ACF2 logonids with NON-CNCL and SECURITY are allowed access to all datasets and resources so access cannot be prevented to the File Manager MQ FACILLITY class resource FMNMQ.DISABLE.system_name using ACF2 resource rules.

Release : 16.0

Component : CA ACF2 for z/OS

Since ACF2 logonids with NON-CNCL and SECURITY are allowed access to all datasets and resources so access cannot be prevented to the File Manager MQ FACILLITY class resource FMNMQ.DISABLE.system_name using ACF2 resource rules.

To prevent logonids with NON-CNCL or SECURITY access to the File Manager MQ FACILLITY class resource FMNMQ.DISABLE.system_name the following SAFDEF can be used.

ACF
SET CONTROL(GSO)
INSERT SAFDEF.FMMQ FUNCRET(20) FUNCRSN(0) ID(FMMQ) MODE(IGNORE) - 
NOAPFCHK RACROUTE(REQUEST=AUTH CLASS=FACILITY ENTITY=FMNMQ.DISABLE.system_name) - 
RETCODE(0) USERID(*******)
F ACF2,REFRESH(SAFDEF)

For details see IBM File Manager for z/OS V14.1 documentation Section: Disabling Websphere MQ feature by system name.