Web user profiles are maintained by the Web serving software. The Web Server uses them to determine authority levels against the directories (or libraries) defined in the Web Server. For example, with full user authentication, the WWWCGI library is defined in the Web Server to require user authentication. Web user profiles are used only by the Web Server and bear no relationship to IBM i user profiles; the two are maintained separately.
IBM i user profiles are used to determine the authority level against IBM i objects. LANSA uses the IBM i user profile (not the Web user profile) to determine the authority level of the user.
LANSA Web provides a mapping facility between the Web user profiles and the IBM i user profiles so that you can map a Web user profile to an IBM i profile. This is a security feature since the Web user profile is the only user profile that is exposed. The IBM i user profile is not exposed at all. Since the Web user profile only allows you access to the Web Server and not IBM i objects, this LANSA Web facility provides you with an additional layer of security in your application. For example, you can change the authority level of the IBM i profile without changing any details of the Web user profile. You can even change the IBM i user profile mapped to a Web user profile.
As a security feature, it is strongly recommended that the Web and IBM i user profiles not be identical.
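One way to check this recommendation against an existing mapping, as an added example that is not LANSA's own code. It assumes the mapping has been exported to a CSV with the hypothetical columns web_user and ibmi_user (all sample names are constructed), and it goes slightly beyond the text by also flagging a Web profile name that matches any other mapped IBM i profile.

```python
import csv
import io

# Constructed sample: a hypothetical CSV export of the Web-to-IBM i profile
# mapping. LANSA Web's real storage format is not shown on this page.
SAMPLE_EXPORT = """web_user,ibmi_user
jsmith,WEBGRP01
orders,ORDERS
mlee,WEBGRP01
webgrp01,WEBGRP02
"""


def normalize(name):
    # IBM i stores user profile names in upper case, so compare upper-cased.
    return name.strip().upper()


def audit_mapping(export_text):
    """Return (web_user, ibmi_user, reason) for each exposed name."""
    rows = [(r["web_user"].strip(), r["ibmi_user"].strip())
            for r in csv.DictReader(io.StringIO(export_text))]
    ibmi_names = {normalize(ibmi) for _, ibmi in rows}
    findings = []
    for web, ibmi in rows:
        if normalize(web) == normalize(ibmi):
            # The exposed Web name reveals the IBM i profile it maps to.
            findings.append((web, ibmi, "identical to mapped IBM i profile"))
        elif normalize(web) in ibmi_names:
            # The exposed Web name is a valid IBM i profile used elsewhere.
            findings.append((web, ibmi, "matches another mapped IBM i profile"))
    return findings


if __name__ == "__main__":
    for web, ibmi, reason in audit_mapping(SAMPLE_EXPORT):
        print(f"{web} -> {ibmi}: {reason}")
```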
LANSA Web does not perform any object-level authority checks; it only provides a facility to map Web user profiles onto IBM i user profiles. When you run your Web-enabled LANSA application, the object-level authority checks are performed by LANSA, and LANSA Web neither adds nor removes any of them.