ACF2 resource rule refusing access during TEST sub command

Article ID: 145159

Products: ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Getting unexpected results when using the ACF TEST sub-command with a resource rule.

The following violation is received:

ACF04056 ACCESS TO RESOURCE TEST.PRODUCT.ABCD.ABC10001 TYPE RFAC BY USERABC NOT AUTHORIZED

The ACF2 violation report shows:

REQUESTED RESOURCE                               REC  LOOKUP KEY               
UID                      SOURCE   CPU  MODULE   DISP     DSP-MOD  KEY-MOD  SERV
    DATE     TIME     JNAME    LID      NAME                 PRE RMC INT PST FIN
MLS     USER-SECLABEL RSRC-SECLABEL MODE   SRC     RRC      RSN                
                                                                               
RFAC-TEST.PRODUCT.ABCD.ABC10001             *VIO  RFAC-TEST                 
USERABC OMVSDGRP         STCINRDR sys1 ACF9CAUT NO-RULE     -     DIRECTRY READ
20.034 02/03 15.56    USERABC USERABC COMPANY/LMS    -P    0   0  20   0  16
SAF RESOURCE CLASS FACILITY 

The ACF2 rule is coded as follows:

l test                                                                 
 ACF75052 RESOURCE RULE TEST STORED BY xxxxxx ON 02/11/20-16:26        
 $KEY(TEST) TYPE(FAC)                                                 
  PRODUCT.LICENSE.- UID(USERABC) SERVICE(UPDATE) PREVENT 
  PRODUCT.ABC.- - UID(*) ALLOW
  - UID(*) SERVICE(READ) LOG
 ACF75051 TOTAL RECORD LENGTH= 298 BYTES, 7 PERCENT UTILIZED          
 RESOURCE                                                             

Testing the rule gives:

test TEST                                               
 .  r(PRODUCT.ABCD.ABC10001) UID(USERABC)           
 ACF71114 THE FOLLOWING PARAMETERS ARE IN EFFECT:      
  DATE=02/14/20 TIME=0856 SOURCE=********  UID=xxxxxxx  
  LID=         ROLE=                                   
                                                       
  TARGET RESOURCE: RFAC TEST.PRODUCT.ABCD.ABC10001   
                                                       
  NO RULE APPLIES IN RESOURCE RECORD TEST TYPE FAC     
                                                       
  RESULT: ACCESS WOULD BE DENIED                       
  REASON: KEY MODIFIED BY DIRECTORY                    

Why does this rule not permit UID(USERABC) access to resource TEST.PRODUCT.ABCD.ABC10001, TYPE RFAC?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

If the SERVICE keyword is omitted from the TEST command, CA ACF2 assumes ALL services. Access is therefore denied, because no rule line grants all service types for this resource.

For the TEST command to work properly with resource rules, include the service type. To test for read access, do the following:

test TEST
. r(PRODUCT.ABCD.ABC10001) UID(USERABC) SERVICE(READ)

To test for update access, do the following:

test TEST
. r(PRODUCT.ABCD.ABC10001) UID(USERABC) SERVICE(UPDATE)

If the SERVICE keyword is specified on the TEST command but that service is not on the matching rule line, the user is denied access as well: for the TEST command to find a rule line, the SERVICE on that line must be an exact match for the service requested. To test for access to all services, do the following:

test TEST
. r(PRODUCT.ABC.ABC10001) UID(USERABC)