Introduction: 

How to provide read only access to group members so that they can view the jobs in WCC but cannot perform any actions like send event.

Environment:  

CA WAAE 11.3.*

CA EEM 12.*

Instructions: 

We presume that the users are already created and assigned to this group and can access WCC with default permissions. Now we will restrict those users to have only read access to the jobs.

Below is an example with three sample users and application group:
1. Login into EEM selecting the WorkloadAutomationAE as the application. Create a group App_Team_1 and users Appteam_user1, Appteam_user2 & Appteam_user3 are part of this group.
2. Go to the as_job policy under "Manage Access Policies". Create a new as_job policy.
3. Under Identities section, select Type as Global Group and search for your app group. In this case it is App_Team_1. And click the right arrow.
4. Under the "Access Policy Configuration" select everything except "read" and under add resource, add your instance name.* (E.g: ACE.*) as you are applying this instance wide.

5. Scroll to the top and select "Explicit Deny" and click save. 

Note: Your new policy will be under "Explicit Denies" after you save. It won’t show under "Explicit Grants"

Now go to Permission Check in EEM and see if the user has allow for read and deny for the rest of the Actions Or you can login into WCC as that application user, filter jobs and try to run jobs or put them onhold then you'll get an error: "Error: E142004 Error occurred while sending On Hold event to BOX1 job. Reason:CAUAJM_W_10419 Job Execute Access Denied! "