Security issue when the AltID is used as HLQ in processor.
search cancel

Security issue when the AltID is used as HLQ in processor.

book

Article ID: 52341

calendar_today

Updated On:

Products

Bind Analyzer for DB2 for z/OS SQL-Ease for DB2 for z/OS SYSVIEW Performance Management Option for DB2 for z/OS Plan Analyzer for DB2 for z/OS Subsystem Analyzer for DB2 for z/OS PanAudit Plus Easytrieve Report Generator PAN/SQL Endevor Endevor Natural Integration Endevor - ECLIPSE Plugin Endevor - Enterprise Workbench

Issue/Introduction

Security violations for JES2 files are created in processors with the Alternate ID as high level qualifier.

JES2 files defined in a processor step are opened under the User ID. Since these files are also created with the User ID as the high level qualifier, there are generally no security issues.

However, if a JES2 file is dynamically allocated by a program that is being executed in a processor it is created with the Alternate ID as the high level qualifier and, since it is still opened by the User ID, this can lead to security violations if the user is not authorized to update files with that high level qualifier.

Generally, the violation messages will include an IEC150I 913-74 message pointing to the file (DD name) in question.

Environment

All versions of Endevor

 

Cause

This problem is most commonly seen with Compuware's XPEDITER program, which dynamically allocates its CWPERRM and CWPCPIN files, but there have been other instances as well.

Resolution

There are 2 possible solutions for this problem:

  1. Hard-code the offending DD name(s) in the processor. In the XPEDITER case, for example, you would simply code //CWPERRM DD SYSOUT=* and //CWPCPIN DD SYSOUT=* in the processor step.

  2. Add ALTID=N to the EXEC statement of the step concerned, to have it run under User ID security instead of Alternate ID security. A consequence of this method is that the User ID would also need authority to access any other data sets that might be referenced in that step.