One of the conversation security mechanisms you can implement is controlling access, by user ID, to specific APPC/MVS LUs. Such control is useful when an LU represents a group of related TPs or a transaction scheduler. Through the APPL class, you can control access to an LU through one of two ways:

1. By granting access to only specific users or groups

   This method provides the most restrictive security for the LU, because you begin by prohibiting any access to the LU, and then gradually grant access to specific users on an as-needed basis. Depending on how your installation has defined security profiles for users or groups, and when you determine a user's need to access the LU, this method might require frequent updates to the LU's security information.

2. By prohibiting security_none Allocate requests

   This method provides security for the LU by accepting only those Allocate requests associated with a user ID. As in the first method, you begin by prohibiting any access to the LU, but then grant access to all user IDs at once, through only two commands. In effect, this method prohibits requests with a security_type of security_none from entering the system.

You may use either method to control access to individual LUs, or to all LUs in a VTAM® generic resource group. If an LU is a member of a generic resource group, you must use its generic resource name, instead of its specific name, on the RDEFINE command for the APPL class.

Also, you may use RACF® variables in the APPL definitions, to simplify the task of controlling user access to LUs.