ESI Calls for "Delete from Source" Location

Article ID: 229113

Products

Endevor Software Change Manager (SCM)

Issue/Introduction

When performing a Transfer from STG2 TO STG2 W/DELETE BEHIND, it appears that there are no calls made by ESI to secure the Delete from Source Location.

C1.env.sys.subs.type.V.TRANSFER.MOVE
C1.env.sys.subs.type.V.TRANSFER.MOVE 
 

For the transfer with the DELETE from the SOURCE LOCATION:

C1G0202I  ACTION #1 / STMT #2                                                  
C1G0203I     TRANSFER ELEMENT ELEMENT4                                        
C1G0211I        VERSION 01 LEVEL 00                                            
C1G0204I        FROM ENVIRONMENT: TESTENV  SYSTEM: SYSTEM1  SUBSYSTEM: SUBS2  
C1G0204I        TO   ENVIRONMENT: TESTENV  SYSTEM: SYSTEM1  SUBSYSTEM: SUBS1  
C1G0232I        OPTIONS:  WITH HISTORY, SIGNIN                                
C1G0232I                  CCID: DECLINK                                        
C1G0232I                  COMMENT: TEST TRANSFER                              
C1E0107I  USER PILRO01 RESTRICTED FROM FUNC MOVE RESOURCE EN.TESTENV.SYSTEM1.SU
C1G0265I  PROCESSOR GROUP *NOPROC* FOR THIS ELEMENT WAS OBTAINED FROM SECONDARY
C1E0107I  USER PILRO01 RESTRICTED FROM FUNC MOVE RESOURCE EN.TESTENV.SYSTEM1.SU
SMGR122W  NO ELEMENT SOURCE CHANGES DETECTED                                  
SMGR129I  ELEMENT VVLL 0100 NOT UPDATED AT VAL                                
C1G0265I  PROCESSOR GROUP *NOPROC* FOR THIS ELEMENT WAS OBTAINED FROM PRIMARY E
SMGR112I  ELEMENT VVLL 0100 DELETED FROM LOCATION TESTENV/V/SYSTEM1/SUBS2/DECLI
C1G0200I  ELEMENT ACTION REQUEST PROCESSING COMPLETED, HIGHEST ENDEVOR RC WAS 0

The BC1TNEQU Table is currently set up as follows for Action_Initiation: 

NAMEQU ACTION_INITIATION,
      L1=('EN'),         
      L2=(ENVIRONMENT),  
      L3=(SYSTEM),       
      L4=(SUBSYSTEM),    
      L5=(TYPE),         
      L6=(STAGEID),      
      L7=(MENUITEM),     
      L8=(MENUAUTH),     
      L9=(ALTERFLD),     
      LOG=NONE           

Is there a way that we can stop a user from Deleting at the source location when the option is available? 

Environment

Release : 18.0, 18.1 

Component : Endevor Software Change Manager

Resolution

A new option has been written to address this problem and is available via PTF.  

18.1 LU03349
https://support.broadcom.com/web/ecx/solutiondetails?aparNo=LU03349&os=z/OS

18.0.12 LU03350
https://support.broadcom.com/web/ecx/solutiondetails?aparNo=LU03350&os=z/OS

ENHANCEMENT DESCRIPTION:
This enhancement introduces a new option in the ENCOPTBL table,
SEC_ALTERNATIVE_MENUAUTH, which affects the behavior of the security.
Depending on circumstances, it affects how and whether exit point 1 calls
during action initiation are done, and, if the External Security Interface
(ESI) is active, it affects how and whether action initiation ESI security
control points are called. Exit point 1 calls and ESI security control point
calls are closely tied and thus are affected by this option the same way.
In the text below, exit point 1 calls and ESI security control point calls
are referred to simply as security calls.
 
The default behavior of the security (i.e. when this option is off) has
the following idiosyncrasies:
  1) For certain actions, the value of the ESI keyword "MENUAUTH",
     its synonym keyword "ACTION", and the corresponding exit field "ECBFUNC"
     depends on the stage where the action occurs. The value might be
     different for stage #1 or entry stage versus non-entry stage #2.
  2) For the archive action and the move action, ESI security checks are not
     able to distinguish if the implicit delete of the element in the source
     location is going to occur or if the "Bypass Element Delete" option was
     specified.
This may result in insufficient granularity or even the inability to define
proper security rules.
 
When this option is on, the behavior changes as follows:
  1) The value of MENUAUTH/ACTION/ECBFUNC does not depend on the stage.
  2) For the archive action and the move action, security calls for
     the source location use the MENUAUTH/ACTION/ECBFUNC value "DELETE"
     if the "Bypass Element Delete" option was not specified; otherwise,
     the value "RETRIEVE" is used.
 
The following table summarizes all actions affected by this option.
This option has no effect on action/stage/options combinations not
specifically mentioned in the table.
 

(*) - This security call is done only if the SEC_MOVE_TARGET option is on.
      Options SEC_ALTERNATIVE_MENUAUTH and SEC_MOVE_TARGET are independent of
      each other.
 
Notes:
- With this option turned on, the MENUAUTH/ACTION/ECBFUNC value can never be
  "ARCHIVE" or "MOVE".
- The ESI keyword "MENUITEM" and the corresponding exit field "ECBFUNAM"
  always contain the real action name and can be used to refine security
  rules.
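
The following Python model is an added example, not part of the article and not Endevor or Broadcom code. With SEC_ALTERNATIVE_MENUAUTH on, it builds the source-location resource name for MOVE and ARCHIVE in the qualifier order of the NAMEQU ACTION_INITIATION entry above and checks it against constructed rules, showing that a rule keyed on the MENUAUTH qualifier can now separate a delete at the source from a bypassed delete. Assumptions: the rule format (first match wins, "*" matches one qualifier), the type COBOL, the user RELMGR1, and the omission of the ALTERFLD qualifier.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SourceCall:
    action: str                  # real action name, carried in MENUITEM
    env: str
    system: str
    subsystem: str
    type: str
    stage: str
    bypass_delete: bool = False  # the "Bypass Element Delete" option

def source_menuauth(call):
    """MENUAUTH for the source-location call when the option is on."""
    if call.action not in ("MOVE", "ARCHIVE"):
        raise ValueError("only MOVE and ARCHIVE source calls are modelled")
    return "RETRIEVE" if call.bypass_delete else "DELETE"

def resource_name(call):
    # L1..L8 of the NAMEQU entry; L9 (ALTERFLD) is left out (assumption).
    return ".".join(("EN", call.env, call.system, call.subsystem, call.type,
                     call.stage, call.action, source_menuauth(call)))

def matches(pattern, name):
    # Simplified matching, not any security product's profile syntax.
    p, n = pattern.split("."), name.split(".")
    return len(p) == len(n) and all(a in ("*", b) for a, b in zip(p, n))

def permitted(user, call, rules):
    """First matching rule decides; no matching rule means deny."""
    name = resource_name(call)
    for pattern, users in rules:
        if matches(pattern, name):
            return user in users
    return False

# Constructed rules: only RELMGR1 may delete at stage V; both may retrieve.
RULES = [
    ("EN.TESTENV.SYSTEM1.*.*.V.*.DELETE", {"RELMGR1"}),
    ("EN.TESTENV.SYSTEM1.*.*.V.*.RETRIEVE", {"RELMGR1", "PILRO01"}),
]

if __name__ == "__main__":
    for bypass in (False, True):
        call = SourceCall("MOVE", "TESTENV", "SYSTEM1", "SUBS2", "COBOL", "V", bypass)
        print(resource_name(call), "PILRO01 permitted:",
              permitted("PILRO01", call, RULES))
```

Because MENUITEM still carries the real action name, the seventh qualifier in a rule can be narrowed from "*" to MOVE or ARCHIVE when the two actions need different treatment.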
