WCC and Autosys must use the same EEM configuration (ECLI does not work if Autosys is using Native security).
1) WCC -> Configuration -> Autosys server definition -> There is a monitor ID
2) In EEM -> WorkloadAutomationAE application, this monitor ID should have an application group membership with name: WorkloadAutomationAEWebService. This is the account that WCC uses to connect to the Autosys Web Server
3) The AutosysWebServer process runs the command $AUTOSYS/bin/AutosysCommandWrapper (this module should exist under root ownership with sticky bit set on it. That's how it is able to authorize any users running commands). The list of allowed commands is in $AUTOSYS/config/AutoSysCommandFilters.txt
4) Then, on top of that:
The logged-in WCC user OR a defined Credential User should exist as a valid operating system user on the AEWS host where the command will be run
Some customers just create a shared account and define that as a Global Credential in WCC (_GLOBAL_:user123 for example). This will be shared by any WCC user to run ECLI, JIL uploads, etc.
5) When a WCC user now tries to run an ECLI command:
   1) The monitor ID is validated in EEM for permissions in the WorkloadAutomationAE application and for membership of WorkloadAutomationAEWebService. If validation fails, Error 403 is normally seen.
   2) If the above is successful, the credentials of the currently logged-in WCC user OR of a defined Credential user are passed to the AEWS URL using a SAML token
   3) The AEWS server filters the command against AutoSysCommandFilters.txt and runs the command using the SAML token passed
   4) AutosysCommandWrapper uses that token to validate the credential passed, to make sure it is a valid OS user on the AEWS host
   5) It runs the command and passes the output back to WCC.
So basically, to allow users to run ECLI commands, ensure that the credential user defined in WCC, or the logged-in WCC user, has an account on the Autosys Web Server operating system and is able to run the same commands on that operating system.
On a high level:
1) The monitor ID has to be a member of the EEM application group,
AND
2) {
   Either every logged-in WCC user should exist on the operating system of the AEWS host
   OR
   A shared credential should be created as a _GLOBAL_ credential, and it has to exist as an operating system user on the AEWS host. All logged-in WCC users would be able to share it to run commands on the AEWS host
   }
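Added example (not part of the original article or the product): a pre-flight script for the AEWS host that checks the host-side prerequisites above, namely the wrapper's owner and special permission bit, the command filter list, and that the credential user resolves as an OS account. It assumes GNU stat; the function names are illustrative, the group/other-writable test on the filter list is an added hardening check, and the special bit is reported as a digit (4=setuid, 2=setgid, 1=sticky) rather than assumed.

```shell
#!/bin/sh
# Added example: host-side ECLI prerequisite checks. Assumes GNU stat (Linux).
# Usage (assumption): run with AUTOSYS set and the OS user name as $1.

# Print the special-permission digit of FILE (4=setuid, 2=setgid, 1=sticky, summed).
special_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    echo $(( (0$mode >> 9) & 7 ))
}

# Wrapper must exist, be owned by OWNER (default root) and carry a special bit.
check_wrapper() {
    f=$1; want=${2:-root}
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    owner=$(stat -c '%U' "$f")
    [ "$owner" = "$want" ] || { echo "FAIL: $f owned by $owner, expected $want"; return 1; }
    bits=$(special_bits "$f")
    [ "$bits" -ne 0 ] || { echo "FAIL: $f has no special permission bit"; return 1; }
    echo "OK: $f owner=$owner special=$bits"
}

# Filter list must exist and be non-empty; as an added hardening check it must
# also not be writable by group or others, since it decides what may run.
check_filters() {
    f=$1
    [ -s "$f" ] || { echo "FAIL: $f missing or empty"; return 1; }
    mode=$(stat -c '%a' "$f")
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "FAIL: $f writable by group/other (mode $mode)"; return 1; }
    echo "OK: $f mode=$mode"
}

# The logged-in WCC user or the credential user must be an OS account on this host.
check_os_user() {
    id -u "$1" >/dev/null 2>&1 || { echo "FAIL: no OS user $1"; return 1; }
    echo "OK: OS user $1 exists"
}

# Run all three checks when AUTOSYS is set and a user name is supplied.
if [ -n "${AUTOSYS:-}" ] && [ -n "${1:-}" ]; then
    check_wrapper "$AUTOSYS/bin/AutosysCommandWrapper"
    check_filters "$AUTOSYS/config/AutoSysCommandFilters.txt"
    check_os_user "$1"
fi
```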
On the WCC Credentials tab, there is an option to enable or disable users.
If a user is disabled, they will see the message "User Disabled" under the Status.
While disabled, they will not be able to use the ECLI.
Once this status is removed, normal operations will resume based on the above information.
This information for disabled users is stored in the cfg_user_pref table.