The CA Endevor package ship option for the confirmation is not working correctly.

Document ID : KB000015042
Last Modified Date : 14/02/2018
Introduction:

The Endevor ship setup was defined as:

The RACF option BATCHALLRACF was defined on the host. What does this mean?

When you specify BATCHALLRACF, any batch job that does not have a RACF-defined user specified on the USER parameter of the JOB statement, or propagated security information associated with it, fails.

Specifying NOBATCHALLRACF allows such jobs to run.
 
To prevent unauthorized users from running batch jobs, enter the following:
SETROPTS JES(BATCHALLRACF)

RACF was raising a security violation when using the alternate user ID or the user ID defined in the package ship.

This was causing a deadly embrace since they could not run the confirmation at all.

 

Question:

How do I get around the problem of having BATCHALLRACF set and the IDs not being allowed access through RACF to run the confirmation step?

Answer:

This setup allows the confirmation to work correctly:

Issue the following RACF commands to the RACFVARS class to make RACF treat PRD2 as a local node to DEV8 (and vice versa).

On the PRD2 LPAR issue the following:
RALT RACFVARS &RACLNDE ADDMEM(DEV8)

On the DEV8 LPAR issue the following:
RALT RACFVARS &RACLNDE ADDMEM(PRD1)
RALT RACFVARS &RACLNDE ADDMEM(PRD2)

The problem came down to not having NJE set up to go from the production LPAR back to the development LPAR.