APF-authorize Endevor V18.1 user exits required?

Article ID: 216876

Products

Endevor

Issue/Introduction

The V18.1 Release Notes clearly state that the user exit must reside in an APF-authorized library.

See:
https://techdocs.broadcom.com/us/en/ca-mainframe-software/devops/ca-endevor-software-change-manager/18-1/release-notes.html#concept.dita_436797bdce00e3d88c66387de9a84280ea0ae162_InstallationRequirements
 
 
 
However, the Exit Reference makes it sound like it is optional:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/devops/ca-endevor-software-change-manager/18-1/api-and-user-exits-reference/exits-reference.html#concept.dita_4514e779-7ba7-4f8a-a31d-823091bd72cc_StoreUserExits

 

Which is it?

Environment

Release : 18.1

Component : CA Endevor Software Change Manager

Resolution

The long-term goal is to disallow exits from non-APF libraries. However, doing so is a compatibility issue; therefore, AUTH=NO is still supported.
 
Broadcom strongly recommends NOT putting Endevor exits in a library that is part of the CONLIB DD, because doing so is a data integrity exposure.
 
There is also a common misunderstanding about APF-authorized libraries. First, an APF-authorized library has to be protected with proper security rules. Second, executing a program out of an authorized library doesn't mean that the program runs with authorization. APF-authorization means that reentrant programs will be loaded in protected storage to make sure that the code path can't be changed. In Endevor, the CALLAPF=YES parameter means that the exit will run authorized only if it was linked with AC(1).
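
Added example (not from the Broadcom article): a binder step that links an exit as reentrant with AC(1) into an APF-authorized library, followed by an AMBLIST step to confirm the attributes that were stored. The job card values, the dataset names and the member name MYEXIT are placeholders; drop the SETCODE statement for an exit that is not meant to run authorized.

```jcl
//LINKEXIT JOB (ACCT),'LINK EXIT',CLASS=A,MSGCLASS=X
//*
//* Placeholders (assumptions, not from the article):
//*   YOUR.EXIT.OBJLIB  - object library holding the assembled exit
//*   YOUR.APF.EXITLIB  - APF-authorized, security-protected load library
//*   MYEXIT            - exit member name
//*
//* Step 1: bind the exit as reentrant and mark it AC(1).
//* RENT lets the module be loaded into protected storage.
//* SETCODE AC(1) is what allows it to run authorized; residing in an
//* APF-authorized library alone does not.
//*
//LKED     EXEC PGM=IEWL,PARM='LIST,XREF,MAP,RENT'
//SYSPRINT DD  SYSOUT=*
//OBJLIB   DD  DISP=SHR,DSN=YOUR.EXIT.OBJLIB
//SYSLMOD  DD  DISP=SHR,DSN=YOUR.APF.EXITLIB
//SYSLIN   DD  *
  INCLUDE OBJLIB(MYEXIT)
  SETCODE AC(1)
  NAME    MYEXIT(R)
/*
//*
//* Step 2: list the module so the stored attributes
//* (reentrant, authorization code) can be reviewed.
//*
//VERIFY   EXEC PGM=AMBLIST,COND=(4,LT,LKED)
//SYSPRINT DD  SYSOUT=*
//SYSLIB   DD  DISP=SHR,DSN=YOUR.APF.EXITLIB
//SYSIN    DD  *
  LISTLOAD OUTPUT=MODLIST,MEMBER=MYEXIT
/*
//*
//* To confirm the library itself is in the APF list, an operator
//* can issue:  D PROG,APF,DSNAME=YOUR.APF.EXITLIB
```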
 
In short, APF-authorization is a protection mechanism that exists to guarantee data and system integrity. It should be used, not avoided.