Specifying authorized commands/programs, and commands not supported in the background

At your installation, you must maintain lists of authorized commands and programs, and commands not supported in the background. The lists allow users to execute authorized commands and programs, and restrict users from executing certain commands in background jobs. IBM® provides copies of the lists, including all required entries. Table 1 shows which entries are required in each list.

Table 1. Required entries in the lists of commands and programs
Maintain in the list of:	These names:
Authorized commands	RECEIVE TRANSMIT XMIT SEND SE CONSPROF LISTBC LISTB RACONVRT SYNC TESTAUTH PARMLIB
Programs to be authorized when called through the TSO/E service facility	IKJEFF76
Commands not supported in the background	OPERATOR OPER TERMINAL TERM

You might want to add commands and programs to the lists. You can add authorized commands and programs, such as VLFNOTE, LISTDS, IEHMOVE, and user-written ones, to make them available to users at your installation. You can also add commands that you do not want used in the background, such as:

User-written commands that do not work properly in the background (for example, command processors that issue TPUTs and TGETs)
Commands whose use you plan to restrict in the foreground. The ACCOUNT command is one example of such a command. You might want to restrict its use as described in Limiting the use of the ACCOUNT, OPERATOR, RACONVRT, and SYNC commands.

For ISPF, you must ensure that the authorized commands receive control in an authorized state under ISPF. For more information, see .

You can maintain the lists of authorized commands and programs, and commands not supported in the background, in one of the following:

SYS1.PARMLIB member IKJTSOxx
CSECTs IKJEFTE2, IKJEFTE8, IKJEFTAP, and IKJEFTNS.

Using SYS1.PARMLIB member IKJTSOxx has certain advantages:

It makes it easy to maintain the lists of commands and programs. You avoid having to update, assemble, and link-edit the CSECTs IKJEFTE2, IKJEFTE8, IKJEFTAP, and IKJEFTNS.
You can use the PARMLIB command if you want to use a different list of authorized commands/programs, and commands not supported in the background, without re-IPL of the system.
The PARMLIB command dynamically activates a SYS1.PARMLIB member IKJTSOxx of your choice. Its specifications are replaced by those in member IKJTSOxx of your choice. The chosen SYS1.PARMLIB member IKJTSOxx must at least contain the required entries shown in Table 1.

Use the PARMLIB command also to check the syntax of any IKJTSOxx member of SYS1.PARMLIB before you are going to use it, and to view the specifications in an active IKJTSOxx member. For more information about the PARMLIB command, see .

Using CSECTS IKJEFTE2, IKJEFTE8, IKJEFTAP, and IKJEFTNS does not allow for dynamic changes.

When you IPL the system, the commands and programs listed in either SYS1.PARMLIB member IKJTSOxx or in the individual CSECTs become available or restricted as specified.

If you maintain the lists of authorized commands and programs, and commands not supported in the background, in both the SYS1.PARMLIB member IKJTSOxx and the CSECTS the following applies:

If IKJEFTE2, IKJEFTE8, IKJEFTNS, IKJEFTAP are link-edited into load module IKJTABLS in SYS1.LPALIB, IKJTABLS out of SYS1.LPALIB is used unless IKJTSOxx is found in SYS1.PARMLIB (or its logical concatenation).
If IKJEFTE2, IKJEFTE8, IKJEFTNS, IKJEFTAP, IKJTABLS are in an authorized STEPLIB, then for the general users, SYS1.PARMLIB is used. For the user with the STEPLIB however, the CSECTs are used. This is supported through the following display PARMLIB LIST.

See Using SYS1.PARMLIB member IKJTSOxx and Using CSECTs IKJEFTE2, IKJEFTE8, IKJEFTAP, and IKJEFTNS for details on using either method.