Endevor is a source code management and release management tool for mainframe computers running z/OS .[1] It is part of a family of administration tools by CA Technologies (formerly Computer Associates, and now part of Broadcom), which is used to maintain software applications and track their versions as well as automate lifecycle activities like builds and deployments.[2]
The word ENDEVOR is an acronym which originally stood for Environment for Developers and Operations but is now the formal product name for CA's flagship mainframe Application Lifecycle Management source control product. It also competes against another CA source code management tool, Panvalet.
Endevor provides control of source and related code objects as individual elements. The reference "element" is used to define the smallest object for which Endevor controls. Standard source control functions are supported for element control including ADD, UPDATE, DELETE, MOVE, GENERATE, TRANSFER, SIGNIN and SIGNOUT.
Elements are edited under an associated lifecycle of Environments and Stages with changes typically being made from a development entry stage down the map from other environments like QA or PROD. Changes can also be introduced up the map in higher environments to facilitate things like emergency fixes. The lifecycle is also used to enable parallel development, either by creating multiple static paths to production with a merge point at some point in the map. Dynamically added “branches” can also be created using Sandboxes and in an upcoming feature, using dynamic environments.
Endevor functions can be accessed interactively using 3270 ISPF panels or in batch mode using JCL and the Endevor API. Many functions executed in interactive mode are completed in batch mode. Newer interfaces exist now as well, including a Zowe conformant REST API and CLI plugin, an Eclipse Interface, a VS Code interface and an interface for Git. All Endevor element functions are described using a proprietary Software Control Language.
The ADD instruction can be used to define a new element to an Endevor stage or add a previously registered element to the first stage in a define lifecycle. The ADD function invokes a generate processor which then executes all actions required to register or update the element metadata and process outputs. Generally, the result of issuing an ADD function is that the element will be registered to the target Endevor stage, or the element registration will be updated in the target stage and the appropriate generate processor will be invoked.
Generally, result of invoking a generate processor is that the source code is copied to the appropriate source library and, in the case of programs, the source is compiled and linked and the load modules are copied to the target stage load libraries.
The move function moves an element registration from the target to the source stage and also, by invoking a move processor, moves the element output objects from the target to source libraries.
An element can only moved along a pre-defined lifecycle.
Deletes the target element registration and deletes the associated element source and load modules.
Moves an element from any source stage to any target stage. The TRANSFER function is used to bypass pre-defined lifecycles.
Generate outputs. In the case of programs this includes the program LOAD module/s, DBRM and source. A GENERATE is generally executed immediately following an ADD or UPDATE.
Endevor separates the control of source from the objects used as input and the objects created as output when an action is performed. In most cases, an element is stored internally by Endevor as the code base with subsequent changes stored as deltas. As such, control of source happens internally to Endevor and source control actions are separate from changes to objects in the output libraries which includes load modules and copies of processed code.
Endevor controlled libraries are secured with a mainframe security product such as RACF or ACF. The Endevor application executes system actions using two dedicated system accounts for which have the access to write to Endevor controlled libraries. As a general rule general mainframe users are prohibited from modifying Endevor controlled libraries. This ensures that the only way to generate and promote code is via Endevor and provides an audit trail of all changes.
Output libraries controlled by Endevor are used to store the following types of objects:
This allows for the users of Endevor, such as developers, to be separated from the control of the objects which they modify using Endevor functions. As Endevor provides an interface for creating, modifying, moving, deleting and transferring elements via pre-defined lifecycles there is no need for any end user to have alter or update access to libraries controlled by Endevor. This ensures that an audit trail is maintained for all actions and that the resulting objects controlled by Endevor can be trusted.
Endevor supports release management, as defined by ITIL in the form of package control. Two options are available for package security - native Endevor security or Endevor External Security Interface (ESI).
Endevor supports release management in the form of package control. A package is a container for Endevor SCL and associated control information for code release. At a minimum a package has a name, an execution window defined the time range for when the package can be executed, notes about the package, various flags and at least one value SCL statement.
A key attribute of package control is that security approver groups can be linked to each package. Each security group specifies a list of users authorised to act for that group with a set quorum per group.
Any Endevor stage which is flagged as being packaged controlled requires all actions to be executed using a package. This allows for defined systems development lifecycle stages to have set approvers and controlled releases.
As the Endevor product does not have a scheduling component a third party tool such as IBM Tivoli Workload Scheduler or CA7 must be used to execute Endevor packages according to release schedule.
