When starting a CICS region status server the following error is seen: 

DFHCF0512  RACROUTE REQUEST=FASTAUTH for resource TESTPLEX gave R15=00000008,SAFPRRET=00000008,SAFPRREA=00000000.                                     
DFHCF0513  Attempt to open table TESTPLEX was rejected by the external security manager.

What is causing this problem, and how can it be fixed?

Release : 16.0

Component : CA ACF2 for z/OS

The description of message DFHCF0512 states the following

DFHCF0512      RACROUTE REQUEST=FASTAUTH for resource resource gave R15=rc, SAFPRRET=retcode, SAFPRREA=rsncode.      
                                                        
Explanation:  A coupling facility data table OPEN, SET  or DELETE security check gave a non-zero return code.   
This message indicates the resource name used for the   check, the RACROUTE register 15 return code and the     
external security manager return and reason codes  returned in the SAF request parameter list.             
                                                        
System action:   Access to the table is rejected with   message DFHCF0513.                                      
                                                        
User response: See the documentation of the  RACROUTE macro with REQUEST=FASTAUTH in                 
z/OS Security Server RACROUTE Macro Reference  (GC28-1922) for the explanation of the return and       
reason codes.                                           
                                                        
Module: DFHCFXS   

description of message DFHCF0513 is as follows

DFHCF0513      Attempt to open table table was rejected  by the external security manager.          
                                                          
Explanation:  A security check was performed by the       
coupling facility data table server to determine whether  
the connected region was allowed to open the named        
table, and the external security manager indicated that   
access was not allowed.                                   
                                                          
System action:   The table open request is rejected.      
                                                          
User response:   See the preceding message                
DFHCF0512 for the specific reason that access was         
rejected. Check that the correct table name was           
specified. Ensure that the client region is authorized to 
access the resource matching the table name (prefixed     
by the server region userid if SECPRFX=YES was            
                                                          
specified) in the CICS file resource class (usually       
'FCICSFCT').                                              
                                                          
Module: DFHCFXS                                           

The FCICFCT violoation is occurrimg outside of ACF2/cics and needs a rule for type SAF
(a different TYPE can be assigned by adding a clasmap record in ACF2 Control(GSO) )

The violation was for UPDATE access.
The resource class is FCICSFCT  
The resource name in the validation is TESTPLEX
RSAF-TESTPLEX                                            *VIO RSAF-TESTPLEX
CICSUIDCICS1 STCINRDR SYS2 ACF9CFAT NO-REC - DIRECTRY UPDT
20.191 07/09 12.53 CIC1JOB CICS1TEST CICS REGION              0 8 0 0 16
SAF RESOURCE CLASS FCICSFCT
RESOURCE NAME: TESTPLEX