Security violations when JES2 files are created in processors with the Alternate ID as high level qualifier.

Article ID: 52341

Products

CA 2E, CA Bind Analyzer for DB2 for z/OS, CA SQL-Ease for DB2 for z/OS, CA Sysview Performance Management Option for DB2 for z/OS, CA Plan Analyzer for DB2 for z/OS, CA Subsystem Analyzer for DB2 for z/OS, CA PanAudit Plus, CA Easytrieve Report Generator, CA PAN/SQL, CA Endevor Software Change Manager (SCM), CA Endevor Software Change Manager - Natural Integration (SCM), CA Endevor Software Change Manager - ECLIPSE Plugin (SCM), CA Endevor Software Change Manager - Enterprise Workbench (SCM)

Issue/Introduction

JES2 files defined in a processor step are opened under the User ID. Since these files are also created with the User ID as the high level qualifier, there are generally no security issues.

However, if a JES2 file is dynamically allocated by a program that is being executed in a processor, it is created with the Alternate ID as the high level qualifier. Since the file is still opened by the User ID, this can lead to security violations if the user is not authorized to update files with that high level qualifier.

Generally, the violation messages will include an IEC150I 913-74 message pointing to the file (DD name) in question.

Cause

This problem is most commonly seen with Compuware's XPEDITER program, which dynamically allocates its CWPERRM and CWPCPIN files, but there have been other instances as well.

Environment

Component: C21E

All versions of Endevor

Resolution

There are 2 possible solutions for this problem:

  1. Hard-code the offending DD name(s) in the processor. In the XPEDITER case, for example, you would simply code //CWPERRM DD SYSOUT=* and //CWPCPIN DD SYSOUT=* in the processor step.

  2. Add ALTID=N to the EXEC statement of the step concerned, to have it run under User ID security instead of Alternate ID security. A consequence of this method is that the User ID would also need authority to access any other data sets that might be referenced in that step.
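To find which DD names need the treatment in solution 1, the job log can be scanned for the IEC150I 913-74 messages described above. The following Python script is an added example, not part of the original article or of Endevor; the comma-separated IEC150I field layout, the Alternate ID `ENDALT` and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed layout: IEC150I 913-74,module,job,step,ddname,device,volser,dsname
IEC150I_913_74 = re.compile(
    r"IEC150I\s+913-74,(?P<module>[^,]*),(?P<job>[^,]*),(?P<step>[^,]*),"
    r"(?P<dd>[^,]*),(?P<dev>[^,]*),(?P<vol>[^,]*),(?P<dsn>\S+)"
)

def find_altid_violations(log_lines, alt_id):
    """Return sorted unique (step, ddname, dsname) for 913-74 failures whose
    data set high level qualifier is the Alternate ID."""
    hits = set()
    for line in log_lines:
        m = IEC150I_913_74.search(line)
        if not m:
            continue  # other messages, or 913 with a different reason code
        dsn = m.group("dsn")
        if dsn.split(".")[0].upper() != alt_id.upper():
            continue  # ordinary access failure, not the Alternate ID case
        dd = m.group("dd").split("-")[0]  # drop any "-n" concatenation suffix
        hits.add((m.group("step"), dd, dsn))
    return sorted(hits)

def suggest_dd_overrides(violations):
    """Format the hard-coded DD statements of solution 1, one per DD name."""
    dds = sorted({dd for _, dd, _ in violations})
    return ["//%-8s DD SYSOUT=*" % dd for dd in dds]

# Constructed sample log lines (not real output); ENDALT is a hypothetical
# Alternate ID, USRJOB1/COMPILE hypothetical job and processor step names.
SAMPLE_LOG = [
    "IEF403I USRJOB1 - STARTED",
    "IEC150I 913-74,IFG0194E,USRJOB1,COMPILE,CWPERRM,,,ENDALT.USRJOB1.JOB01234.D0000105.?",
    "IEC150I 913-74,IFG0194E,USRJOB1,COMPILE,CWPCPIN,,,ENDALT.USRJOB1.JOB01234.D0000106.?",
    "IEC150I 913-74,IFG0194E,USRJOB1,COMPILE,CWPERRM,,,ENDALT.USRJOB1.JOB01234.D0000105.?",
    "IEC150I 913-74,IFG0194E,USRJOB1,COMPILE,SYSLIB,3390,VOL001,PROD.COPYLIB",
    "IEC150I 913-38,IFG0194E,USRJOB1,COMPILE,SYSUT1,3390,VOL002,ENDALT.WORK.FILE",
]

if __name__ == "__main__":
    found = find_altid_violations(SAMPLE_LOG, "ENDALT")
    for step, dd, dsn in found:
        print("step %s: DD %s -> %s" % (step, dd, dsn))
    print("\n".join(suggest_dd_overrides(found)))
```

Only failures whose data set name starts with the Alternate ID are reported, so ordinary authorization failures in the same step are not mistaken for this problem.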