The session authorization exit routine allows you to check or restrict the use of an application program or other LU.

Whenever possible, you should use a session management exit routine rather than a session authorization exit routine to authorize sessions, because a session management routine handles both same- and cross-network sessions and allows you to combine session-related functions into one exit routine. (See Session management exit routine for more information about its capabilities.)

The session authorization exit routine is scheduled only in SSCPs that are in the same domain as one of the LUs. For cross-network sessions, this means that any information provided to the session authorization routine could be misunderstood, because an LU name is not necessarily unique. You can avoid this problem by using the initial and secondary authorization functions of the session management exit routine instead of the session authorization exit routine.

If both the session authorization and session management exit routines exist within the LU's domain, VTAM® calls the authorization exit routine first. If the session authorization exit routine authorizes the session, VTAM calls the session management exit routine; otherwise, VTAM does not call the session management exit routine and session setup is rejected.

For same-network sessions, VTAM calls the session authorization exit routine whenever it receives a request to establish a session between two LUs. For example, VTAM can call the exit as the result of a logon from a terminal, an automatic logon, or a VTAM operator logon. VTAM calls the exit for both the initial logon and all subsequent logons to a controlling application program (that is, one to which the terminal is logged on automatically).

For cross-domain sessions, VTAM calls the session authorization exit routine in each domain (the domain of the PLU and of the SLU) whenever it receives an initiate or cross-domain initiate request.

Failure of the session authorization exit routine to honor session-initiation requests can cause VTAM to authorize sessions that should not be authorized.

You can code the session authorization routine to contain a table of valid sessions against which the session-establishment request can be compared. For example, you can design an application program to establish a session with any LU, using the OPNDST OPTCD=ACCEPT macroinstruction in the application program's LOGON exit routine. The session authorization exit routine can compare the identity of any LU that attempts to establish a session with the application program to entries in such a table to determine whether authorization can be granted for that LU. For example, a particular LU could be authorized only at a particular time of day.

If an application program can establish parallel sessions, the exit routine must be capable of processing more than one request from the same LU-LU pair.

IBM® does not supply a skeleton session authorization routine. If you want this function, write a session authorization exit routine. If you do not write a session authorization exit routine, all sessions are authorized (unless you have written a session management exit routine to authorize sessions).

The topics that follow contain information you need to write a session authorization exit routine.