In some cases, only certain LU names are eligible to be in session with the host application. Or only certain LU names are eligible to represent user IDs. The LU and LUG parameters on the ALLOWAPPL and RESTRICTAPPL statements provide this checking function and allow some LU name mapping based on application name. The LUG parameter can represent either an LUGROUP, a PRTGROUP, or a group that is a mixture of terminal and printer LUs so that both terminal and printer emulators can access the application. If single LUs are specified, they are assumed to be terminal LUs.
For example, assume the only LUs eligible to use the inventory set of applications are the LUs in the inventory LU pools. A new LUGROUP pool named LUGINVT contains LUs from LUGINV1, LUGINV2, and LUGINV3. The ALLOWAPPL statement requires that any session request to the inventory applications have an LU name defined in LUGINVT. The LUG parameter must be used carefully. When specified, Telnet must match the LU using both the common mapping algorithms and the mapping by application. For RESTRICTAPPL, assume security authorization is required to get to the PAYROLL application, and each of the PAYxx user IDs must map to a certain LU.
LUGROUP LUGINV1 LUINV01..LUINV20 ENDLUGROUP
LUGROUP LUGINV2 LUINV21..LUINV40 ENDLUGROUP
LUGROUP LUGINV3 LUINV41..LUINV60 ENDLUGROUP
LUGROUP LUGINVT LUINV01..LUINV60 ENDLUGROUP
ALLOWAPPL INVENTR* LUG LUGINVT
RESTRICTAPPL PAYROLL
USER PAY01 LU LUPAY01
USER PAY02 LU LUPAY02
(user pay03 through pay20 not listed)
The LU group specified on the LUG parameter cannot be an LU exit. If it is, the ALLOWAPPL statement is rejected. Multiple LUs can be assigned individually using the LU keyword or a single LU group can be assigned using the LUG parameter. LU and LUG cannot be mixed on a single statement and only one LUG entry per statement is permitted. LU assignment based on application is a convenient way to limit the access to applications. However, this increases mapping complexity significantly when LU mapping statements and connection types are part of the overall mapping equation. Non-TN3270E connections or TN3270E connections with NOTN3270E or SIMCLIENTLU specified do not keep the LU name assigned to the connection after a session is dropped. For these connection types, the user can establish a session with different application names even if different LU names are mapped to the application names with the ALLOWAPPL or RESTRICTAPPL-USER statement. However, LU mapping that is based on application name does not work well with TN3270E connections because the LU is assigned during connection negotiation before the correct application name is known. In all CLSDST-PASS cases, the LU name cannot change when switching from the first application to the second because the LU's ACB is not closed during the switch. If the LU mapping by application name requires an LU name switch, the new session attempt will be failed by Telnet.
ALLOWAPPL TSO* LUG LUGTSO
ALLOWAPPL CICS LUG LUGCICS
ALLOWAPPL IMS LUG LUGIMS
RESTRICTAPPL APP*
USER USER1* LUG LUG10
USER USER01 LU LU01
USER USER02 LU LU02
DEFAULTLUS
LU1 LU2 LU3 LU4
ENDDEFALTLUS
RESTRICTAPPL APPL1
USER USER3 LU LU3
ALLOWAPPL APPL2 LU LU4
If LU name mapping by application name or user ID is wanted with TN3270E clients, the following three solutions are available: