Use of CA Endevor SCM Alternate ID and USS

Document ID : KB000049368
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

When using a USS Base Library, CA Endevor SCM source management accesses the library using the alternate ID. CA Endevor SCM also uses the alternate ID when it accesses a USS Source Output Library in the CA Endevor SCM reserved processors BASICGEN and BASICDEL.

Solution:

When using a USS Base Library, CA Endevor SCM source management accesses the library using the alternate ID.

CA Endevor SCM also uses the alternate ID when it accesses a USS Source Output Library in the CA Endevor SCM reserved processors BASICGEN and BASICDEL.

Processor Step Execution Security Context

  1. Processor steps are executed, by default, under the security context of the CA Endevor SCM alternate ID.

  2. When the "ALTID=N" parameter is specified on the processor step, the step is executed under the security context of the userid rather than the CA Endevor SCM alternate id.

The security context used for USS file access in processor steps is determined by the above.

USS data sets created in processor steps using PATHOPTS=(OCREAT) are created using the security context of the user ID, prior to the invocation of the processor program. When used in the processor step, these data sets are opened using the security context of the processor step.

Using EXEC PGM=BPXBATCH in a processor step

The security context of a processor step executing the IBM USS utility program BPXBATCH depends on the following factors:

  • Whether BPXBATCH runs a shell scrip (PARM='SH') or directly executes an executable file (PARM='PGM').

  • The settings of Environment variables _BPX_BATCH_SPAWN and _BPX_SHAREAS.

We recommend BPXBATCH be invoked directly as processor step.

Table-1 shows combinations of these parameters and settings with the resulting security context of the processor step executing BPXBATCH:

BPXBATCH parameter_BPX_BATCH_SPAWN_BPX_SHAREASSecurity context
SHAnyAnyAlternate ID
PGMNOn/aAlternate ID
PGMYESNOAlternate ID
PGMYESYESUser ID

Table-1

Calling BPXBATCH in an IKJEFT01 processor step

Note: We do not recommend the use of BPXBATCH in an IKJEFT01 step, because the results can be unpredictable.

Whether BPXBATCH invoked by a CLIST or REXX in a processor step executing IKJEFT01 executes under the context of the alternate ID depends on the following two additional factors:

  • Whether or not a LGNT$$$I swap was performed prior to the invocation of BPXBATCH.

  • Whether or not a prior USS service call was made in the job step prior to the BPXPBATCH call. For example, the prior USS service call could occur when a USS Base or Source Output Library was used during the CA Endevor SCM job step, or when a shell script was executed in this or any prior CA Endevor SCM action.

Table-2 shows the Security context results from these two additional factors when calling BPXBATCH from a processor step that executes IKJEFT01:

LGNT$$$I swap performedPrior USS Service call madeSecurity context
YesNoAlternate ID
YesYesfailure
NoNoUser ID
NoYesUser ID

Table-2

Use of BPXBATSL, BPXBATA2 and BPXBATA8

These three programs always run under the context of the user ID, because they process requests in the same manner as the last row in table-1 (_BPX_BATCH_SPAWN=YES, _BPX_SHAREAS=YES).