Hi all
I'd like to try to clarify the relationship between the Endevor alternate ID and program pathing.
The security identity of an MVS address space (job, started task, TSO session ...) is represented by an ACEE control block (Accessor Control Execution Environment) pointed to by the ASXBSENV field in the ASXB block (Address Space eXtension Block) that represents the address space.
A subtask that runs within an address space may inherit the identity of the address space or have its own identity, represented by an ACEE pointed to by the TCBSENV field in the TCB (Task Control Block) that represents the subtask.
The Endevor alternate ID mechanism works by temporarily swapping the original ACEE associated with the subtask or the address space for an ACEE that represents the Endevor alternate ID. If this is done, for example, before letting MVS process an OPEN request, all effects of the OPEN are performed under the security scope of the alternate ID, while in fact Endevor is being executed under the security scope of the user.
During processing of the OPEN, MVS asks the security product whether the OPEN has to be allowed. Obviously, the security product decision is based on the identity associated with the task, but it MAY also consider other factors, like for example, any program pathing rules in effect for the combination of the dataset, program and user (in this case, the endevor alternate ID).
In a few words, the alternate ID is totally under the control of Endevor, which decides when to swap the security scope to that of the alternate ID. However, the use of program pathing rules is totally up to the security product and is not requested by Endevor by any means.
Regards - Eduard
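As an added illustration of the sequence Eduard describes (this is a constructed toy model written for this thread, not Endevor, ACF2, Top Secret or z/OS code; the user IDs, dataset names, program names and rule shapes are all made up), the model below keeps an address-space identity and an optional task identity, lets "Endevor" swap the task identity for the alternate ID strictly around an OPEN, and lets a separate "security product" decide the OPEN from whatever identity is in effect, optionally consulting program pathing rules that Endevor never asks for:

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed toy model of the ACEE swap; none of this is real mainframe code.

@dataclass
class ACEE:
    """Stands in for the ACEE: the identity the security product sees."""
    userid: str

@dataclass
class ASXB:
    """Address-space level identity (the ASXBSENV pointer)."""
    senv: ACEE

@dataclass
class TCB:
    """Subtask-level identity (the TCBSENV pointer); None means inherit from the ASXB."""
    senv: Optional[ACEE] = None

def effective_acee(asxb: ASXB, tcb: TCB) -> ACEE:
    """The identity in effect for a task: its own ACEE if it has one, else the address space's."""
    return tcb.senv if tcb.senv is not None else asxb.senv

@dataclass
class DatasetRule:
    dsn_mask: str      # fnmatch-style mask, e.g. "PROD.SRC.*" (made-up rule format)
    userid: str
    allowed: bool

@dataclass
class PathingRule:
    dsn_mask: str
    program: str       # program that must be the one issuing the OPEN
    userid: str
    allowed: bool

class SecurityProduct:
    """Toy decision engine: a matching pathing rule wins, else plain dataset rules, else deny."""
    def __init__(self, dataset_rules, pathing_rules):
        self.dataset_rules = dataset_rules
        self.pathing_rules = pathing_rules

    def check_open(self, dsn, program, acee):
        for r in self.pathing_rules:
            if r.userid == acee.userid and r.program == program and fnmatchcase(dsn, r.dsn_mask):
                return r.allowed, f"pathing rule {r.dsn_mask}/{r.program}/{r.userid}"
        for r in self.dataset_rules:
            if r.userid == acee.userid and fnmatchcase(dsn, r.dsn_mask):
                return r.allowed, f"dataset rule {r.dsn_mask}/{r.userid}"
        return False, "no matching rule (default deny)"

def mvs_open(security, dsn, program, asxb, tcb):
    """What MVS does during OPEN: ask the security product about the identity in effect."""
    return security.check_open(dsn, program, effective_acee(asxb, tcb))

def endevor_open(security, dsn, asxb, tcb, altid):
    """Endevor's side: swap TCBSENV to the ALTID ACEE around the OPEN, then restore it."""
    saved = tcb.senv
    tcb.senv = altid
    try:
        return mvs_open(security, dsn, "ENDEVOR", asxb, tcb)
    finally:
        tcb.senv = saved   # the swap is bounded by the OPEN; Endevor itself runs as the user

def demo():
    """Run the same OPEN under the different identities/rule sets and collect the decisions."""
    user, altid = ACEE("DEV01"), ACEE("NDVRALT")          # made-up IDs
    asxb, tcb = ASXB(senv=user), TCB()
    dsn = "PROD.SRC.COBOL"                                # made-up dataset
    # Site A: the security product enforces program pathing for the ALTID.
    with_pathing = SecurityProduct(
        dataset_rules=[DatasetRule("PROD.SRC.*", "DEV01", False)],
        pathing_rules=[PathingRule("PROD.SRC.*", "ENDEVOR", "NDVRALT", True)],
    )
    # Site B: no pathing rules at all; the ALTID simply has dataset access.
    no_pathing = SecurityProduct(
        dataset_rules=[DatasetRule("PROD.SRC.*", "DEV01", False),
                       DatasetRule("PROD.SRC.*", "NDVRALT", True)],
        pathing_rules=[],
    )
    return {
        "user_direct": mvs_open(with_pathing, dsn, "IEBGENER", asxb, tcb),
        "user_in_endevor_no_swap": mvs_open(with_pathing, dsn, "ENDEVOR", asxb, tcb),
        "altid_with_pathing": endevor_open(with_pathing, dsn, asxb, tcb, altid),
        "altid_no_pathing": endevor_open(no_pathing, dsn, asxb, tcb, altid),
        "identity_after_open": effective_acee(asxb, tcb).userid,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two "site" rule sets make the last paragraph concrete: Endevor does exactly the same thing (swap, OPEN, restore) in both, and whether program pathing plays any part in the decision is decided entirely by which rules the security product holds. The `finally` restore is also the reason the user's own identity is back in effect for everything Endevor does outside the OPEN.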
Original Message:
Sent: Jun 14, 2022 07:15 AM
From: Philip Gineo
Subject: Conversion from program-pathing to ALTID
Hi Leanne,
In the isolated test LPAR, I recommend you get another TSO ID with access levels like a traditional developer. When testing the conversion to ALTID or other changes, you should use that TSO ID as appropriate.
Regards,
Phil
------------------------------
Phil Gineo
Manager, Systems Engineering
Aetna / CVS Health
Hartford Connecticut USA
Original Message:
Sent: Jun 13, 2022 08:32 PM
From: Leanne Hayes
Subject: Conversion from program-pathing to ALTID
Thanks John and Phil for the feedback.
That first point about ALTID overriding any and all program pathing would seem to be the most important thing to know from the get-go, so I'm surprised that this wasn't mentioned in the support case I raised about this. It sounds like this will make it easier to convert, which is encouraging.
Was it maybe temp datasets that might have used the user's personal access instead of AltID? If I have to investigate all processors beforehand (there are bazillions here, mostly duplicates of each other - grrrrrr) that will be huge. Was there some sort of pattern to the datasets that didn't use AltID that might help me identify them up front?
You lost me on the 4th point. Is that just relevant to Top Secret? We're ACF2 here. If I ask the ACF2 person creating the AltID to "explicitly declare in its definition to initiate STC as one of its TSS functions", would that make more sense to them?
Phil, the suggestion to test the change in a different LPAR got me wondering about whether we should go down that track. Generally, any testing done in a "test Endevor" location (e.g. for a new release) would be done by an Endevor admin who has different security access to most users, so it might all seem fine but, when put into the real Endevor world, get a different result anyway. How did you approach this, John? Did you try it elsewhere or just switch it on, sit back and see who screams?
Original Message:
Sent: Jun 13, 2022 08:22 AM
From: Philip Gineo
Subject: Conversion from program-pathing to ALTID
Hi John,
We've always used ALTID.
I'm sure you're doing this - a change this big should be tested in an isolated LPAR, where there would be no internal customer impact if things didn't work out as planned.
Regards,
Phil
------------------------------
Phil Gineo
Manager, Systems Engineering
Aetna / CVS Health
Hartford Connecticut USA
Original Message:
Sent: Dec 15, 2020 09:57 AM
From: John Dueckman
Subject: Conversion from program-pathing to ALTID
Hi all!
I was wondering if anyone would be willing to share their experiences and "gotchas" during a conversion of their Endevor security from program-pathing to ALTID.
All comments/testimonials welcome! :)
------------------------------
Consultant
John D Consulting Inc.
------------------------------