WDI Role based access implementation scenario

Answer

This Role based access requirement can be satisfied by adding specific administrator user IDs which are assigned the highest permission allowed, including delete. And then using default &WDIUSER to accommodate all others, i.e. read only users.

To support one set of users with read only access and another set with full access, I recommended the following steps. Please perform these steps on a test system first until you are comfortable with them. There is a warning under the Help text.
Warning: Ensure one or more users will have update access to User ID definitions, Roles and Systems before enabling role based access control on a System. Use the Summary button available in the User ID Definition Editor to confirm the access privileges a User ID will have. WebSphere Data Interchange Client will not prevent you from enabling role based access control on a System where no one will be allowed to disabled it or maintain the User ID definitions and Roles.

1. Ensure role-based access is disabled.
- Go to View -> Administration -> System
- Open appropriate system.
- Go to Security Options tab
- Verify that there is no check mark by "Enable Role Based Access Control"
Note: for the System's Security Options tab to be enabled, you will need to connect to DB2 by clicking/opening something in WDI Client, such as bring up a list of maps. (It doesn't really matter what object type, but the DB2 connection needs to exist for the appropriate System first.)



2. Verify that the SuperUser role has all permissions set to the highest allowable setting, including "Delete".
- Go to View -> Administration -> Security
- From Roles tab, double-click "SuperUser"
- From SuperUser's Permissions tab, verify settings are all at maximum. Alternatively, import this SuperUser role in attachment, "SuperUser_Role_highest_permissions.eif"
SuperUser_Role_highest_permissions.eif

3. Add your own userid as a SuperUser.
- Go to View -> Administration -> Security
- From User ID Definitions tab , click New
- Enter your user id value EXACTLY as it is defined to Windows. The value is case sensitive. For example,



This should also match what you specify when you login to Connect to DB2, e.g.



- Move to the Roles tab and move SuperUser from the Unselected Roles list to the Selected Roles list, as below:



-Save user and repeat step (3) to add any other userids as SuperUsers who require full access.

4. Update the &WDIUSER such that no roles are specified and no permissions. The default is read access. This special userid will then be used for all others who access WDI and will be read only. No need to add any userids specifically for this set of users. For example:




5. Enable Role based access.
- Go to View -> Administration -> System
- Open appropriate system
- Go to Security Options tab
- Check the box to "Enable Role Based Access Control"



6. Save Security Options and restart WDI Client.

7. Issue DB2 GRANT statements as appropriate for the (two) Roles.
While Role based security controls what options the user can see, and opens objects accordingly, DB2 GRANT permissions control the underlying database table security and what users would be able to access via WDI Server and/or other DB2 utilities. See the base WDI Server installation:

Windows installation path:
C:\Program Files\IBM\WDIServer\V3.3\ddl\grntec33.ddl

AIX installation path:
/opt/IBM/WDIServer/V3.3/ddl/grntec33.ddl

z/OS installation PDS and member name: EDI.V3R3M0.SEDISQL1(EDISGRNT)