Release : 16.0
Component : CA ACF2 for z/OS
Per IBM documentation, CICS will make a RACROUTE call under the APPL class. ACF2 ignores APPL class calls by default. So an override to a SAFDEF is needed. The default CLASMAP for APPL class points to SAF, so that is recommended to be changed also. Since other components of z/OS make APPL calls, a generic rule to allow the access or logging the access should be created. Here are some examples for these changes.
INSERT CLASMAP.APPL ENTITYLN(8) RESOURCE(APPL) RSRCTYPE(APL) LOG
CHANGE INFODIR TYPE(R-RAPL) ADD
INSERT SAFDEF.APPL2 ID(APPL2) MODE(GLOBAL) RACROUTE(REQUEST=AUTH,CLASS=APPL)
At this point the system will still be working as before but making APPL validations and all are allowed. Now APPL rules for CICS regions can be added.
$KEY(eight char CICS region applid) TYPE(APL)
UID(uid string of user allowed to region) ALLOW
UID(-) PREVENT <=== to prevent all other users
This talks about a APPLID in a CICS region.