You can control which users among those who are running non-APF-authorized programs can OPEN the VTAM® ACB associated with a CICS® address space (CICS region). This ensures that only authorized CICS regions can present themselves as VTAM applications providing services with this APPLID, thus preventing unauthorized users impersonating real CICS regions. (Note that the CICS region userid needs the OPEN access, not the issuer of the SET VTAM OPEN command.)
RDEFINE VTAMAPPL applid UACC(NONE) NOTIFY(userid)
PERMIT applid CLASS(VTAMAPPL) ID(cics_region_userid) ACCESS(READ)
The correct CICS APPLID to specify in the VTAMAPPL class is the specific APPLID, as specified in the CICS system initialization parameters. If you are using XRF (that is, if CICS is started with XRF=YES in effect), define two VTAMAPPL profiles—one each for both the active and alternate CICS region's specific APPLID (the second operand on the CICS APPLID startup option).
SETROPTS CLASSACT(VTAMAPPL) RACLIST(VTAMAPPL)
SETROPTS RACLIST(VTAMAPPL) REFRESH