Endevor native security is a built in security option which allows Endevor Administrators to define approver groups per Endevor Environment, approver group relationships per Endevor Environment and security tables per Endevor Environment and for specific Endevor functions.
Each approver group can have up to 16 userids. The first userid in an approver group is generally always set to be the Endevor internal system userid "NDVR" which grants the Endevor (batch) system the authority to execute package actions. This is due to the security model within Endevor for which requires explicit security access. This means that if the internal Endevor system userid is not linked into one of the approver groups when a package is cast then the Endevor (batch) system can not execute commands against that package.
Each approver in an approver group can be defined as being a mandatory or optional approver by specifying a flag in the approver group definition. The default configuration for Endevor approver groups is that no one specific approver in an approver group is mandatory.
Each approver group has a set quorum for which can be set to 0 to 16. Generally, an approver group will have a quorum of 1, meaning that at least one of the users listed in the approver group needs to approve the package in order for the package to progress to the APPROVED status. An approver group quorum of zero is used for approver groups where the users either need to be informed of package actions or users require the ability to DENY a package but are not explicitly required to approve. Where an approver group with a quorum of zero is attached to a package the approval state is automatically set to APPROVED for that group.
The quorum of zero is normally used for a scenario where a specific approver group requires the ability to deny a package in a situation where approval is automatic.
There is no limit to how many approver groups can be linked to a single package. Which approver groups are linked to a package is based on the approver group rules. As a general rule, when package control is used for an Endevor stage then every Endevor system will have at least one approver group for that stage and the approver group would have a quorum of zero. This means for every system referenced in the package there will be at least one approval required.
Approver groups can be dynamically altered by Endevor exits at cast time, for example, to change the quorum, link an additional approver group, or to add or remove users from an approver group. These changes are only applicable to the package being cast and are not permanent changes to approver group configuration.
Endevor also has a function to allow approvers to be interactively dynamically added to an approver group after a package is successfully cast.
Security tables are standard mainframe compiled assembler reference binary lookup tables. The table source is standard declared name pair mainframe table compiled (ASMA90) and linked (IEWL) assembler lookup (CONSDEF, TYPE=, TABLE=, GROUP=, USERID=) which is stored in a load library and referenced as a binary object by the Endevor security system as defined via the C1DEFLTS configuration module. Generally, there is one security table per Endevor environment, however a single security table can be referenced by multiple environments. These tables are where the access for Endevor functions is defined when using native security.
Access to Endevor Environments is defined by a single security table per Endevor environment. This security table defines the access control lists defined by groups for which users are assigned to and lists the stages for which users can interact with. Access can then be granted to one or more users based on the user's mainframe userid as a static value or using $ as a wildcard for 'any character'.
A user can be defined to multiple groups with least restrict access rules being applied.
Each Endevor environment has a granular breakdown of functions specific to that environment. This controls the ability for users to execute specific SCM functions such as ADD, UPDATE, DELETE, MOVE.
Endevor security tables are compiled and linked on the mainframe using the standard assembler compiler ASMA90 and linked using IEWL. A security table can be defined per Endevor environment to provide granular control for element actions down to per user if required.
Endevor administrators can modify Endevor functions and capture information using exits. There are several exit types, each attached to a specific Endevor function. Exits are generally written as COBOL or Assembler programs but theoretically can be any language that can be compiled and linked on z/OS. An exit will specify where in the exit tree that the code will be executed and what will be affected.
As an example, an exit could be written to trigger "before package cast" to link an additional approver group to the package being cast. As an example, an exit could fail the generate action where the CCID is invalid (a CCID is used to associate a change number or other ID with a related element action).
An Endevor exit program has access to most of the information relevant to the action being performed, for example name of the package, package action, package contents, etc.
Exits are generally used to enforce system policy and enhance Endevor functionality. In particular, exits are used to deny end users from executing actions which would subvert the integrity of the system development life cycle process.
An exit is generally used to determine when and to whom to send emails to, for example to notify Endevor approvers that a package is waiting to be reviewed or that a package has been reset.
Primary Endevor element functions, including GENERATE DELETE and MOVE, execute programs written in an Endevor specific language similar to JCL to perform SCL functions such as moving source code and load modules.
Every generate, move and delete action is executed by calling a processor. Every type has at least one processor defined for which lists the name of the processor that performs the action required. The default system processor executes a standard copy, move or delete action.
