How can it be that the Web Services started task(s) raise security violation for resources in the JESSPOOL resource class?

Document ID:  TEC1889319
Last Modified Date:  07/03/2017
{{active ? 'Hide' : 'Show'}} Technical Document Details

Products

  • CA Endevor Software Change Manager

Releases

  • CA Endevor Software Change Manager:Release:17.0
  • CA Endevor Software Change Manager:Release:18.0

Components

  • CA Endevor Software Change Manager:ENDBAS
Question:

How can it be that the Web Services started task(s) raise security violation for resources in the JESSPOOL resource class?

Answer:

This may happen the system protects JES2 resources by having resource class JESSPOOL active in RACF and also the JCL for the Web Services started task has any DD statement defined as SYSOUT. For example, //BSTERR DD SYSOUT=*

The reason is that the spool datasets defined in the STC JCL are owned by the userid assigned to the started task (because they are allocated by MVS during the initialization of the STC). Later on, during processing of the Web Services requests, the userid is swapped to that of the client (for example, the MVS userid specified in the Eclipse Plugin).

If endevor or any user program (processor step program or user exit) try to write to any of these ddnames, it means that aone user (the client's ID) is trying to update spool dataset(s) owned by another user (the started task user). If the client is not authorized to do that, this will result in a security violation similar to the following:

ICH408I USER(USER01 ) GROUP(GROUP01) NAME(DOE, JOHN) 150
MVS01.WSEWSSTC.WSEWSSTC.STC82932.D0000105.? CL(JESSPOOL)
INSUFFICIENT ACCESS AUTHORITY
FROM MVS01.** (G)
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
$HASP708 WSEWSSTC EN$DPMSG OPEN FAILED 151
RC=11 AUTHORIZATION FAILURE
DSNAME=WSEWSSTC.WSEWSSTC.STC82932.D0000105.?
IEC150I 913-74,IGG0199G,WSEWSSTC,WSEWSSTC,EN$DPMSG 152

The violations can be cleared by giving the client userids authority to update spool datasets owned by the STC userid as described in RACF Security Administration Guide.

For reference, the resource names in the JESSPOOL resource class are built as follows:

  • JES2 node ID
  • Owner ID (the userid associated with the Web Services STC)
  • Jobname (name of the Web Services STC)
  • Jobid (specific to each particular run of the STC)
  • Spool dataset ID (specific to each ddname within the JCL)
  • (optional) Value specified in DSN= parameter in the DD statement. If none, contains a question mark.

Please help us improve!

Will this information enable you to resolve your issue?

Please tell us what we can do better.

{{feedbackText.length ? feedbackText.length : '0'}}/255

{{status}}

Not what you were looking for?

Search Again >

Product Information

Support by Product >

Communities

Join a Community >

Chat with CA

Just give us some brief information and we'll connect you to the right CA ExpertCA sales representative.

Our hours of availability are 8AM - 5PM CST.

All Fields Required

connecting

We're matching your request.

Unfortunately, we can't connect you to an agent. If you are not automatically redirected please click here.

  • {{message.agentProfile.name}} will be helping you today.

    View Profile


  • Transfered to {{message.agentProfile.name}}

    {{message.agentProfile.name}} joined the conversation

    {{message.agentProfile.name}} left the conversation

  • Your chat with {{$storage.chatSession.messages[$index - 1].agentProfile.name}} has ended.
    Thank you for your interest in CA.


    Rate Your Chat Experience.

    {{chat.statusMsg}}

agent is typing