Here is an issue that was reported by a user trying to set up z/OS Connect API functionality and receiving error message:

CWWKS2909E: A SAF authentication or authorization attempt was rejected because the server is not authorized to access the following SAF resource: APPL-ID BBGZDFLT. Internal error code 0x03008108

[3/17/20 19:37:36:401 GMT] 0000002b id=c9dff7d0 com.ibm.ws.security.saf.SAFExceptioncom.ibm.ws.security.saf.SAFException: CWWKS2909E: A SAF authentication or authorization attempt was rejected because the server is not authorized to access the following SAF resource: APPL-ID BBGZDFLT. Internal error code 0x03008108

[3/17/20 19:37:36:403 GMT] 0000002b id=c9dff7d0 com.ibm.ws.security.saf.SAFException
< getMessage Exit
CWWKS2909E: A SAF authentication or authorization attempt was rejected because the server is not authorized to access the following SAF resource: APPL-ID BBGZDFLT. Internal error code 0x03008108.
[3/17/20 19:37:36:401 GMT] 0000002b id=c9dff7d0 com.ibm.ws.security.saf.SAFException
< <init> Exit 
com.ibm.ws.security.saf.SAFException: CWWKS2909E: A SAF authentication or authorization attempt was rejected because the server is not authorized to access the following SAF resource: APPL-ID BBGZDFLT. Internal error code 0x03008108.

How to determine what resource rule to write for ACF2?

Release : 16.0

Component : CA ACF2 for z/OS

• running the ACFRPTRV for a user
• determining what resource(s) user is trying to access
• write a rule to give appropriate access to the user