Alternate ID Swapping for DB2 Binds, Under CA Endevor Change Manager

Document ID : KB000009569
Last Modified Date : 23/07/2018
Show Technical Document Details
Introduction:

Alternate ID Swapping for DB2 Binds, Under CA Endevor Change Manager

Instructions:
For sites using the ALTID who would like to extend this functionality to their DB2 binds, a few adjustments to their current bind processor(s) are needed.
The coding of LGNT$$$I and LGNT$$$O statements in a processor's BIND step will automatically invoke the code to perform the swap to the Endevor Alternate ID (ALTID).

Sample processor steps:

//***************************************************************
//*  BUILD A CLIST TO OPEN/CLOSE LGNT$$$ FILES AND DO THE BIND  *
//***************************************************************
//BINDCLST EXEC PGM=IEBGENER,MAXRC=4
//SYSOUT     DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSIN         DD DUMMY
//SYSUT2   DD DSN=&C1USERID..&C1ELEMENT..BIND(BINDCLST),
//          DISP=(NEW,PASS,DELETE),
//          SPACE=(TRK,(1,1,1)),
//          DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//SYSUT1 DD *
PROC 0
CONTROL MSG
WRITE ** ALLOCATING FILES                                  
ALLOC FILE(LGNT$$$I) DUMMY                                 
ALLOC FILE(LGNT$$$O) DUMMY                                 
WRITE ** SWAP ID TO ALTERNATE                              
OPENFILE LGNT$$$I                                          
WRITE ** BIND PLAN USING ALTERNATE ID DSN SYSTEM(DSN6)                                           
BIND PLAN(SQLASM01) MEM(SQLASM01) VAL(RUN) ACT(REP) ISO(RR) END                                                        
WRITE ** OPEN AND SWAP ID BACK TO USERS ORIGINAL ID        
CLOSFILE LGNT$$$I                                          
OPENFILE LGNT$$$O                                          
CLOSFILE LGNT$$$O                                          
FREE FILE(LGNT$$$I)    
FREE FILE(LGNT$$$O)
/*
//* Change SQLASM01 by plan name (Use &C1ELEMENT or other symbolic)
//*****************************************************************
//*  BIND APPLICATION PLAN IF EXECUTING IN FOREGROUND             *
//*  NOTE: ATTEMPTING TO RUN THIS STEP IN BG WILL RESULT IN RC=5  *
//*****************************************************************
//BINDFG  EXEC PGM=BC1PTMP0,MAXRC=5,COND=(4,LT),
//    PARM='&C1USERID..&C1ELEMENT..BIND(BINDCLST)'
//STEPLIB  DD DSN=&DB2LOAD,DISP=SHR
//DBRMLIB  DD DSN=&DBRMLIB,DISP=SHR
//SYSUDUMP DD SYSOUT=&SYSOUT
//*****************************************************************
//*  BIND APPLICATION PLAN IF EXECUTING IN BACKGROUND             *
//*****************************************************************
//BINDBG  EXEC PGM=IKJEFT1B,COND=(5,NE,BINDFG),MAXRC=7
//* IKJEFT1B WILL PASS DB2 RETURN CODES BACK TO THE CALLER
//STEPLIB  DD DSN=&DB2LOAD,DISP=SHR
//DBRMLIB  DD DSN=&DBRMLIB,DISP=SHR
//SYSPROC  DD DSN=&C1USERID..&C1ELEMENT..BIND,DISP=SHR
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
%BINDCLST 
//*


After the open of the LGNT$$$I file, the address space ASXBUSER will be the alternate id.
After the open of the LGNT$$$O file, the address space ASXBUSER will be swapped back to the user's id.
The open triggers this code.
The main use of this feature is to allow binds of DB2 plans to occur under the control of the alternate id rather than the user's id, when the bind is occurring during processor execution.

Swapping the ASXBUSER ID does not impact security checks for RACF, ACF/2 or TOPSECRET.
These products all check security at the task (TCB) level.

Notes: ASXBUSER is used as the DB2 primary authorization id and is a 7character field. If you are going to use this feature, it requires that the Endevor Alternate ID be the maximum of 7 characters long.

ASXBUSER is not used by RACF for determining the userid's membership in security groups.
Usage of this feature requires that the Endevor alternate id be assigned the necessary DB2 authority to issue the bind. Attempts to use this feature by assigning the alternate id to a group that has the necessary authority will fail with DB2 authorization errors.

To successfully swap the ASXBUSER field back to the original value, it is necessary that the opens for the LGNT$$$I and
LGNT$$$O files occur in the same processor step as the DSN subcommand.