Alternate ID Swapping for DB2 Binds, Under CA Endevor Change Manager

Document ID : KB000009569
Last Modified Date : 14/02/2018
Show Technical Document Details

Alternate ID Swapping for DB2 Binds, Under CA Endevor Change Manager


For sites using the ALTID who would like to extend this functionality to their DB2 binds, a few adjustments to their current bind processor(s) are needed. The coding of LGNT$$$I and LGNT$$$O statements in a processor's BIND step will automatically invoke the code to perform the swap to the Endevor Alternate ID (ALTID).

Sample processor steps:

//***************************************************************//*  BUILD A CLIST TO OPEN/CLOSE LGNT$$$ FILES AND DO THE BIND  *//***************************************************************//BINDCLST EXEC PGM=IEBGENER,MAXRC=4//SYSOUT DD SYSOUT=*//SYSPRINT DD SYSOUT=*//SYSIN DD DUMMY//SYSUT2 DD DSN=&C1USERID..&C1ELEMENT..BIND(BINDCLST),//          DISP=(NEW,PASS,DELETE),//          SPACE=(TRK,(1,1,1)),//          DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)//SYSUT1 DD *PROC 0CONTROL MSG WRITE ** ALLOCATING FILES                                   ALLOC FILE(LGNT$$$I) DUMMY                                  ALLOC FILE(LGNT$$$O) DUMMY                                  WRITE ** SWAP ID TO ALTERNATE                               OPENFILE LGNT$$$I                                           WRITE ** BIND PLAN USING ALTERNATE ID DSN SYSTEM(DSN6)                                            BIND PLAN(SQLASM01) MEM(SQLASM01) VAL(RUN) ACT(REP) ISO(RR) END                                                         WRITE ** OPEN AND SWAP ID BACK TO USERS ORIGINAL ID         CLOSFILE LGNT$$$I                                           OPENFILE LGNT$$$O                                           CLOSFILE LGNT$$$O                                           FREE FILE(LGNT$$$I)     FREE FILE(LGNT$$$O)/*//*****************************************************************//*  BIND APPLICATION PLAN IF EXECUTING IN FOREGROUND             *//*  NOTE: ATTEMPTING TO RUN THIS STEP IN BG WILL RESULT IN RC=5  *//*****************************************************************//BINDFG  EXEC PGM=BC1PTMP0,MAXRC=5,COND=(4,LT),//    PARM='&C1USERID..&C1ELEMENT..BIND(BINDCLST)'//STEPLIB   DD DSN=&DB2LOAD,DISP=SHR//DBRMLIB   DD DSN=&DBRMLIB,DISP=SHR//SYSUDUMP  DD SYSOUT=&SYSOUT//*****************************************************************//*  BIND APPLICATION PLAN IF EXECUTING IN BACKGROUND             *//*****************************************************************//BINDBG  EXEC PGM=IKJEFT1B,COND=(5,NE,BINDFG),MAXRC=7//* IKJEFT1B WILL PASS DB2 RETURN CODES BACK TO THE CALLER//STEPLIB   DD DSN=&DB2LOAD,DISP=SHR//DBRMLIB   DD DSN=&DBRMLIB,DISP=SHR//SYSPROC   DD DSN=&C1USERID..&C1ELEMENT..BIND,DISP=SHR//SYSTSPRT DD SYOUT=*//SYSTSIN DD *%BINDCLST  //*


After the open of the LGNT$$$I file, the address space ASXBUSER will be the alternate id. After the open of the LGNT$$$O file, the address space ASXBUSER will be swapped back to the user's id. The open triggers this code. The main use of this feature is to allow binds of DB2 plans to occur under the control of the alternate id rather than the user's id, when the bind is occurring during processor execution.

Swapping the ASXBUSER ID does not impact security checks for RACF, ACF/2 or TOPSECRET. These products all check security at the task (TCB) level.

Notes: ASXBUSER is used as the DB2 primary authorization id and is a 7character field. If you are going to use this feature, it requires that the Endevor Alternate ID be the maximum of 7 characters long.

ASXBUSER is not used by RACF for determining the userid's membership in security groups. Usage of this feature requires that the Endevor alternate id be assigned the necessary DB2 authority to issue the bind. Attempts to use this feature by assigning the alternate id to a group that has the necessary authority will fail with DB2 authorization errors.

To successfully swap the ASXBUSER field back to the original value, it is necessary that the opens for the LGNT$$$I and LGNT$$$O files occur in the same processor step as the DSN subcommand.