IBM SC34-5764-01 Server User Manual


 
authorized. This is the logical place to define authorized users and libraries. The sublibrary containing the
CICSTART exec is treated as the initial “authorized command” and “authorized exec” sublibrary.
Because access to REXX/CICS libraries can easily be controlled, this is the logical counterpart to
controlling access to CICS production program libraries. Any commands that a site feels are sensitive
(such as READ, WRITE, and DELETE) could be defined as authorized in the production region. Only
authorized users could then create execs that issue authorized commands, and they would decide
whether all users, or only other authorized users, could invoke the execs that contain authorized
commands.
Note: You can control the ability of REXX/CICS execs to access external APIs by redefining the CICS
START, LINK, and XCTL commands as REXX/CICS authorized commands.
Security Definitions
This section discusses the security definitions for REXX/CICS: general users, authorized users,
authorized commands, authorized execs, and system libraries.
REXX/CICS General Users
REXX/CICS users that are not defined as authorized by the AUTHUSER command cannot use
REXX/CICS authorized commands. However, these users can define, write, alter, and use user commands
(defined using the DEFCMD command) and execs. Users can also use (but not define, create, or alter)
REXX/CICS authorized execs that reside in the CICEXEC library.
REXX/CICS Authorized Users
Authorized users are users who are defined by the AUTHUSER command and are allowed to use authorized
REXX/CICS commands (commands defined using the DEFCMD or DEFSCMD command with the AUTH
option specified).
REXX/CICS Authorized Commands
Authorized commands are REXX/CICS commands that can only be used by authorized users or from
authorized execs. Authorized commands are defined using the DEFCMD or DEFSCMD command with the
AUTH option specified.
REXX/CICS Authorized Execs
Authorized execs are programs (execs) that were loaded from sublibraries that were specified on the
SETSYS AUTHCLIB or SETSYS AUTHELIB commands and are considered authorized. That is, these
programs are allowed to use authorized REXX/CICS commands. All REXX/CICS users have access to
execs loaded from the sublibraries specified on the SETSYS AUTHELIB command, but only authorized
users have access to commands and execs loaded from the sublibraries specified on the SETSYS
AUTHCLIB command.
REXX/CICS System Sublibraries
All authorized commands written in the REXX language must be loaded from a VSE Librarian sublibrary
specified on the SETSYS AUTHCLIB command. These may be both IBM and customer (or vendor)
supplied.
All authorized execs must be loaded from a VSE Librarian sublibrary specified on either the SETSYS
AUTHCLIB or SETSYS AUTHELIB commands. These may be both IBM and customer (or vendor)
supplied.
User execs that are not authorized but are being shared by all REXX/CICS users can be placed in a VSE
Librarian sublibrary specified in the LIBDEF PROC search chain for the CICS partition.
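
The rules in the definitions above can be written as a small decision model. The following Python code is an added example, not part of the IBM manual or of REXX/CICS; the user IDs, sublibrary names, exec names and exec inventory are constructed. It also lists which authorized commands every user can reach through an exec held in a SETSYS AUTHELIB sublibrary, which is the exposure to review before placing an exec there.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    auth_users: frozenset   # user IDs named on AUTHUSER
    auth_cmds: frozenset    # commands defined with the AUTH option
    authclib: frozenset     # sublibraries named on SETSYS AUTHCLIB
    authelib: frozenset     # sublibraries named on SETSYS AUTHELIB

    def exec_authorized(self, sublib):
        return sublib in self.authclib or sublib in self.authelib

    def can_run_exec(self, user, sublib):
        # AUTHCLIB content is for authorized users only; other execs are open.
        # Assumption: a sublibrary listed on both is treated as AUTHCLIB.
        return user in self.auth_users if sublib in self.authclib else True

    def can_issue(self, user, cmd, exec_sublib=None):
        """May user issue cmd directly (exec_sublib=None) or from an exec?"""
        if exec_sublib is not None and not self.can_run_exec(user, exec_sublib):
            return False
        if cmd not in self.auth_cmds or user in self.auth_users:
            return True
        return exec_sublib is not None and self.exec_authorized(exec_sublib)

def exposed_to_general_users(policy, inventory):
    """Authorized commands that any user can reach through an AUTHELIB exec."""
    return sorted(
        (name, cmd)
        for name, (sublib, cmds) in inventory.items()
        if sublib in policy.authelib and sublib not in policy.authclib
        for cmd in cmds & policy.auth_cmds
    )

# Constructed sample configuration and exec inventory (exec -> sublibrary, commands).
POLICY = Policy(
    auth_users=frozenset({"SYSADM1"}),
    auth_cmds=frozenset({"READ", "WRITE", "DELETE"}),
    authclib=frozenset({"PRD1.AUTHC"}),
    authelib=frozenset({"PRD1.AUTHE"}),
)
INVENTORY = {
    "PURGEQ":  ("PRD1.AUTHC", {"DELETE"}),
    "SHOWBAL": ("PRD1.AUTHE", {"READ", "FMTDATE"}),
    "MYTOOL":  ("USER.EXECS", {"WRITE"}),
}

if __name__ == "__main__":
    for name, cmd in exposed_to_general_users(POLICY, INVENTORY):
        print(f"{name}: {cmd} is reachable by all users")
```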
Security
CICS TS for VSE/ESA: REXX Guide