Security checks on event rules

Security checks on event rules are enabled by default starting from version 9.5, Fix Pack 1.

Starting from product version 9.5, Fix Pack 1, security checks are enabled by default on event rules. The checks are enabled both for fresh installations and for upgrades from previous versions.

These checks verify that the user saving the event rule has DISPLAY permission on the relevant objects and thereby ensure a higher level of security when accessing event rules data.

To disable the security checks, set the com.ibm.tws.conn.event.security.enabled property to false in the TWSConfig.properties file. The TWSConfig.properties file is located in the following path:
On UNIX operating systems
TWA_DATA_DIR/usr/servers/engineServer/resources/properties
On Windows operating systems
TWA_home\usr\servers\engineServer\resource\properties
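The following added example (not product code) is one way to audit a TWSConfig.properties file and report whether the event rule security checks have been turned off. It assumes that a missing property means the default (enabled) applies and flags any value other than true or false for manual review; the function names and sample contents are constructed for illustration.

```python
import re
import sys

PROP = "com.ibm.tws.conn.event.security.enabled"  # property name from this page

def parse_properties(text):
    """Minimal Java-properties reader: '#' and '!' comments, '=', ':' or
    whitespace separators, later duplicates win. Continuations not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def event_rule_check_state(text):
    """Return 'enabled', 'disabled' or 'review' for the event rule checks."""
    props = parse_properties(text)
    if PROP not in props:
        return "enabled"   # assumption: key absent means the 9.5 FP1 default
    value = props[PROP].lower()  # compare case-insensitively so FALSE is flagged too
    if value in ("true", "false"):
        return "enabled" if value == "true" else "disabled"
    return "review"        # unexpected value: product behaviour not assumed

# Constructed sample contents, not taken from a real installation.
SAMPLE_DEFAULT = "# com.ibm.tws.conn.event.security.enabled=false\nother.key=1\n"
SAMPLE_DISABLED = (
    "com.ibm.tws.conn.event.security.enabled=true\n"
    "  com.ibm.tws.conn.event.security.enabled : FALSE\n"
)
SAMPLE_ODD = "com.ibm.tws.conn.event.security.enabled = no\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to TWSConfig.properties
        with open(sys.argv[1], encoding="latin-1") as fh:
            state = event_rule_check_state(fh.read())
    else:
        state = event_rule_check_state(SAMPLE_DISABLED)
    print(f"{PROP}: {state}")
    sys.exit(0 if state == "enabled" else 1)
```

Run it with the path to TWSConfig.properties as the only argument; a nonzero exit status means the checks are disabled or the value needs review.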
When you save the event rules, a security check is automatically performed to verify that you have DISPLAY permission for the following events:
FileMonitor
for all events that reference a workstation, DISPLAY permission is required on the specified workstation.
TWSObjectsMonitor
  • for all job events, such as JobStatusChanged, DISPLAY permission is required on the specified job.
  • for all job stream events, such as Job Stream Status Changed, DISPLAY permission is required on the specified job stream.
  • for Alert, Application Server and Workstation events, DISPLAY permission is required on the specified workstation. If the event type is Child Workstation Link Changed or Parent Workstation Link Changed, DISPLAY permission is required on the specified child or parent workstation.
  • for all prompt events, the following considerations apply:
    • if the prompt name refers to a global prompt, DISPLAY permission is required on the specified prompt.
    • if the prompt name refers to a local prompt, DISPLAY permission is required on the specified job and job stream. If neither a job nor a job stream is specified, the * wildcard is assumed.
    • if the prompt name starts with the * wildcard, DISPLAY permission is required on the specified prompt, job, and job stream. If neither a job nor a job stream is specified, the * wildcard is assumed.

If the user does not have the required permission, the event rule is not saved and an error message is displayed.

For more information about configuring security, see Configuring user authorization (Security file).