The SECURITY and UTOKEN parameters on the AXREXX macro determine
the security environment that the exec runs in. If omitted, the exec
will run under the same security environment as its invoker.
The security environment determines the data sets that may be accessed
and the commands and programs that may be invoked.

- When SECURITY=BYUTOKEN is specified, the invoker can provide a
UTOKEN to define the specific security environment under which the
exec should run (see z/OS Security Server RACROUTE Macro Reference).
By default the AXREXX macro invocation uses SECURITY=BYUTOKEN. In
this situation a security token always accompanies the request. It
is used to establish the security environment of the invoker under
which the exec will run and is limited to the permissions that are
applicable to the invoker. Additionally, if the REXX exec uses the AXRCMD function
to issue a system command, the security token will be passed to MGCRE,
ensuring that identical security information is used. The security
token value can be explicitly provided using the optional UTOKEN
parameter on the AXREXX macro. If the value is omitted, it will be implicitly
set to that of the invoker's security environment.
- When SECURITY=BYAXRUSER is specified, the exec will run under
the security environment associated with the value (siteuserid)
of the AXRUSER parameter specified in the AXR00 parmlib member. This
could be useful if the installation wants to invoke AXREXX in an address
space that does not have a security environment, such as the MASTER
address space.

The exec should not invoke any services that alter the security
environment of the task running the exec.

If an exec is invoked from a console that is not
logged on, or via the AXREXX macro from an address space that does
not have a valid security environment (using SECURITY=BYUTOKEN without
specifying a UTOKEN), certain facilities such as SYSCALL host commands
will not function properly.
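
The rules above can be applied when reviewing assembler source to see which security environment each AXREXX invocation will run its exec under. The following is an added example, not IBM code: the function names are hypothetical, the sample source is constructed, and only the SECURITY and UTOKEN operands are interpreted (labels, exec names and other operands are placeholders; remarks and operand sublists are not handled).

```python
import re

def card(text, cont=False):
    """Build a constructed source line; a non-blank in column 72 continues it."""
    return text.ljust(71) + ("X" if cont else " ")

# Constructed sample source, not taken from any real program.
SAMPLE = "\n".join([
    "* constructed sample for the audit below",
    card("CALL1    AXREXX REQUEST=EXECUTE,NAME=EXEC1,", cont=True),
    card("               SECURITY=BYAXRUSER"),
    card("CALL2    AXREXX REQUEST=EXECUTE,NAME=EXEC2,", cont=True),
    card("               SECURITY=BYUTOKEN,UTOKEN=MYTOKEN"),
    card("CALL3    AXREXX REQUEST=EXECUTE,NAME=EXEC3"),
])

def statements(source):
    """Join continued lines (non-blank in column 72) into whole statements."""
    buf = ""
    for line in source.splitlines():
        if line.startswith("*"):            # full-line comment
            continue
        buf += line[:71].strip()
        if len(line) > 71 and line[71] != " ":
            continue                        # statement continues on next line
        yield buf
        buf = ""

def security_environment(stmt):
    """Return (label, environment) for an AXREXX statement, else None."""
    m = re.match(r"(?:(\S+)\s+)?AXREXX\s+(\S+)", stmt)
    if not m:
        return None
    ops = dict(re.findall(r"(\w+)=([^,]+)", m.group(2)))
    mode = ops.get("SECURITY", "BYUTOKEN")  # BYUTOKEN is the default
    if mode == "BYAXRUSER":
        env = "AXRUSER userid from AXR00"   # not the invoker's permissions
    elif "UTOKEN" in ops:
        env = "explicit UTOKEN"
    else:
        env = "invoker (implicit UTOKEN)"   # needs a valid invoker environment
    return (m.group(1) or "(unlabeled)", env)

def audit(source):
    """List every AXREXX invocation with the environment its exec runs under."""
    return [r for r in map(security_environment, statements(source)) if r]

if __name__ == "__main__":
    for label, env in audit(SAMPLE):
        print(f"{label:10} {env}")
```

Invocations reported as running under the AXRUSER userid are the ones whose access is decided by that userid's permissions rather than the invoker's, and invocations relying on the implicit token are the ones affected when the invoking address space has no valid security environment.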