Controlling the opening of a CICS region's VTAM ACB

You can control which users among those who are running non-APF-authorized programs can OPEN the VTAM® ACB associated with a CICS® address space (CICS region). This ensures that only authorized CICS regions can present themselves as VTAM applications providing services with this APPLID, thus preventing unauthorized users from impersonating real CICS regions. (Note that it is the CICS region userid that needs the OPEN access, not the issuer of the SET VTAM OPEN command.)

For each APPLID, create a VTAMAPPL profile, and give the CICS region userid READ access. For example:
RDEFINE VTAMAPPL applid UACC(NONE) NOTIFY(userid)
PERMIT applid CLASS(VTAMAPPL) ID(cics_region_userid) ACCESS(READ)

The correct CICS APPLID to specify in the VTAMAPPL class is the specific APPLID, as specified in the CICS system initialization parameters. If you are using XRF (that is, if CICS is started with XRF=YES in effect), define two VTAMAPPL profiles: one for the specific APPLID of the active CICS region and one for the specific APPLID of the alternate CICS region (the specific APPLID is the second operand on the CICS APPLID startup option).

Note: If your alternate is on another MVS™ image, ensure that the RACF® database is shared, or define the VTAMAPPL profiles in the other system's RACF database.

The VTAMAPPL class must be activated using RACLIST for this protection to be in effect:
SETROPTS CLASSACT(VTAMAPPL) RACLIST(VTAMAPPL)
If the VTAMAPPL class is already active, refresh the in-storage VTAMAPPL profiles with the SETROPTS command:
SETROPTS RACLIST(VTAMAPPL) REFRESH
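
The steps above combined into one batch TSO job for an XRF pair, as an added example that is not part of the original documentation. The APPLIDs CICSHA1 and CICSHA2, the region userid CICSRGN, the NOTIFY userid SECADM1 and the JOB card values are constructed placeholders; the job assumes both regions run under the same userid and that the VTAMAPPL class is already active.

```jcl
//VTAMAPPL JOB (ACCT),'VTAMAPPL PROFILES',CLASS=A,MSGCLASS=X
//*
//* Added example with constructed names (assumptions, not site values):
//*   CICSHA1 = specific APPLID of the active CICS region
//*   CICSHA2 = specific APPLID of the alternate CICS region
//*   CICSRGN = CICS region userid (assumed common to both regions)
//*   SECADM1 = userid that is notified of access violations
//*
//* Step order in SYSTSIN:
//*   1. Define one profile per specific APPLID with UACC(NONE), so
//*      no user has access by default.
//*   2. Give READ only to the CICS region userid. The issuer of
//*      SET VTAM OPEN needs no access to these profiles.
//*   3. Refresh the in-storage profiles. If the class is not yet
//*      active, use this command in place of the REFRESH:
//*        SETROPTS CLASSACT(VTAMAPPL) RACLIST(VTAMAPPL)
//*   4. List both profiles with their access lists to verify.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE VTAMAPPL CICSHA1 UACC(NONE) NOTIFY(SECADM1)
  RDEFINE VTAMAPPL CICSHA2 UACC(NONE) NOTIFY(SECADM1)
  PERMIT CICSHA1 CLASS(VTAMAPPL) ID(CICSRGN) ACCESS(READ)
  PERMIT CICSHA2 CLASS(VTAMAPPL) ID(CICSRGN) ACCESS(READ)
  SETROPTS RACLIST(VTAMAPPL) REFRESH
  RLIST VTAMAPPL (CICSHA1 CICSHA2) AUTHUSER
/*
```

In the RLIST output, each profile should show universal access NONE and an access list containing only the CICS region userid with READ.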