Controlling access to applications

If the APPL class for the security product is active, you can use a combination of profiles in the APPL class and the APPL operand on the RACROUTE REQUEST=VERIFY macro to determine which users are allowed to use specified applications as they enter the system. For example, if you do not want all of your users to use certain applications, you can activate the APPL class and create a profile with an access list that contains only those users who are allowed to access these applications.

When specifying a profile, you have two choices: use the OMVSAPPL application ID (APPLID) or create a customized APPLID. In some cases, OMVSAPPL is the value that is always used for the APPLID parameter.

If no customization is done, the following services specify OMVSAPPL for the APPLID value. If the APPL class is active, use of these services can be limited to those users who have access to the OMVSAPPL resource in the APPL class.
  • __login
  • pthread_security_np
  • __passwd when there is no password or password phrase change specified
  • __passwd when the calling process did not call pthread_security_np

In certain cases, if you customize the APPLID-related fields in the BPXYTHLI, you can change the value used for the APPLID parameter for these services:
  • pthread_security_np
  • __passwd

The following C functions allow an APPLID other than OMVSAPPL to be specified when invoking the service:
  • __login_applid
  • __passwd_applid
  • pthread_security_applid_np
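
The following RACF commands are an added example, not part of the original documentation. They show one way to restrict the services that use the default OMVSAPPL APPLID to a single group. The group name UNIXUSR is a hypothetical placeholder. The profile and its access list are built before the class is activated, so that users who should be permitted are not refused while the access list is still incomplete.

```racf
/* 1. Define the profile with no default access.                    */
RDEFINE APPL OMVSAPPL UACC(NONE)

/* 2. Permit the users who may use these services.                  */
/*    UNIXUSR is a placeholder group name (assumption).             */
PERMIT OMVSAPPL CLASS(APPL) ID(UNIXUSR) ACCESS(READ)

/* 3. Review the access list before the profile takes effect.       */
RLIST APPL OMVSAPPL AUTHUSER

/* 4. Activate the class and load its profiles into storage.        */
SETROPTS CLASSACT(APPL) RACLIST(APPL)

/* 5. After later changes to APPL profiles, refresh the copy.       */
SETROPTS RACLIST(APPL) REFRESH
```

Activating the APPL class affects every application that passes an APPLID on RACROUTE REQUEST=VERIFY, not only OMVSAPPL, so review the other APPL profiles before step 4.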

For more information about protecting applications, see Program security modes in z/OS® Security Server RACF® Security Administrator's Guide.