In the example below, under a RACF-secured system, an FTP user is failed for authorization to IRR.DIGTCERT.LISTRING in the FACILITY class and receives the accompanying ICH408I message.

However, under an ACF2-secured system, trying the same access, the same FTP user is failed for authorization but does not receive the expected ACF04056 ACCESS TO RESOURCE NOT AUTHORIZED message.

A SECTRACE shows that the RACROUTE was issued with the MSGSUPP=YES option:

CAS21D0I TRACEID: abc      EVENT#:  nnnnnnnn                                                 
CAS21D0I JOBNAME: jjjjjjjj  USERID:  uuuuuuuu   ASID: 01A9                                     
CAS21D1I PROGRAM: FTP      RB CURR: FTP      APF:  YES  SFR/RFR: 8/8:0                      
CAS21D3I SAFDEF:  GENAUTH  INTERNAL MODE: GLOBAL                                            
CAS2231I RACHECK  *** ESM MESSAGE(S) ***                                                    
CAS2232I ACF04056 ACCESS TO RESOURCE IRR.DIGTCERT.LISTRING TYPE RFAC BY uuuuuuuu NOT AUTHORIZED
CAS2200I RACROUTE REQUEST=AUTH,REQSTOR='SAFRT002',CLASS='FACILITY',                         
CAS2200I          RELEASE=1.9.2,STATUS=NONE,ATTR=UPDATE,DSTYPE=N,                           
CAS2200I          DECOUPL=YES,ENTITYX=('IRR.DIGTCERT.LISTRING'),                            
CAS2200I          FILESEQ=0,GENERIC=ASIS,LOG=ASIS,MSGSP=0,MSGSUPP=YES,                      
CAS2200I          TAPELBL=STD,WORKA=                                                        

Release : 16.0

Component : CA ACF2 for z/OS

Some software, both IBM and ISV (independent software vendor), provides parameters to override the suppression. For example:

- The SECURITY=YES|NO parm of the JES2 $TDEBUG command controls the message suppress parm on RACROUTE calls issued by JES2.

- CA JOBTRAC has a parm MSGSUPP=YES|NO that changes the RACROUTE call. 

ACF2 is working as designed.

More details on the RACROUTE MSGSUPP parameter can be found on the page at

https://www.ibm.com/docs/en/zos/2.5.0?topic=macros-racroute-standard-form