Why are WebSphere Cast Iron V6.3 users who are members of the local "user" or "viewer" groups allowed to publish projects onto the appliance? What are the security risks of this, and what should I
In WebSphere Cast Iron V6.3, the local "viewer" group has an unintended elevated privilege which allows it to be able to publish projects onto the appliance.
As a result of an unintended elevated privilege, users under the local "viewer" or "user" groups are able to publish projects onto the appliance.
Keeping this in mind, verify that your appliance users, under the "user" and "viewer" groups, are trusted with the role of publishing projects.
An internal APAR has been raised to address this problem in a future WebSphere Cast Iron V6.3 fix pack.