Processor code looks like and executes similar to JCL. Processors can use both Endevor symbols and Endevor variables. Endevor systems are defined by a specific symbol table which is essentially a list of name pair values.
Where a processor is not defined to a type / processor group / function, being generate delete or move, the default processor is invoked. The default process moves the element BASE, DELTA and SOURCE OUTPUT LIBRARY objects from the source libraries to the target libraries as defined by the element TYPE.
Endevor maintains configuration control for each element registered in the system. Every element is distinguished by the element name, system, subsystem and type. The type definition determines how the element is stored and how subsequent changes, known as deltas, are handled.
Example of an Endevor TYPE definition for COBOL objects. In this example the type is COBOL in the TEST environment.
DISPLAY ---------------------- TYPE DEFINITION ------------------------------ COMMAND ===>
CURRENT ENV: TEST STAGE ID: T SYSTEM: FINANCE TYPE: COBOL NEXT ENV: PROD STAGE ID: P SYSTEM: FINANCE TYPE: COBOL
DESCRIPTION: COBOL II UPDATED: 02JAN03 08:42 BY NDVADM ----------------- ELEMENT OPTIONS ------------------- FWD/REV/IMG DELTA: F (F/R/I) COMPRESS BASE/ENCRYPT NAME: Y (Y/N) DFLT PROC GRP: COBOL REGRESSION PCT: 75 REGR SEV: C (I/W/C/E) SOURCE LENGTH: 80 COMPARE FROM: 1 COMPARE TO: 72 AUTO CONSOL: Y (Y/N) LANGUAGE: COBOL PV/LB LANG: COB CONSOL AT LVL: 95 HFS RECFM: NL (COMP/CR/CRLF/CRNL/F/LF/NL/V) LVLS TO CONSOL: 40 DATA FORMAT: T FILE EXT: ------------- COMPONENT LIST OPTIONS ---------------- FWD/REV DELTA: F (F/R) AUTO CONSOL: Y (Y/N) CONSOL AT LVL: 96 LVLS TO CONSOL: 50 -------------------- LIBRARIES --------------------- BASE/IMAGE LIBRARY: NDVR.&C1ST..BASE.SORCLIB DELTA LIBRARY: NDVr.&C1ST..DELTA.COBOL INCLUDE LIBRARY: SOURCE O/P LIBRARY: NDVR.&C1ST..SORCLIB EXPAND INCLUDES: N (Y/N)
In the example shown the code related objects in the BASE library, DELTA library and SOURCE Output library are handled by the Endevor system not by the processor. The system uses these values to determine the source and target locations.
Types controlled by Endevor generally include COBOL, Assembler, JCL, REXX, ISPF Panels, ISPF Skeletons and parms. In this manner Endevor can be configured to handle most mainframe files.
Endevor has several programs for which extend the primary Endevor functions.
Program | Purpose |
---|---|
Quick-Edit | Standalone program to shortcut the process of element checkout, retrieve and checkin |
Parallel Development Manager | A tool allowing developers to integrate parallel changes from other developers into their own changes |
ACM | Automated configuration control which automatically tracks Endevor element component information and dependencies |
Footprint Synchronization | Allows binaries to be traced back to the source code that created them by embedding footprint data in the binary for enhanced auditability and governance. |
Integrations for Enterprise DevOps | Provides purpose built integrations between CA Endevor and popular DevOps tools, including the leading Enterprise Git repositories, allowing next generation developers to collaborate with traditional developers by synchronizing Git repos with CA Endevor inventory locations. |
Eclipse Plugin | Allows direct connection to Endevor from an Eclipse-based IDE to work with elements and packages |
VS Code Extension | Allows direct connection to Endevor from a VS Code-based IDE to work with elements. |
Zowe CLI Plugin | Allows direct connection to Endevor using the Zowe CLI framework, facilitating command line interaction with Endevor from any platform and integration via shell scripting in DevOps tools. |
Endevor provides multiple methods for installing and accessing distinct separate instances of Endevor for which are installed on the same LPAR. As a general rule, one version of Endevor is installed and used per LPAR.
The same functionality for source control and release management functions are provided by several other products.
Endevor integrates with IDz (IBM Developer for zOS) and other Eclipse based IDEs. Developers can code in the IDz IDE and seamlessly interface with Endevor to manage their changes. A basic VS Code extension for Endevor called Explorer for Endevor is also available. The Zowe CLI plugin is also designed to allow integration to common DevOps tools by allowing Endevor operations to be scripted.