To make a user or group have read only access we need to update EEM to block certain users/groups from running sendevents and SendServerEvent.

• Open EEM, and login under WCC application (example WCC0002).
  
  
• Go to Manage Access Policies.
  
  
• Select "JobActionAutoSys".
  
  
• Select "JobActionAutoSysDefault".
  
  
• Select "Save As" and give it a name.
  
  
• Now check off "Explicit Deny" and click save.
  
  
• Click on "Identity Access Control List".
  
  
• Enter the identity you would like to block.
  
  
• Search for the user and select it from the box and press the down arrow.
  
  
• Remove the following users from your current list of identities in your new Explicit Deny: Commander, ConsoleOperator, Scheduler, Supervisor.
  
  Do this so all you see is your newly added user.
  
  NOTE: This is assuming that the original JobActionAutoSysDefault policy was not modified from it original policies.
  
  
• Make sure none of the default boxes are checked off and check the boxes of the actions you would like to block the user from doing.
  
  
• Click save and logout and login to WCC and that users actions will be blocked.

Notes:
You can add more users to this new Explicit Deny.
Make sure in WCC you have filters turned on and EEM turned on, under the "Configuration Manager, Servers", then select the server.

It may take a while for the new policy to get synchronized with WCC. To manually synchronize EEM and WCC, go to the Configure tab in EEM. Click on the Session link. Select the Synchronize Cache and Synchronize Push links to sync them up.

This also restricts the SendServerEvent.

Your user/group should now, not be able to run sendevents if you checked the sendevent box.