TPX supports dynamic sessions (access to VTAM applications that are accessible to the VTAM Host that TPX is running on,
 and applications that are not defined in the running ACT). When using this feature only Unique Virtual Terminals are used. 
The TPX administrator can limit who can do dynamic sessions through the Command Authorization Classes.

If there is connectivity to the application, regardless of whether it is defined in TPX, it can be accessed.

To prevent the ability to /a to an application from TPX,  review how your command authorization classes are setup and 
put an 'N' by Activate Sessions under Dynamic Sessions.

TPX: How to Maintain Command Authorization Classes

> TPXADMIN, option 1 User/Group Maintenance, Option 5 Command Authorization Class.

   Select the group and update the appropriate class. The Commands are listed under each class and can be allowed or prevented, 

   shown below is where Dynamic Session activation is turned off.