My experience with VM:Secure Rules has been to control access to a user ID that I control, for example "REJECT AAAAAAA LINK" would block user ID AAAAAAA from linking to my ID.
What rules would I need for user ID AAAAAAA that allows it to only link to account BBBBBBB and blocks it or prevents it from linking to any other user ID?
Create a user rule to allow the LINK.
In user BBBBBB's user rules you would have:
ACCEPT AAAAAAA LINK * * (or whatever link addr and mode you want).
Then, in the SYSTEM DEFAULT (note DEFAULT vs. OVERRIDE system rules) you would have:
REJECT AAAAAAA LINK * *
You can also issue the VMSECURE QRULES command to verify the rules put in.