Use of CA Endevor SCM Alternate ID and USS
Article ID: 49368
Updated On:
Products
Issue/Introduction
When using a USS Base Library, Endevor source management accesses the library using the alternate ID. Endevor also uses the alternate ID when it accesses a USS Source Output Library in the Endevor reserved processors BASICGEN and BASICDEL.
Environment
Release: 18.0 18.1
Component: Endevor Software Change Manager
Resolution
When using a USS Base Library, Endevor source management accesses the library using the alternate ID.Endevor also uses the Alternate ID when it accesses a USS Source Output Library in the Endevor reserved processors BASICGEN and BASICDEL.
Processor Step Execution Security Context
- Processor steps are executed, by default, under the security context of the Endevor Alternate ID.
- When the "ALTID=N" parameter is specified on the processor step, the step is executed under the security context of the userid rather than the Endevor Alternate id.
The security context used for USS file access in processor steps is determined by the above. USS data sets created in processor steps using PATHOPTS=(OCREAT) are created using the security context of the user ID, prior to the invocation of the processor program. When used in the processor step, these data sets are opened using the security context of the processor step.
Using EXEC PGM=BPXBATCH in a processor step
The security context of a processor step executing the IBM USS utility program BPXBATCH depends on the following factors:
- Whether BPXBATCH runs a shell scrip (PARM='SH') or directly executes an executable file (PARM='PGM').
- The settings of Environment variables _BPX_BATCH_SPAWN and _BPX_SHAREAS.
We recommend BPXBATCH be invoked directly as processor step.
Table-1 shows combinations of these parameters and settings with the resulting security context of the processor step executing BPXBATCH:
| BPXBATCH parameter | _BPX_BATCH_SPAWN | _BPX_SHAREAS | Security context |
| SH | Any | Any | Alternate ID |
| PGM | NO | n/a | Alternate ID |
| PGM | YES | NO | Alternate ID |
| PGM | YES | YES | User ID |
Table-1
Calling BPXBATCH in an IKJEFT01 processor step
Note: We do not recommend the use of BPXBATCH in an IKJEFT01 step, because the results can be unpredictable.
Whether BPXBATCH invoked by a CLIST or REXX in a processor step executing IKJEFT01 executes under the context of the alternate ID depends on the following two additional factors:
- Whether or not a LGNT$$$I swap was performed prior to the invocation of BPXBATCH.
- Whether or not a prior USS service call was made in the job step prior to the BPXPBATCH call. For example, the prior USS service call could occur when a USS Base or Source Output Library was used during the Endevor job step, or when a shell script was executed in this or any prior Endevor action.
Table-2 shows the Security context results from these two additional factors when calling BPXBATCH from a processor step that executes IKJEFT01:
| LGNT$$$I swap performed | Prior USS Service call made | Security context |
| Yes | No | Alternate ID |
| Yes | Yes | failure |
| No | No | User ID |
| No | Yes | User ID |
Table-2
Use of BPXBATSL, BPXBATA2 and BPXBATA8
These three programs always run under the context of the user ID, because they process requests in the same manner as the last row in table-1 (_BPX_BATCH_SPAWN=YES, _BPX_SHAREAS=YES).
Feedback
