NON-CNCL privilege User IDs showing ACF2 dataset access violation message

Article ID: 129720

Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

User IDs with the NON-CNCL privilege show an ACF2 violation message in syslog and ACFRPTDS, but the SEC-VIO count in the logon ID does not appear to increase. Why do IDs with the NON-CNCL privilege produce an ACF2 dataset access violation message? The ACF2 test command shows access is allowed.

SYSLOG Messages:
ACF99913 ACF2 VIOLATION-04,02,XXXLID,COLXXX,xxxx.xxxx.xxxx.xxxxx,N/A 
'IF ACCESS TO THIS RESOURCE IS REQUIRED, CONTACT THE ACF2 ADMINISTRATOR,


TSO, ACF, List of the logonid:
list XXXLID
  XXXLID                          JXXXLID DEFAULT LID  
                       DEPT(1000) ENTRPRZ(CH) FUNCRESP(S) JOBRESP(J) 
                       LOCATION(PD) REAL-LOC(4015)                        
  PRIVILEGES           NON-CNCL STC
  STATISTICS           CRE-TOD(00/00/00-00:00) SEC-VIO(471)  

Environment

Release:
Component: ACF2MS

Resolution

With NOVSAMFAIL set in the RULEOPTS record of the GSO, ACF2 issues a violation message but does not fail the actual validation; instead, it takes the existing WARN message in the GSO and displays it.

If the validation should be allowed, update the rules to allow it. When all rules are corrected, change the RULEOPTS record NOVSAMFAIL to VSAMFAIL by issuing the following command to start enforcing the previously allowed VSAM OPEN requests.

F ACF2,REFRESH(RULEOPTS)

A NON-CNCL userid will only report logging on a possible violation, and you will not see an ACF99913.
The NON-CNCL userid will now behave as expected.
 

Additional Information

Review: CA ACF2 Rule Option Specifications (RULEOPTS)