Seeing SYSTEM ACCESS violations with *MISSING ACID for logons with PGM=IKJEFT01 and FACILITY=OPENMVS which are triggered by someone issues TSO commands with 'tsocmd' via SSH.
The JOBNAME field is also always set to the ACID used in the ssh command and appended digit.
This violation is recorded for a successful logon where the TSO command is executed in the shell and the output can be seen.
There is a policy set to capture all of SYSTEM ACCESS violations but also have an exclude policy before it that excludes specific LOG= values.
These violations do NOT get reported in TSSUTIL report that reads the Audit Tracking File.
Why do we see these incorrect violations?
Release : 16.0
Component : CA Top Secret for z/OS