RESTRICTAPPL statement

Use the optional RESTRICTAPPL mapping and security statement to restrict access to the specified application. This statement should be followed by user parameters defining each user who is authorized to use the application. Users are prompted to identify themselves with a password. RACF® or an equivalent security program is used to validate the password. If no user parameters are specified, the application cannot be accessed.

Syntax

>>-RESTRICTAPPL--application_name--+----------------+----------->
                                   '-DISCONNECTABLE-'   

>--QSESSion--+------+--+------------------------+--------------->
             '-,sec-'  '-CERTAUTH--ALLOWPRINTER-'   

   .------------------------------------------------.   
   V                                                |   
>----+--------------------------------------------+-+----------><
     '-USER------user_id--+---------------------+-'     
                          | .--------------.    |       
                          | V              |    |       
                          +---LU-- lu_name-+----+       
                          '-LUG-- lu_group_name-'       

Parameters

application_name
The host application name, as specified in VTAMLST.

Single-character position wildcards (%) are permitted anywhere in the application name and the multi-character wildcard (*) is permitted at the end of an application name. For example, A%CICS* restricts connections to A1CICS01, A1CICS02, ABCICS4A, and so on. A single * restricts all applications.

DISCONNECTABLE
When DISCONNECTABLE is specified, VTAM® notifies the application to disconnect, rather than log off a user, when the session is dropped.
QSESSion
Indicates this application queues a session request when passing the session to another primary application. When Telnet receives an UNBIND of the new session, Telnet waits for a BIND to reestablish the original queued session.
sec
When QSESSion is coded, this value determines the number of seconds Telnet waits before checking whether a BIND was received. The range is 1 - 99999999. If no BIND is received in the time specified, Telnet stops waiting and continues cleaning up the connection as if QSESSion had not been coded. There is no default value. If sec is not coded, the connection never checks whether a BIND is received. Telnet waits until a BIND is received or the connection is dropped.
CERTAUTH
Specifies that the user ID derived from the SSL client certificate is used (enhanced LU mapping support for dynamic IP environments) and that the RESTRICTAPPL password validation process is skipped. If Express® Logon is being used, the user ID returned from the security lookup for the latest client certificate and applid combination is used. If Express Logon is not being used, the user ID returned at initial connection time from the security lookup for the client certificate alone is used.
ALLOWPRINTER
Specifies that any printer connection matching this RESTRICTAPPL statement is treated as if it matched an ALLOWAPPL statement. No user ID or password is requested. Printer emulators do not support user ID and password requests. The ALLOWPRINTER parameter gives you the ability to have terminal connections and printer connections mapped on a single RESTRICTAPPL statement. However, the printer connections exist at the lower security level that is provided by the ALLOWAPPL statement.
USER user_id
The user ID, one to eight characters long. Single-character wildcards (%) are permitted anywhere in the user name and the multi-character wildcard (*) is permitted at the end of the user name. A single * allows all users.
LU LU_name
The logical name of the Telnet terminal LU. This parameter allows you to optionally specify which terminal LUs can be used to establish a session with the named VTAM host application.
LUG LU_group_name
The name of an LUGROUP or PRTGROUP. This option allows you to specify an LUGROUP or PRTGROUP, where any LU in the group can be used to establish a session with the named VTAM host application. If the same name defines both an LUGROUP and a PRTGROUP, the LUGROUP is used. The group can be a new group consisting of a combination of names or range list names from existing LUGROUPs and PRTGROUPs. This allows both terminals and printers to be on the same RESTRICTAPPL-USER statement.

Usage notes

  • LU and LUG keywords are mutually exclusive. If both are specified in any order, only the LUG is processed. If multiple LUG keywords are specified, only the last is accepted and processed.
  • Applications that do CLSDST Pass also require a RESTRICTAPPL or ALLOWAPPL statement for the target application.
  • If the LU assigned to the connection is defined in LU groups mapped by both a LUG statement and an LUMAP/PRTMAP statement, neither LU group can be defined as an LU exit.
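
Added example (not IBM's code and not part of the original page): a Python review helper that applies the wildcard rules and usage notes above to a profile fragment and lists the statements a security reviewer would want to look at. The one-statement-per-line layout, the sample names, the application inventory, and the reading of a trailing * as zero or more characters are assumptions.

```python
import re

NOTES = {"CERTAUTH": "password validation skipped", "ALLOWPRINTER": "printers treated as ALLOWAPPL"}

def wildcard_match(pattern, name):
    """'%' is one character anywhere; '*' is only valid last (assumed: zero or more)."""
    if "*" in pattern[:-1]:
        raise ValueError(f"'*' is only permitted at the end: {pattern!r}")
    body, tail = (pattern[:-1], ".*") if pattern.endswith("*") else (pattern, "")
    regex = "".join("." if c == "%" else re.escape(c) for c in body) + tail
    return re.fullmatch(regex, name) is not None

def parse(profile):
    stmts = []
    for tok in (line.split() for line in profile.splitlines()):
        if tok and tok[0] == "RESTRICTAPPL":
            stmts.append((tok[1], set(tok[2:]), []))      # (application, options, users)
        elif tok and tok[0] == "USER" and stmts:
            stmts[-1][2].append((tok[1], tok[2::2]))      # (user_id, LU/LUG keywords coded)
    return stmts

def audit(profile, inventory):
    """Return (application pattern, finding) pairs for a reviewer."""
    out = []
    for app, opts, users in parse(profile):
        hits = [a for a in inventory if wildcard_match(app, a)]
        if len(hits) > 1:
            out.append((app, "pattern covers " + ", ".join(hits)))
        if not users:
            out.append((app, "no USER parameters: application cannot be accessed"))
        out += [(app, f"{k}: {NOTES[k]}") for k in sorted(NOTES.keys() & opts)]
        for uid, kws in users:
            if uid == "*":
                out.append((app, "USER * allows all users"))
            if "LU" in kws and "LUG" in kws:
                out.append((app, f"USER {uid}: LU and LUG coded, only the LUG is processed"))
    return out

# Constructed inputs, not from the page. Assumed layout: one RESTRICTAPPL or USER per line.
SAMPLE = """RESTRICTAPPL A%CICS*
  USER OPER1 LU TCP00001 LUG GRPA
RESTRICTAPPL TSO CERTAUTH ALLOWPRINTER
  USER *
RESTRICTAPPL IMSPROD
"""
INVENTORY = ["A1CICS01", "A1CICS02", "ABCICS4A", "TSO", "IMSPROD"]

if __name__ == "__main__":
    print(*audit(SAMPLE, INVENTORY), sep="\n")
```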