After a package is cast, a user tries to perform an action against the package. The job fails with the error:
"PKEX500E PACKAGE PROCESSING DENIED BY SECURITY EXIT RC(000C) RSN(0000)"
and the EN$TRESI trace does not show an error.
Release: All supported versions of Endevor
As the ESI trace indicates, this is not an ESI issue, so it is probably an approver issue.
In this particular situation, the C1DEFLTS has the PKGSEC option set to APPROVER.
When PKGSEC=APPROVER, the user performing an action against a package must be an approver of this package.
With this option, if none of the users who were approvers of a package can perform the action any longer for any reason (for example, if they leave the company), nobody else can perform the action.
Using the Endevor External Security Interface (ESI) to control access to Endevor Package actions as opposed to Package approver authority best addresses the situation where approvers of a package may no longer work at the company.
ESI eliminates the need for approvers to be the only users allowed to perform actions against a package after it is CAST.
It allows modifications for situations where employees leave the company. Because security rules are defined only in the security product (CA ACF2, CA Top Secret, RACF), they will be updated as part of your normal process.
Endevor is working as designed and the PKGSEC=ESI option would address the issue raised.
If you still use the internal APPROVER group, i.e. the APPROVER group defined in the Endevor option "APPROVER GROUP" from the "Environment Options Menu", use the C1DEFLTS option PKGSEC=MIGRATE.
The solution in this scenario is to edit the C1DEFLTS, change PKGSEC=APPROVER to PKGSEC=MIGRATE or PKGSEC=ESI and recompile the C1DEFLTS to activate the new option.
PKGSEC= is an option in the C1DEFLTS Table that indicates the type of security that will control package actions after CAST.
These options are different in that:
- PKGSEC=APPROVER allows you to restrict package actions through approver groups.
- With PKGSEC=ESI in the C1DEFLTS table, all package actions, including APPROVAL, invoke ESI.
  To approve a package, the user must be a member of the approver group, whether it is an internal or external group.
  If you are a member of the approver group, an ESI call is made to check if you are authorized to perform the REVIEW action.
  You can perform the action if you are authorized; otherwise the action is denied.
  Note: If no approval groups are related to an inventory location, the package is automatically approved. QUORUM must be set to one or more.
- PKGSEC=MIGRATE - Once a package is created, cast and approved, the rules for ESI are invoked.
  The first security call after the package is approved is a call to the approver group.
  If you are a member of the approver group, the package action is allowed.
  If you are not a member of the approver group, an ESI call is made to see if you are authorized to perform the action.
  If you are authorized, the action is granted.
  If you are not authorized, the action is denied.
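
The following is an added illustration, not Endevor code: a simplified Python model of the three PKGSEC decision paths as this article describes them, run against the scenario where the original approvers are gone. The user IDs, the EXECUTE and APPROVE action labels, and the ESI rule set are constructed sample data; the automatic approval case from the note above is not modelled.

```python
# Simplified model of the PKGSEC rules described in this article.
# Illustration only: user IDs, action labels and ESI rules are constructed.

def esi_permits(esi_rules, user, action):
    """Stand-in for the ESI call answered by ACF2, Top Secret or RACF."""
    return (user, action) in esi_rules

def package_action_allowed(pkgsec, user, action, approvers, esi_rules):
    """Decide one package action after CAST for a given PKGSEC setting."""
    is_approver = user in approvers
    if pkgsec == "APPROVER":
        # Only approvers of the package may act; ESI is never consulted,
        # which is why the ESI trace shows no error when the job is denied.
        return is_approver
    if pkgsec == "ESI":
        if action == "APPROVE":
            # Approval needs group membership plus ESI authority for REVIEW.
            return is_approver and esi_permits(esi_rules, user, "REVIEW")
        return esi_permits(esi_rules, user, action)
    if pkgsec == "MIGRATE":
        # After approval: approver group is checked first, ESI is the fallback.
        return is_approver or esi_permits(esi_rules, user, action)
    raise ValueError(f"unknown PKGSEC value: {pkgsec}")

def compare_modes(user, action, approvers, esi_rules):
    """Return the decision under each PKGSEC setting for the same request."""
    return {mode: package_action_allowed(mode, user, action, approvers, esi_rules)
            for mode in ("APPROVER", "ESI", "MIGRATE")}

# Constructed scenario: USERA and USERB approved the package and have since
# left; USERC is not an approver but has an ESI rule permitting EXECUTE.
APPROVERS = {"USERA", "USERB"}
ESI_RULES = {("USERC", "EXECUTE")}

if __name__ == "__main__":
    for mode, ok in compare_modes("USERC", "EXECUTE", APPROVERS, ESI_RULES).items():
        print(f"PKGSEC={mode:<8} USERC EXECUTE -> {'allowed' if ok else 'denied'}")
```
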