Setting up technical User in Endevor Bridge for Git

Article ID: 378594

Products

Endevor

Issue/Introduction

This knowledge base article outlines the problems of associating mapping administrators with real users from a credentials perspective. It highlights the need to provision and use technical users, and it shows the configuration options available in Bridge for Git for enhanced security.

Environment

Endevor V19

Endevor Bridge for Git 2.8.8

Cause

Among the roles in Bridge for Git, the mapping administrator has the most important responsibilities as the person that manages the mappings for development teams to work with. As a result, the mapping administrator’s user and credentials are the most important things to plan and manage. 

When a mapping administrator creates a mapping, their username and credentials are connected to all the sync-back updates, or commits, going from Endevor to git. Note that mapping administrators must have at the least read access to the Endevor inventory that they are mapping. 

This causes several potential problems with the basic setup of Bridge for Git, in which Endevor Connections are configured with only a username and password:

  • Wider access to Endevor inventories
    Connecting a real user’s credentials to an Endevor connection grants full access to the Endevor inventory within the scope of that individual’s permissions, compared to, for example, single-purpose tokens.

  • Unclear audit from Endevor side and traceability of changes in git

As the sync-back commits retrieve any recent changes under the mapping administrator, many requests would show up on the mainframe side from a single person. Similarly, the git repository could become cluttered with commits from a single user, especially if the enhanced traceability feature is not used. This means that any productivity scanning tools you may use could be confused by the large number of commits from a single user, most of which were not theirs in the first place.

  • Complete blockage of work

If the mapping administrator’s credentials expire and are not updated, mappings will not be updated with the latest changes from Endevor. This means that developers working in git would be out of sync and would frequently have to revert changes.


Resolution

In order to mitigate these problems, we highly recommend creating a technical user that can represent the Bridge for Git application itself instead of a real user. The following options illustrate the levels of control you can achieve using a technical user and taking advantage of advanced configuration options with Endevor Web Services and the Zowe API Mediation Layer.

  • Provision a technical user to be used as a mapping administrator
    Provision a technical user that has read-only access to the Endevor inventories and use this technical user to create and own some or all mappings (for a team, multiple mappings, the entire server, etc.)

  • Provision a technical user to be used as a mapping administrator AND use Endevor tokens (Passtickets)
    In addition to the above, store only the generated passticket for the technical user in the Bridge for Git database, rather than any credentials.

  • (Best Option) Set up API ML and configure Endevor Connections with certificates for mapping owners, which are technical users. Optionally configure PAT login for developers.
    Zowe API Mediation Layer with Endevor Web Services integrated means that you can generate certificates and associate them with users. From a Bridge for Git standpoint, this means:
    • You can have a long-lasting certificate connected to a mapping administrator, significantly minimizing the possibility of sync-back failing from invalid credentials

    • Since the mapping administrator is connected to a service account, it is easy to exclude the username from any scanning tools or processes you have set up in your git server

    • Similarly, you can specify that the technical user merely have read access to Endevor directly, thus ensuring that nothing more is ever retrieved from or done with Endevor inventories
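The "complete blockage of work" failure mode above does not disappear with certificates: a long-lived client certificate also expires eventually. The check below is an added example, not part of this article or of Bridge for Git; it assumes openssl is installed, and the certificate path, subject name and threshold are placeholders you replace with those of your technical user.

```shell
#!/bin/sh
# Added example: warn before the technical user's client certificate (used for
# the Endevor Connection via API ML) expires, so sync-back does not stop silently.
# Assumes openssl is available; certificate paths and names are placeholders.

# cert_valid_for_days CERT_PEM DAYS
# Returns 0 if the certificate will still be valid DAYS from now, 1 if it
# expires within that window (or is already expired).
cert_valid_for_days() {
  secs=$(( $2 * 86400 ))
  if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# check_mapping_admin_cert CERT_PEM THRESHOLD_DAYS
# Prints one status line and returns 0 (ok) or 1 (renew now). Suitable for a
# cron job that runs ahead of the sync-back schedule.
check_mapping_admin_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  if cert_valid_for_days "$1" "$2"; then
    echo "OK: $subj valid for more than $2 days"
    return 0
  fi
  echo "RENEW: $subj expires within $2 days; sync-back will stop when it does"
  return 1
}

# make_test_cert OUT_PEM DAYS COMMON_NAME
# Constructed self-signed certificate for a hypothetical technical user, used
# only to exercise the check offline (a real one would be issued via API ML).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$3" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: one certificate with ample validity, one about to expire.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_test_cert "$tmp/longlived.pem" 400 "technical-user-placeholder"
  make_test_cert "$tmp/expiring.pem" 5 "technical-user-placeholder"
  check_mapping_admin_cert "$tmp/longlived.pem" 30
  check_mapping_admin_cert "$tmp/expiring.pem" 30 || true
  rm -rf "$tmp"
fi
```

Run it as `sh check_cert.sh demo` to see both outcomes; in production point it at the technical user's certificate with a threshold comfortably longer than your renewal lead time.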