In the example below, under a RACF-secured system, an FTP user is failed for authorization to IRR.DIGTCERT.LISTRING in the FACILITY class and receives the accompanying ICH408I message.
However, under an ACF2-secured system, trying the same access, the same FTP user is failed for authorization but does not receive the expected ACF04056 ACCESS TO RESOURCE NOT AUTHORIZED message.
A SECTRACE shows that the RACROUTE was issued with the MSGSUPP=YES option:
CAS21D0I TRACEID: abc EVENT#: nnnnnnnn
CAS21D0I JOBNAME: jjjjjjjj USERID: uuuuuuuu ASID: 01A9
CAS21D1I PROGRAM: FTP RB CURR: FTP APF: YES SFR/RFR: 8/8:0
CAS21D3I SAFDEF: GENAUTH INTERNAL MODE: GLOBAL
CAS2231I RACHECK *** ESM MESSAGE(S) ***
CAS2232I ACF04056 ACCESS TO RESOURCE IRR.DIGTCERT.LISTRING TYPE RFAC BY uuuuuuuu NOT AUTHORIZED
CAS2200I RACROUTE REQUEST=AUTH,REQSTOR='SAFRT002',CLASS='FACILITY',
CAS2200I RELEASE=1.9.2,STATUS=NONE,ATTR=UPDATE,DSTYPE=N,
CAS2200I DECOUPL=YES,ENTITYX=('IRR.DIGTCERT.LISTRING'),
CAS2200I FILESEQ=0,GENERIC=ASIS,LOG=ASIS,MSGSP=0,MSGSUPP=YES,
CAS2200I TAPELBL=STD,WORKA=
Release : 16.0
Component : CA ACF2 for z/OS
Some software, both IBM and ISV (independent software vendor), provides parameters to override the suppression. For example:
- The SECURITY=YES|NO parm of the JES2 $TDEBUG command controls the message suppress parm on RACROUTE calls issued by JES2.
- CA JOBTRAC has a parm MSGSUPP=YES|NO that changes the RACROUTE call.
ACF2 is working as designed.
More details on the RACROUTE MSGSUPP parameter can be found on the page at
https://www.ibm.com/docs/en/zos/2.5.0?topic=macros-racroute-standard-form