ESI Security problem with Package CAST

Article ID: 140354


Products

Endevor

Issue/Introduction

Need to set up Endevor so that at cast time it will verify whether the user has access to perform the action(s) in the package. I have PKGSEC=ESI set, but it is not working. Why?

Environment

All Supported Releases 

Resolution

In the C1DEFLTS table, set PKGSEC=ESI. When PKGSEC=ESI is set in the C1DEFLTS table, all package actions except APPROVAL are performed through ESI. To approve a package, a user must still be a member of an approver group, either Internal or External.

NOTE: If no approver groups are related to an inventory area, the package is automatically approved. Also, QUORUM must be set to 1 or more to ensure that someone from the approver group reviews the package; otherwise the package is considered automatically approved by that group.

The C1DEFLTS table also has a parameter, PKGCSEC=. PKGCSEC indicates whether actions are checked at package cast time to decide whether the person casting the package has the authority to perform all actions contained in that package.

     - If PKGCSEC is set to Y, Endevor checks each action.
     - If the person is not authorized to perform all actions, he/she cannot cast the package.
     - If PKGCSEC is set to N, no action security check takes place and the package can be cast.

In the BC1TNEQU table, define what level of security is needed to perform the Package Action. Currently you do not have this defined. Here is what you currently have: 

*********************************************************************** 
*        MAP E/MVS AUTHORITIES TO SAF AUTHORITIES FOR                 *
*        ACTION_INITIATION AND PACKAGE_ACTIONS FORMAT CALLS.          *
*        NOTE: ENVIRONMENT_ACCESS, PRIMARY_OPTIONS, FOREGROUND_OPTIONS*
*              AND CONCURRENT_ACT_PROC FORMAT CALLS ALWAYS USE READ   *
*              AUTHORITY AND CANNOT BE MODIFIED.                      *
***********************************************************************
         FUNCEQU SAFAUTH=READ,                                         X
               C1ACTNS=(DISPLAY,RETRIEVE,SIGNIN)                       
         FUNCEQU SAFAUTH=UPDATE,                                       X
               C1ACTNS=(ADD,UPDATE,GENERATE)                           
         FUNCEQU SAFAUTH=CONTROL,                                      X
               C1ACTNS=(MOVE,SIGNOVR,ARCHIVE,DELETE)                   
         FUNCEQU SAFAUTH=ALTER,                                        X
               C1ACTNS=(ENVRNMGR)                                      
         FUNCEQU TYPE=END                       

To make this work, set up the SAF authorities. The SAF authorities for packages are:

PBACKOUT, PCAST, PCOMMIT, PCREATE, PDISPLAY, PDYNAMIC, PEXECUTE, PLIST, PMODIFY, PREVIEW, PSHIP, and PUTILITY

Below is an example of what your SAFAUTHS can look like:

*********************************************************************** 
*        MAP E/MVS AUTHORITIES TO SAF AUTHORITIES FOR                 * 
*        ACTION_INITIATION AND PACKAGE_ACTIONS FORMAT CALLS.          * 
*        NOTE: ENVIRONMENT_ACCESS, PRIMARY_OPTIONS, FOREGROUND_OPTIONS* 
*              AND CONCURRENT_ACT_PROC FORMAT CALLS ALWAYS USE READ   * 
*              AUTHORITY AND CANNOT BE MODIFIED.                      * 
*********************************************************************** 
         FUNCEQU SAFAUTH=READ,                                         +
               C1ACTNS=(DISPLAY,RETRIEVE,SIGNIN,                       +
               PBACKOUT,PCAST,PCOMMIT,PCREATE,PDISPLAY,PDYNAMIC,       +
               PEXECUTE,PLIST,PMODIFY,PREVIEW,PSHIP,                   +
               PUTILITY)
         FUNCEQU SAFAUTH=UPDATE,                                       +
               C1ACTNS=(ADD,UPDATE,GENERATE)                            
         FUNCEQU SAFAUTH=CONTROL,                                      +
               C1ACTNS=(MOVE,SIGNOVR,ARCHIVE,DELETE)                    
         FUNCEQU SAFAUTH=ALTER,                                        +
               C1ACTNS=(ENVRNMGR)
         FUNCEQU TYPE=END
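
A check for the gap described above, written as an added example (not Broadcom's or Endevor's own code): it reads the FUNCEQU statements of a BC1TNEQU source, honouring the column-72 continuation mark, and reports which package SAF authorities have no mapping. The helper names and the two embedded tables are constructed here from the statements shown on this page.

```python
import re

# The package SAF authorities listed on this page.
PACKAGE_ACTIONS = set("PBACKOUT PCAST PCOMMIT PCREATE PDISPLAY PDYNAMIC "
                      "PEXECUTE PLIST PMODIFY PREVIEW PSHIP PUTILITY".split())

def card(text, cont=False):
    """Constructed-input helper: pad to column 71, mark continuation in column 72."""
    return f"{text:<71}{'X' if cont else ' '}"

def statements(cards):
    """Join continued assembler lines (non-blank column 72), skipping '*' comments."""
    buf = ""
    for line in (c.ljust(72) for c in cards if not c.startswith("*")):
        buf += line[:71].strip()
        if line[71] == " " and buf:
            yield buf
            buf = ""

def funcequ_map(cards):
    """Return {action: SAF authority} from a table's FUNCEQU statements."""
    pat = r"FUNCEQU\s+SAFAUTH=(\w+),C1ACTNS=\(([^)]*)\)"
    return {a: m.group(1) for m in re.finditer(pat, "\n".join(statements(cards)))
            for a in m.group(2).split(",") if a}

def unmapped_package_actions(cards):
    """Package actions that no FUNCEQU statement maps to a SAF authority."""
    return sorted(PACKAGE_ACTIONS - set(funcequ_map(cards)))

# Constructed copies of the two FUNCEQU tables shown on this page.
CURRENT = [
    card("         FUNCEQU SAFAUTH=READ,", True),
    card("               C1ACTNS=(DISPLAY,RETRIEVE,SIGNIN)"),
    card("         FUNCEQU SAFAUTH=UPDATE,", True),
    card("               C1ACTNS=(ADD,UPDATE,GENERATE)"),
    card("         FUNCEQU SAFAUTH=CONTROL,", True),
    card("               C1ACTNS=(MOVE,SIGNOVR,ARCHIVE,DELETE)"),
    card("         FUNCEQU SAFAUTH=ALTER,", True),
    card("               C1ACTNS=(ENVRNMGR)"),
    card("         FUNCEQU TYPE=END"),
]
EXAMPLE = CURRENT[:1] + [
    card("               C1ACTNS=(DISPLAY,RETRIEVE,SIGNIN,", True),
    card("               PBACKOUT,PCAST,PCOMMIT,PCREATE,PDISPLAY,PDYNAMIC,", True),
    card("               PEXECUTE,PLIST,PMODIFY,PREVIEW,PSHIP,PUTILITY)"),
] + CURRENT[2:]

print("unmapped in current table:", unmapped_package_actions(CURRENT))
print("PCAST authority in example table:", funcequ_map(EXAMPLE).get("PCAST"))
```

In the example table every package action resolves to READ, so READ access to the pseudo dataset is what permits the action, which matches the Auth=READ shown for Func=PCAST in the trace.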

Next, ensure that you have security rules set up based on the SAF pseudo dataset name defined below:

 

         NAMEQU PACKAGE_ACTIONS,                                       X
               L1=('C1'),                                              X
               L2=('PACKAGE'),                                         X
               L3=(MENUITEM),                                          X
               L4=(PKGSUBFC),                                          X
               L5=(PKGID)            

Here is an example of a cast pseudo dataset name that gets passed to TSS/RACF/ACF2: C1.PACKAGE.CAST.CAST.PACKAGENAME

Here is an example of what you would see in the ESITRACE:

       Format=0006 Pass=0000 Auth=READ ACEE=00000000 BC1PPKEX PKGSECXI+00A5BE
       Class=DATASET  Log=NONE   Func=PCAST                                 
       Scale=0....+....1....+....2....+....3....+....4....+....5....+....6  
       Entity=C1.PACKAGE.CAST.CAST.PACKAGE1                                
       User USER123  access is allowed  from SAF                            
       

After you have set up the C1DEFLTS table, the BC1TNEQU table, and your security rules, you can confirm that everything is working by enabling the ESI trace, either in foreground with %ESITRACE START or in batch by adding the following DD statements:

//BSTERR DD SYSOUT=*
//EN$TRESI DD SYSOUT=*