Accessing Endevor Web Services results in a security violation. The Web Services Started Task (STC) log displays ICH408I and IEC150I 913-38 messages for ddname APIMSGS. A sample error message appears as follows: 

ICH408I USER(######) GROUP(#######) NAME(###################)  412
  SYS26141.T120510.RA000.<STC_name>.R0285870 CL(DATASET ) VOL(#######)
  INSUFFICIENT ACCESS AUTHORITY                              
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )            
IEC150I 913-38,IFG0194E,<STC_name>,<step_name>,APIMSGS,1041,<volser>,  413
SYS26141.T120510.RA000.<stc_name>.R0285870                     

The Web Services STC dynamically allocates the APIMSGS ddname to a temporary dataset during initialization. This allocation occurs under the security context of the STC's own userid. When a client request arrives, the STC impersonates the client's userid to process the request. If the process attempts to write to the APIMSGS ddname, the open operation fails because the client's userid does not own the temporary dataset created by the STC. This typically occurs in environments where security settings protect temporary datasets.

1. Locate the C1DEFLTS table used by the Endevor environment.
2. Specify a public prefix in the MODHLI parameter.
3. Ensure the prefix allows "Update" or "Write" access for all users who access Web Services.
4. Assemble and link the updated C1DEFLTS table.
5. Wait for the Web Services STCs to spawn again so that they can pick up the new C1DEFLTS. Alternatively, restart the Tomcat STC 

By defining a MODHLI prefix, Endevor allocates these files as permanent datasets using the specified high-level qualifier. This prevents security violations during userid impersonation because the dataset name follows a predictable, authorized structure rather than being restricted to the STC owner.