Endevor Package actions not invoking external security

Article ID: 130110


Products

Endevor, Endevor Natural Integration, Endevor - ECLIPSE Plugin, Endevor - Enterprise Workbench

Issue/Introduction

A security point for PACKAGE_ACTIONS has been defined in the NAMEQU external security (ESI) definitions.

However, the security package does not seem to receive any check for resources formatted by the PACKAGE_ACTIONS security point.

For example, when the CLASS parameter is set to an incorrect class name, so that the security checks are certain to fail, no security failure is seen anywhere for package actions.

What can be the reason?

Environment

Release:
Component: ENDBAS

Resolution

This may be caused by the PKGSEC= setting in the C1DEFLTS table, as follows:

  • With PKGSEC=APPROVER, the PACKAGE_ACTIONS security point is not checked at all. The approvers of the package are the only users allowed to act on the package once it is cast.
  • With PKGSEC=MIGRATE, approvers are allowed to act on the package without any external security check. Non-approvers are checked against PACKAGE_ACTIONS to see whether they can be allowed to act on the package.
  • With PKGSEC=ESI, all package actions are checked against the PACKAGE_ACTIONS external security point regardless of whether the user is an approver. Additionally, the user needs to be an approver in order to approve or deny a package.

Additional Information

To check the PKGSEC= setting at runtime, take an options report by either:

  • Adding //EN$TROPT DD SYSOUT=*,SPIN(NO) to any JCL that performs any Endevor action
  • Issuing the command TSO ALLOC FI(EN$TROPT) SYSOUT(X) SPIN(NO) before entering the Endevor ISPF dialog

The options report prints to EN$TROPT DD for the batch job or the TSO session showing the PKGSEC setting:

-------------------------- Package Processing Options --------------------------
Approval Reqd....Y                CAST Security.....N        Security...MIGRATE 
Foreground Exec..Y                INSPECT Security..N        Comp Validation...O
Generated High-lvl Index for Remote PKG JCL.........                            
Package Admin actions SMF recording.................Y                           

To see whether ESI is checked for package actions, take a trace by adding an EN$TRESI DD using either of the above methods.

The ESI checks performed under the PACKAGE_ACTIONS point show the caption "Format=0006" at the start of each entry.

Here is a sample entry with Format=0002 (PRIMARY_OPTIONS) to illustrate where the caption shows up:

0 ENCS101I Format=0002 Pass=0000 Auth=READ ACEE=00000000 ENBISECR SECCRUTN+0005CC
  ENCS101I Class=£ENDEVOR Log=NONE   Func=RETRIEVE
  ENCS101I Scale=0....+....1....+....2....+....3....+....4....+....5....+....6
ENCS101I Entity=P1.ENV1.PMENU.BATCHPKG
ENCS101I User USER01   access is allowed  from SAF
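
The two checks above can be combined offline once the EN$TROPT and EN$TRESI output has been saved as text. The following is an added example, not code from the article or from the product; it assumes the report and trace layouts match the samples shown above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Expected PACKAGE_ACTIONS behaviour per PKGSEC value, as stated in the article.
EXPECTED = {
    "APPROVER": "PACKAGE_ACTIONS is never checked",
    "MIGRATE": "PACKAGE_ACTIONS is checked for non-approvers only",
    "ESI": "PACKAGE_ACTIONS is checked for every user",
}
PACKAGE_ACTIONS_FORMAT = "0006"  # caption the article gives for this security point

def pkgsec_setting(options_report):
    """Return the PKGSEC value from an EN$TROPT options report, or None."""
    # The value is the third field on the line that also carries "CAST Security";
    # anchoring on that field avoids matching the CAST/INSPECT Security flags.
    m = re.search(r"CAST Security\.+\S*\s+Security\.+(\w+)", options_report)
    return m.group(1) if m else None

def esi_format_counts(trace):
    """Count ESI checks per Format= caption in an EN$TRESI trace."""
    return Counter(re.findall(r"ENCS101I Format=(\d{4})", trace))

def diagnose(options_report, trace):
    """Return (PKGSEC value, number of Format=0006 checks, expected behaviour)."""
    setting = pkgsec_setting(options_report)
    seen = esi_format_counts(trace)[PACKAGE_ACTIONS_FORMAT]
    return setting, seen, EXPECTED.get(setting, "unknown PKGSEC value")

# Options report and Format=0002 trace entry copied from the article's samples.
SAMPLE_OPTIONS = """\
-------------------------- Package Processing Options --------------------------
Approval Reqd....Y                CAST Security.....N        Security...MIGRATE
Foreground Exec..Y                INSPECT Security..N        Comp Validation...O
"""
SAMPLE_TRACE = """\
0 ENCS101I Format=0002 Pass=0000 Auth=READ ACEE=00000000 ENBISECR SECCRUTN+0005CC
  ENCS101I Class=£ENDEVOR Log=NONE   Func=RETRIEVE
ENCS101I Entity=P1.ENV1.PMENU.BATCHPKG
ENCS101I User USER01   access is allowed  from SAF
"""

if __name__ == "__main__":
    setting, seen, expected = diagnose(SAMPLE_OPTIONS, SAMPLE_TRACE)
    print(f"PKGSEC={setting}: {expected}; Format=0006 entries seen: {seen}")
```

A count of zero Format=0006 entries with PKGSEC=APPROVER, or with PKGSEC=MIGRATE when the acting user is an approver, matches the behaviour described in the Resolution section rather than indicating a fault in the ESI definitions.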