

MODHLI High-Level Qualifier and Security
The C1DEFLTS table MODHLI parameter affects security for client programs that access the API through Web Services, such as the Eclipse-Based UI, CA CMEW, or user-written client programs. This parameter has the following implications for Web Service clients:
- If a MODHLI value is coded, your security administrator must grant all user IDs access to all data sets with the MODHLI high-level qualifier (HLQ). This requirement applies to access under all security products, including RACF, CA Top Secret, and CA ACF2.
The reason for this requirement is as follows. For a client program to access the API, the user ID sent to CAICCI to spawn the pool of STCs and the user IDs that issue requests to Web Services must have read/write access to these data sets. To enable this, the MODHLI parameter causes the data set names to be built with this format:
modhli.Dyyddd.Thhmmss.STCnnnnn.ddname
- modhli: The value coded on the MODHLI parameter in the C1DEFLTS table.
- Dyyddd: Julian date.
  Note: If your site security package requires temporary data sets to follow IBM naming standards, then SYS is used instead of D, so that the node name is: SYSyyddd
- Thhmmss: Time in hours, minutes, and seconds.
- STCnnnnn: The job ID prefixed by STC.
- ddname: The unique qualifier for one of the nine API related files (APIMSGS, C1MSGS1, and so on).
- If a MODHLI value is not coded, then security is not affected, because the temporary data set names are built by the operating system with the standard temporary data set HLQ in the following format: SYSyyddd.Thhmmss.RA000.jobname.nnnnnn
- If your site uses RACF with the PROTECTALL option enabled, you must specify a value for MODHLI. When the Eclipse-Based UI, CA CMEW, or any other client program is used under RACF with the PROTECTALL option activated, security violations are issued unless MODHLI is defined. This occurs because the ID used to allocate the temporary files required by Web Services is different from the ID used to open the files. Specifically, the data sets are allocated under the context of the user ID provided on the CA Common Services Common Communications Interface (CAICCI) request to spawn the pool of STCs. The open and write requests are issued under the context of the user ID signed on to the client program that is issuing requests through Web Services.
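The two name formats above can be told apart mechanically, which helps when reviewing data set names that appear in security violation reports. The following is an added example, not code from CA or from this product: the function names, the sample HLQ `ENDWS` and the job name `WSPOOL1` are made up, and the last qualifier of the system-built name is accepted as any text because the page shows it only as nnnnnn.

```python
import re
from datetime import datetime

# z/OS qualifier: 1-8 characters, first one alphabetic or national (#, @, $).
QUAL = r"[A-Z#@$][A-Z0-9#@$-]{0,7}"
# modhli.Dyyddd.Thhmmss.STCnnnnn.ddname (SYSyyddd replaces Dyyddd at some sites)
MODHLI_RE = re.compile(
    rf"(?P<hlq>{QUAL})\.(?P<style>D|SYS)(?P<date>\d{{5}})\.T(?P<time>\d{{6}})"
    rf"\.(?P<stc>STC\d{{5}})\.(?P<ddname>{QUAL})")
# SYSyyddd.Thhmmss.RA000.jobname.nnnnnn (name built by the operating system)
SYSTEM_RE = re.compile(
    rf"SYS(?P<date>\d{{5}})\.T(?P<time>\d{{6}})\.RA000\.(?P<jobname>{QUAL})\.[^.]+")


def _created(match):
    """Turn yyddd + hhmmss into an ISO timestamp; None if not a real date/time."""
    try:
        stamp = datetime.strptime(match["date"] + match["time"], "%y%j%H%M%S")
    except ValueError:
        return None
    return stamp.isoformat()


def classify(dsn, modhli=None):
    """Classify one data set name; modhli (uppercase) pins the expected HLQ."""
    dsn = dsn.strip().upper()
    if len(dsn) > 44:  # z/OS data set names are at most 44 characters
        return {"kind": "other"}
    m = MODHLI_RE.fullmatch(dsn)
    if m and _created(m) and modhli in (None, m["hlq"]):
        return {"kind": "modhli", "hlq": m["hlq"], "created": _created(m),
                "stc": m["stc"], "ddname": m["ddname"],
                "ibm_temp_style": m["style"] == "SYS"}
    m = SYSTEM_RE.fullmatch(dsn)
    if m and _created(m):
        return {"kind": "system-temp", "jobname": m["jobname"],
                "created": _created(m)}
    return {"kind": "other"}


# Constructed sample names (ENDWS and WSPOOL1 are made-up values).
SAMPLES = [
    "ENDWS.D14032.T101530.STC04711.APIMSGS",
    "ENDWS.SYS14032.T101530.STC04711.C1MSGS1",
    "SYS14032.T101530.RA000.WSPOOL1.000123",
    "ENDWS.D14400.T101530.STC04711.APIMSGS",   # day 400 does not exist
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", classify(name, modhli="ENDWS"))
```

Names classified as `modhli` are the ones that need the HLQ-wide read/write access described above; `system-temp` names indicate that MODHLI is not coded.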
Copyright © 2014 CA.
All rights reserved.