Plan for security changes to EXECIO restricting the REXX exec for allocating an internal reader
Description
In z/OS V1R13 and earlier, a REXX exec running under System REXX (TSO=YES) could allocate an internal reader and then invoke EXECIO to submit JCL. As of z/OS V2R1, this function is restricted if the security product (RACF or equivalent) indicates that the invoker does not have authority to the entity JCL.
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
Element or feature: | BCP |
---|---|
When change was introduced: | z/OS V2R1 |
Applies to migration from: | z/OS V1R13. |
Timing: | Before the first IPL of z/OS V2R2. |
Is the migration action required? | Yes, if the invoker of the System REXX exec wants to invoke EXECIO to submit JCL. |
Target system hardware requirements: | None. |
Target system software requirements: | None. |
Other system (coexistence or fallback) requirements: | None. |
Restrictions: | None. |
System impacts: | None. |
Related IBM Health Checker for z/OS check: | None. |
Steps to take
Permit access so that the System REXX exec can allocate an internal reader and use EXECIO to submit JCL. The System REXX exec runs under the security environment specified by the SECURITY keyword on the AXREXX invocation; the default is the invoker of the AXREXX macro. The invoker of the System REXX exec must have access to the JCL resource in the TSOAUTH resource class.
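The following exec is an added example, not IBM-supplied code, showing one way to review and grant this access with RACF commands from TSO/E. It assumes that the JCL profile is already defined in TSOAUTH, that the class is active and RACLISTed, and that READ is the access level to grant; SYSRXID is a placeholder for the user ID the System REXX exec runs under.

```rexx
/* REXX - added example, not IBM-supplied code.                     */
/* Run under TSO/E by a user with authority to administer the      */
/* TSOAUTH class. SYSRXID is a placeholder user ID.                 */
sysrexx_id = 'SYSRXID'

/* 1. Review the profile first: check UACC and the access list so  */
/*    that you know who can already submit JCL.                     */
address tso "RLIST TSOAUTH JCL AUTHUSER"
if rc <> 0 then do
  say 'RLIST failed, rc='rc'. Is the JCL profile defined in TSOAUTH?'
  exit 8
end

/* 2. Grant access only to the ID that the System REXX exec runs   */
/*    under, rather than raising UACC on the profile.               */
/*    ACCESS(READ) is an assumption of this example.                */
address tso "PERMIT JCL CLASS(TSOAUTH) ID("sysrexx_id") ACCESS(READ)"
if rc <> 0 then do
  say 'PERMIT failed, rc='rc'. No change was made.'
  exit 8
end

/* 3. Refresh the in-storage profiles. This step applies when the  */
/*    TSOAUTH class is RACLISTed (assumed here).                    */
address tso "SETROPTS RACLIST(TSOAUTH) REFRESH"
if rc <> 0 then do
  say 'SETROPTS REFRESH failed, rc='rc'. The permit is not yet in effect.'
  exit 8
end

/* 4. Confirm that the access list now contains the ID.            */
address tso "RLIST TSOAUTH JCL AUTHUSER"
exit 0
```

If the AXREXX invocation does not specify the SECURITY keyword, the ID to permit is that of the invoker of the AXREXX macro.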
Reference information
For more information, see z/OS Security Server RACF Security Administrator's Guide.