Per IBM documentation, CICS will make a RACROUTE call under the APPL class. ACF2 ignores APPL class calls by default. So an override to a SAFDEF is needed. The default CLASMAP for APPL class points to SAF, so that is recommended to be changed also. Since other components of z/OS make APPL calls, a generic rule to allow the access or logging the access should be created. Here are some examples for these changes.
$KEY(********) TYPE(APL) UID(-) ALLOW
SET CONTROL(GSO) INSERT CLASMAP.APPL ENTITYLN(8) RESOURCE(APPL) RSRCTYPE(APL) LOG CHANGE INFODIR TYPE(R-RAPL) ADD F ACF2,REFRESH(CLASMAP) F ACF2,REFRESH(INFODIR) F ACF2,REBUILD(APL)
INSERT SAFDEF.APPL2 ID(APPL2) MODE(GLOBAL) RACROUTE(REQUEST=AUTH,CLASS=APPL) F ACF2,REFRESH(SAFDEF)
At this point the system will still be working as before but making APPL validations and all are allowed. Now APPL rules for CICS regions can be added.
$KEY(eight char CICS region applid) TYPE(APL) UID(uid string of user allowed to region) ALLOW UID(-) PREVENT <=== to prevent all other users