Security issue when the AltID is used as HLQ in processor.
search cancel

Security issue when the AltID is used as HLQ in processor.


Article ID: 52341


Updated On:


Bind Analyzer for DB2 for z/OS SQL-Ease for DB2 for z/OS SYSVIEW Performance Management Option for DB2 for z/OS Plan Analyzer for DB2 for z/OS Subsystem Analyzer for DB2 for z/OS PanAudit Plus Easytrieve Report Generator PAN/SQL Endevor Endevor Natural Integration Endevor - ECLIPSE Plugin Endevor - Enterprise Workbench


Security violations for JES2 files are created in processors with the Alternate ID as high level qualifier.

JES2 files defined in a processor step are opened under the User ID. Since these files are also created with the User ID as the high level qualifier, there are generally no security issues.

However, if a JES2 file is dynamically allocated by a program that is being executed in a processor it is created with the Alternate ID as the high level qualifier and, since it is still opened by the User ID, this can lead to security violations if the user is not authorized to update files with that high level qualifier.

Generally, the violation messages will include an IEC150I 913-74 message pointing to the file (DD name) in question.


All versions of Endevor



This problem is most commonly seen with Compuware's XPEDITER program, which dynamically allocates its CWPERRM and CWPCPIN files, but there have been other instances as well.


There are 2 possible solutions for this problem:

  1. Hard-code the offending DD name(s) in the processor. In the XPEDITER case, for example, you would simply code //CWPERRM DD SYSOUT=* and //CWPCPIN DD SYSOUT=* in the processor step.

  2. Add ALTID=N to the EXEC statement of the step concerned, to have it run under User ID security instead of Alternate ID security. A consequence of this method is that the User ID would also need authority to access any other data sets that might be referenced in that step.