An interesting situation. Is there something in particular related to CEMT that the requestor is endeavoring to block? I ask because such a request should also take into account other means of doing CEMT-like things, i.e., the CECI command interpreter and access to CICS SPI (system programmer interface) commands (or via other CICS programs), as well as other programmatic-type interfaces and/or OEM/ISV vendor products that might do the same thing.
As for providing such compartmentalized access in an ACF2 environment - there really are no methods of writing a single resource rule that will behave one way when used on systems A, B, and C - but differently when used on system D. The only environmental elements that might be used within the rule itself might be the UID string itself (if it were different between these systems, a potential problem area in of itself if it were different), or perhaps the SOURCE name (if there were some means to distinguish between a terminal/source on one system to that of a terminal/source from another system.
I should add that you can always write an exit program to handle this type of exception processing, but process clarity and audit procedures may dictate that such an approach not be followed.
Keep in mind that one might be able to still get to the CEMT on the system where it requires special protections from another CICS TOR by means of the CICS routing transaction, CRTE, or, if implicit transaction routing names for CEMT transactions were defined - via such a request (e.g. DEMT being an implicitly routed transaction ID defined on systems A, B, and/or C which route the transaction over to SYSTEM D).
Hope this helps!
Regards,
Dave Hrycewicz
Sr. Principal Software Engineer
CA ACF2 Development
Lisle, IL