REXX/CICS Authorized Command Support

A REXX/CICS Systems Administrator can identify any REXX/CICS command as authorized. An authorized command executes successfully only in an exec that is issued by an authorized REXX/CICS user or that was loaded from an authorized REXX/CICS sublibrary.

Only authorized REXX/CICS users have access to the commands and execs in the "authorized command" sublibraries specified on the SETSYS AUTHCLIB command. All users can run execs in the "authorized exec" sublibraries specified on the SETSYS AUTHELIB command. All users can also run execs in sublibraries specified in the LIBDEF PROC search chain for the CICS partition.

Authorized users can be defined by any existing authorized user or in an authorized exec. The REXX/CICS CICSTART exec, which is called at REXX/CICS initialization (at the first REXX/CICS transaction after a CICS restart), is automatically authorized, so it is the logical place to define authorized users and libraries. The sublibrary containing the CICSTART exec is treated as the initial "authorized command" and "authorized exec" sublibrary.

Because access to REXX/CICS libraries can easily be controlled, this facility is the logical counterpart to controlling access to CICS production program libraries. Any commands that a site considers sensitive (such as READ, WRITE, and DELETE) could be defined as authorized in the production region. Only authorized users could then create execs that issue authorized commands, and those users would decide whether the execs that contain authorized commands could be invoked by all users or only by other authorized users.

Note:
You can control the ability of REXX/CICS execs to access external APIs by redefining the CICS START, LINK, and XCTL commands as REXX/CICS authorized commands.