Program Authorization and Isolation
Commands, programs, CLISTs, or REXX execs can be either authorized or unauthorized functions to an application program. Application programs are most often unauthorized functions to the system they are running on, and only rarely authorized functions. For system security reasons, an authorized function can normally invoke only authorized functions.
IKJEFTSR specifically allows you to invoke authorized functions from an unauthorized application program. It maintains system security by running an invoked authorized function in its own isolated environment.
However, to maintain system security, an authorized application program can use the TSO/E Service Facility to invoke only authorized programs or commands, or CLISTs consisting of only authorized programs and commands.

- If you want the TSO/E Service Facility to run the unauthorized function in an unisolated environment, the unauthorized function itself can invoke other (authorized or unauthorized) functions through IKJEFTSR. This also provides for access to ISPF services and TSO/E REXX programming services. However, after an authorized function is invoked, it is run in its own isolated environment (see below).
- If you want the TSO/E Service Facility to run the unauthorized function in an isolated environment, the invoked function itself can only invoke authorized functions. This causes the TSO/E Service Facility to run the requested function as an isolated subtask of the TSO terminal monitor program. The existing environment is suspended until the requested function completes. It is the existing environment's responsibility to release any resources that may have been required by the requested function (such as serialization resources).
- AUTHCMD: identifies authorized commands to TSO/E.
- AUTHPGM: identifies programs that are authorized when invoked via the CALL command.
- AUTHTSF: identifies programs that are authorized when invoked through the TSO/E Service Facility. In most cases these programs are not in AUTHPGM. They are primarily those that expect more complex parameter lists than that of the CALL command and use parameter 7 of the IKJEFTSR parmlist to supply parameters to the invoked program. As a general rule, programs in this list should not accept parameters that are pointers to code that will be executed (such as exit routines), because this might introduce an integrity exposure. Note: Do not place programs from any IBM® products in this table unless the documentation of that product requires it. For example, do not put IDCAMS in AUTHTSF.
- PLATCMD: identifies authorized and unauthorized commands that can run on a command/program invocation platform.
- PLATPGM: identifies authorized and unauthorized programs that can run on a command/program invocation platform.
Further details about the statements in SYS1.PARMLIB member IKJTSOxx can be found in z/OS TSO/E Customization.
You may want to use the table look-up service, described in Using the table look-up service IKJTBLS, in your application programs to determine if a program or command name is identified by one or more of these statements.
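The AUTHTSF guidance above can be checked offline against a text copy of the IKJTSOxx member. The following Python sketch is an added example, not IBM code: the sample member is constructed, the program names MYAUTH01 and MYTSF02 are hypothetical, and the list of IBM programs to flag is a reviewer-supplied assumption seeded only with the IDCAMS example from this page.

```python
import re

# Constructed sample of an IKJTSOxx member (not taken from a real system).
SAMPLE_IKJTSO = """\
AUTHCMD NAMES(            /* authorized commands */ +
   RECEIVE  TRANSMIT  XMIT  +
   LISTD)
AUTHPGM NAMES(            /* authorized via CALL */ +
   IEBCOPY  MYAUTH01)
AUTHTSF NAMES(            /* authorized via IKJEFTSR */ +
   IDCAMS   MYAUTH01  MYTSF02)
"""

STATEMENTS = ("AUTHCMD", "AUTHPGM", "AUTHTSF", "PLATCMD", "PLATPGM")


def parse_ikjtso(text):
    """Return {statement: set of names} for each NAMES(...) list found."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop /* ... */ comments
    text = re.sub(r"\+\s*\n", " ", text)                # join '+' continuation lines
    tables = {s: set() for s in STATEMENTS}
    pattern = r"\b(\w+)\s+NAMES\s*\(([^)]*)\)"
    for stmt, names in re.findall(pattern, text, flags=re.I):
        if stmt.upper() in tables:
            tables[stmt.upper()].update(n.upper() for n in names.replace(",", " ").split())
    return tables


def audit(tables, ibm_programs=("IDCAMS",)):
    """Flag AUTHTSF entries that the guidance on this page says to review.

    ibm_programs is an assumption: a list the reviewer maintains of IBM
    program names that no product documentation asks to be in AUTHTSF.
    """
    findings = []
    for name in sorted(tables["AUTHTSF"]):
        if name in ibm_programs:
            findings.append((name, "IBM program in AUTHTSF; confirm the product documentation requires it"))
        if name in tables["AUTHPGM"]:
            findings.append((name, "listed in both AUTHPGM and AUTHTSF; review which invocation path is needed"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_ikjtso(SAMPLE_IKJTSO)):
        print(f"{name}: {reason}")
```

An entry present in both AUTHPGM and AUTHTSF is reported for review rather than as an error, since the page says only that AUTHTSF programs are not in AUTHPGM "in most cases".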