An *08*-88 error is received on an IBMFAC Resource that has been permitted to the acid.

The TSSUTIL Violation Report show the following:

 DATE     TIME   SYSI ACCESSOR JOBNAME  FFM VC PROGRAM  R-ACCESS A-ACCESS SRC/DRC SEC RESOURCE (TYPE & NAME)       JOBID   TERMINAL

-------- -------- ---- -------- -------- --- -- -------- -------- -------- ----- -- --- ---------------- ------------ ------- --------

10/24/19 12:06:25 OS22 acid    ESP      07F    CABSS000 READ     NONE     *08*-88     f ESP.GROUP.acid             S008763         

10/24/19 14:39:31 OS22 acid    ESP      07F    CABSS000 READ     NONE     *08*-88     f ESP.GROUP.acid             S008763

The acid has the following permit:

XAUTH = ESP.GROUP.*  ACID(ESPDEPT )

   ACCESS = UPDATE

CA Top Secret Release : 16.0

z/OS 

Incorrect permit of a resource that is defined with NOMASK.

The IBMFAC Resource is defined by Default as NOMASK.  

MASK (RIE only) supports masking for this resource class.

NOMASK (RIE only) deactivates masking for this resource class.

List the IBMFAC Resource in the RDT and see if it has NOMASK:

 TSS LIST(RDT) RESCLASS(IBMFAC)

RESOURCE CLASS = IBMFAC
RESOURCE CODE = X'066'  
ATTRIBUTE = NOMASK,MAXOWN(44),MAXPERMIT(064) 
ACCESS = NONE(0000),CONTROL(0400),UPDATE(6000),READ(4000)
ACCESS = WRITE(2000),ALL(FFFF)
DEFACC = READ
TSS0300I LIST FUNCTION SUCCESSFUL

If the IBMFAC Resclass has NOMASK, then the violations are correct because the * would be looked at as a literal and not a masking character. This means the actual resource that the permit is for is ESP.GROUP.*. The asterisk is not a masking character in this case; it is literally an asterisk. If the IBMFAC Resclass is defined with NOMASK then you will have to revoke the permits and re-permit them without the asterisk. For example:

TSS REVOKE(acid) IBMFAC(ESP.GROUP.*)
TSS PERMIT(acid) IBMFAC(ESP.GROUP.) ACCESS(UPDATE)

For details see the Top Secret documentation section: Define a Resource to the RDT