Security

The SECURITY and UTOKEN parameters on the AXREXX macro determine the security environment that the exec runs in. If omitted, the exec will run under the same security environment as its invoker. The security environment determines the data sets that may be accessed and the commands and programs that may be invoked.
  • When SECURITY=BYUTOKEN is specified, the invoker can provide a UTOKEN to define the specific security environment under which the exec should run (see z/OS Security Server RACROUTE Macro Reference). By default, the AXREXX macro invocation uses SECURITY=BYUTOKEN. In this situation, a security token always accompanies the request. The token is used to establish the invoker's security environment, under which the exec will run, and the exec is limited to the permissions that are applicable to the invoker. Additionally, if the REXX exec uses the AXRCMD function to issue a system command, the security token is passed to MGCRE, ensuring that the identical security information is used. The security token value can be explicitly provided using the optional UTOKEN parameter on the AXREXX macro. If the value is omitted, it is implicitly set to that of the invoker's security environment.
  • When SECURITY=BYAXRUSER is specified, the exec will run under the security environment associated with the value (siteuserid) of the AXRUSER parameter specified in the AXR00 parmlib member. This could be useful if the installation wants to invoke AXREXX in an address space that does not have a security environment, such as the MASTER address space.
The exec should not invoke any services that alter the security environment of the task running the exec.

If an exec is invoked from a console that is not logged on, or via the AXREXX macro from an address space that does not have a valid security environment (using SECURITY=BYUTOKEN without specifying a UTOKEN), certain facilities such as SYSCALL host commands will not function properly.