search cancel

Use of CA Endevor SCM Alternate ID and USS

book

Article ID: 49368

calendar_today

Updated On:

Products

Endevor Software Change Manager (SCM)

Issue/Introduction

When using a USS Base Library, Endevor source management accesses the library using the alternate ID. Endevor also uses the alternate ID when it accesses a USS Source Output Library in the Endevor reserved processors BASICGEN and BASICDEL.

 

Environment

Release: 18.0 18.1 
Component: Endevor Software Change Manager 

Resolution

When using a USS Base Library, Endevor source management accesses the library using the alternate ID.Endevor also uses the Alternate ID when it accesses a USS Source Output Library in the Endevor reserved processors BASICGEN and BASICDEL.

Processor Step Execution Security Context

  1. Processor steps are executed, by default, under the security context of the Endevor Alternate ID.

  2. When the "ALTID=N" parameter is specified on the processor step, the step is executed under the security context of the userid rather than the Endevor Alternate id.

The security context used for USS file access in processor steps is determined by the above.  USS data sets created in processor steps using PATHOPTS=(OCREAT) are created using the security context of the user ID, prior to the invocation of the processor program. When used in the processor step, these data sets are opened using the security context of the processor step.

 

Using EXEC PGM=BPXBATCH in a processor step

The security context of a processor step executing the IBM USS utility program BPXBATCH depends on the following factors:

  • Whether BPXBATCH runs a shell scrip (PARM='SH') or directly executes an executable file (PARM='PGM').

  • The settings of Environment variables _BPX_BATCH_SPAWN and _BPX_SHAREAS.

We recommend BPXBATCH be invoked directly as processor step.

Table-1 shows combinations of these parameters and settings with the resulting security context of the processor step executing BPXBATCH:

BPXBATCH parameter _BPX_BATCH_SPAWN _BPX_SHAREAS Security context
SH Any Any Alternate ID
PGM NO n/a Alternate ID
PGM YES NO Alternate ID
PGM YES YES User ID

 

Table-1

Calling BPXBATCH in an IKJEFT01 processor step

Note: We do not recommend the use of BPXBATCH in an IKJEFT01 step, because the results can be unpredictable.

Whether BPXBATCH invoked by a CLIST or REXX in a processor step executing IKJEFT01 executes under the context of the alternate ID depends on the following two additional factors:

  • Whether or not a LGNT$$$I swap was performed prior to the invocation of BPXBATCH.

  • Whether or not a prior USS service call was made in the job step prior to the BPXPBATCH call. For example, the prior USS service call could occur when a USS Base or Source Output Library was used during the Endevor job step, or when a shell script was executed in this or any prior Endevor action.

Table-2 shows the Security context results from these two additional factors when calling BPXBATCH from a processor step that executes IKJEFT01:

LGNT$$$I swap performed Prior USS Service call made Security context
Yes No Alternate ID
Yes Yes failure
No No User ID
No Yes User ID

 

Table-2

Use of BPXBATSL, BPXBATA2 and BPXBATA8

These three programs always run under the context of the user ID, because they process requests in the same manner as the last row in table-1 (_BPX_BATCH_SPAWN=YES, _BPX_SHAREAS=YES).