Block/restrict batch SAR user from login to Web viewer 14

Article ID: 418137

Products

Output Management Web Viewer

Issue/Introduction

We want to block/restrict one FID user from logging in to Web Viewer 14. This FID is being used to load and access/print reports in SAR through batch, so we cannot remove it from SAR (DEF USER).
The FID is able to log in to Web Viewer 14 (online), and to avoid any misuse of this FID we want to block its ability to log in to the Web Viewer application.

On this MF system the Top Secret Security (TSS) product is in use, and users need access to FACILITY(WVFAC) to log in to Web Viewer; if that access is missing they cannot log in. However, we are not sure whether removing the FID's access to FACILITY(WVFAC) may impact its other functionality.

Another option we noticed is using the WV_SECURITY_MAINFRAME_APPLID variable.
The WV_SECURITY_MAINFRAME_APPLID environment variable in the Web Viewer configuration (which is the APPLID used for SAF calls) should match the APPLID defined within the Top Secret (TSS) security manager's facility matrix for the Web Viewer:
Output Management Web Viewer for z/OS 14.0 > Installing > Prepare for Installation > CCS Apache Tomcat Worksheet

Symbol/Variable: WV_SECURITY_MAINFRAME_APPLID (specified in the OM Web Viewer CAHVCENV member.)
Comments/Description: The 1 to 8 character APPLID that OM Web Viewer uses to validate user credentials, to change a user password and to create a security environment for a user.
Default: OMVSAPPL

Will setting the WV_SECURITY_MAINFRAME_APPLID parameter in the Web Viewer config file to be in sync with the APPLID value in TSS, and not providing the FID access to that APPLID, address this issue?


WebSphere Liberty is the application server being used for Web Viewer.

Environment

Output Management Web Viewer for z/OS 14.0

Resolution

Whether the batch FID user can safely be denied access to FACILITY(WVFAC) depends on whether this facility is used only by the STC ID for the Web Viewer WebSphere Liberty server or is also used by other WebSphere Liberty servers.
If the STC ID is used only by the Web Viewer WebSphere Liberty server, then not allowing access will affect only Web Viewer, but if it is used by other WebSphere Liberty servers, then they will be affected as well.
If that is the case, consider creating a new facility specifically for Web Viewer and a new STC ID specifically for the Web Viewer WebSphere Liberty server. That would isolate the new facility to Web Viewer, but you would also need to make sure that all the other users have access to the new facility and that the new STC ID has all the proper authority.

A new APPLID would need to be set up in security, and all users that do need to access Web Viewer would need to have access to the new APPLID. The variable WV_SECURITY_MAINFRAME_APPLID can then be used to tell Web Viewer the new APPLID name.

Additional Information

Another option is repository groups.
If repository groups are already in use, the batch FID user can be denied access to every repository group.
In this case repository groups were not being used, so this would mean that all users who do need to log in would need access to a repository group and would need to either select or type in the group name on the login page (which could be confusing to the users).