There is a permit for ACCESS(READ) for the resource in the ALL Record but the access fails with:

TSS7227E READ Access Not Granted to Dataset ABC.PROD.DEF

The TSSUTIL VIOLATION REPORT SHOWS:

DATE TIME SYSI ACCESSOR JOBNAME FFM VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC RESOURCE (TYPE & NAME) JOBID TERMINAL

-------- -------- ---- -------- -------- --- -- -------- -------- -------- ------- --- ---------------------------- ------- --------

10/12/19 07:45:09 ssss aaaaaa   jjjjjj B F 01 GSSC0001 READ NONE *08*-66 OPN D PROD14  ABC.PROD.DEF J003056 INTRDR  

Release : 16.0

Component : CA Top Secret for z/OS

The 08-66 means that a permit was found but it was not for the correct access level.

You can use TSSSIM to help determine where the permit being used to deny access is located:

=== CMD      ==> $DSN('ABC.PROD.DEF') ACC(READ)                                           

=== RACHECK  ==> TSS7227E READ Access Not Granted to Dataset ABC.PROD.DEF         

              ==> TSS8381I RESOURCE ACCESS DENIED                                               

              ==> REG15   = 08               FDB-RC  = 08           FDB-DRC = 66                

              ==> REQUEST = 4000               ALLOWED = 0000           VOLUME  = 1000          

              ==> REASON  = PERMITTED        *USER*                 RULE #    60                

              ==> VOL-FLG = 00-00-00-00                             SUB-FLG = 00-00-01-40-01    

 === CMD      ==> END 

The above information tells us to look in the USER Record at RULE# 60.   
Found at Rule# 60:

XA DATASET = *.PROD.  OWNER(acid )

    ACCESS = NONE

If you can not use TSSSIM, you can search for the permit in the following acid listing.  But be aware that searching for the data set high level qualifier may not work as in this case because the rule that denied access started with a masking character.
TSS LIST(acid) DATA(ALL,PROFILES)