Appendix H. Security
REXX/CICS can be viewed as a more sophisticated version of the CICS-supplied Command Level
Interpreter Transaction (CECI). The REXX transaction (used to issue REXX execs), much like the CECI
transaction, can be controlled using CICS transaction security. The REXX transaction might be made
widely available, or might be limited to a few individuals, depending upon the nature of the CICS region it
is running in.
Note: The REXX transaction is not required to execute existing REXX execs, but is required if users or
programmers want the ability to create or modify REXX execs, and then test them.

REXX/CICS Supports Multiple Transaction Identifiers

REXX/CICS supports the ability to associate transaction identifiers (TRANIDs), other than REXX, with the
REXX/CICS support program. In this case, the name of the REXX exec that is issued is determined by a
previous DEFTRNID command. This gives you the ability to still use transaction security with REXX on an
exec by exec basis.

REXX/CICS File Security

Access at the RFS directory level is controlled with the RFS AUTH command and the RFS replaceable
security exit.

ESA/VSE Command Level Security

In some situations, current software practices limit the effectiveness of relying on CICS resource security
alone. For additional security control, REXX/CICS was designed with the concept of command level
security. Because most facilities under REXX/CICS are accessed as commands, command level security
can be used to control access to CICS (and other product or system) facilities. For example, VSAM file
access is accomplished through the READ, WRITE, and REWRITE commands.
REXX/command level security is controlled by the DEFSCMD and DEFCMD AUTH parameter and by the
provision of authorized REXX/CICS library support.
Command execution security controls the use of certain REXX/CICS commands, or command keywords.
In general, this is accomplished by the designation of certain commands (or command options) as
authorized. Such command designation is accomplished by the DEFCMD and DEFSCMD commands. For
authorized commands to execute properly, they must either be:
1. Executed from an exec loaded from a VSE Librarian sublibrary specified on a SETSYS AUTHCLIB or
SETSYS AUTHELIB command.
2. Executed by an authorized user. A user can be authorized by the AUTHUSER command.

REXX/CICS Authorized Command Support

Any REXX/CICS command can be identified as authorized by a REXX/CICS Systems Administrator.
Authorized commands can only be successfully executed in an exec that is issued by an authorized
REXX/CICS user or that was loaded from an authorized REXX/CICS sublibrary. Only authorized
REXX/CICS users have access to the commands and execs in the “authorized command” sublibraries
specified on the SETSYS AUTHCLIB command. All users have the ability to run execs in the “authorized
exec” sublibraries specified on the SETSYS AUTHELIB command. All users can run execs in sublibraries
specified in the LIBDEF PROC search chain for the CICS partition. Authorized users can be defined by
any existing authorized user or in an authorized exec. The REXX/CICS CICSTART exec that is called at
REXX/CICS initialization (at the first REXX/CICS transaction after a CICS restart) is automatically
© Copyright IBM Corp. 1992, 2009 421