Consider whether you want to restrict access to the LU on the local system. RACF® requests coming from remote systems as well as other APPC/MVS traffic are received on this LU. Therefore, you might want to only grant access to those users who need access to this information, such as the local RACF subsystem user ID. You can use the following RACF definitions to control access to the LU:

SETROPTS CLASSACT(APPL)  +  << Required
         AUDIT(APPL)     +  << Optional
         RACLIST(APPL)   +  << Optional, recommended for
                               performance reasons
         GENERIC(APPL)   +  << Optional, recommended

RDEFINE APPL luname UACC(NONE) NOTIFY(administrator)
PERMIT luname CLASS(APPL) ID(userid) ACCESS(READ)

The userid value is the user ID (or associated group name) that the local RACF subsystem is operating under. This definition basically restricts the usage of the LU name to the RACF subsystem.