APF-authorize Endevor V18.1 user exits required?
search cancel

APF-authorize Endevor V18.1 user exits required?


Article ID: 216876


Updated On:




According to the V18.1 Release Notes, it clearly states that  the user exit must reside in an APF-authorized library -- 
However in the Exit Reference  makes it sound like it is optional: 


Which is it?


Release : 18.1

Component : CA Endevor Software Change Manager


The long term goal is to disallow exits from non-APF libraries. However, that's a compatibility issue, therefore, AUTH=NO is still supported.
Broadcom strongly recommends NOT to put Endevor exits in a library that's part of the CONLIB DD because it's a data integrity exposure.
There is also a common misunderstanding about APF-authorized libraries. First, an APF-authorized library has to be protected with proper security rules. Second, executing a program out of an authorized library doesn't mean that the program runs with authorization. APF-authorization means that reentrant programs will be loaded in protected storage to make sure that the code path can't be changed. In Endevor, the CALLAPF=YES parameter means that the exit will run authorized only if it was linked with AC(1).
In short, APF-authorization is a protection mechanism that exists to guarantee data and system integrity. It should be used, not avoided.