

The Alternate ID

When defining your environment, you can optionally specify a RACF ID, known as the CA Endevor SCM Alternate ID, in your C1DEFLTS table. This ID is used when accessing CA Endevor SCM controlled resources such as the MCF, package data sets, processor data sets, or the element catalog. If an Alternate ID has been specified, it is used instead of the user ID when accessing these resources.

If the OPEN SVC screen detects that the OPEN was issued from CA Endevor SCM I/O modules, and the target file appears to be a CA Endevor SCM file, then the TCBSENV field is swapped to the Alternate ID, causing the task to run under the security context of the Alternate ID. When the OPEN completes, the field is swapped back to its earlier value. This logic is bypassed if ALTID=N is coded.

Note: The External Security Interface (ESI) never switches to the CA Endevor SCM Alternate ID. ESI is used to determine whether a user has the right to perform certain CA Endevor SCM actions. It performs this check by issuing a RACROUTE REQUEST=AUTH call to validate a user's access.

What the Alternate ID Controls

When activated, the alternate user ID is used when any of the following data set categories are accessed. An access level of UPDATE is required for these data sets. However, for the Master Control File, Element Catalog File, Element Index File, Package Control File, and ELIB VSAM data sets, an access level of CONTROL is required.

*If these are USS files, alternate ID support is not available for delta libraries, and support is limited for USS files accessed in processors and user exits. For more information, see Alternate ID Support for UNIX Files.

What the Alternate ID Does Not Control

Several categories of data sets can only be accessed by the user's originating TSO user ID. These data sets include:

Note: The alternate ID is not swapped on the creation or deletion of a data set or PDS in a processor. The user's TSO user ID must have authority to create or delete the data set or PDS.