One person who is set up under ACF2 can send an API request to the mainframe and access the console, while another person who is set up the same way gets no response back when sending the API request to the mainframe. What is needed to debug the issue?
Release : 16.0
Component : CA ACF2 for z/OS
The easiest approach to debugging 'console access' problems is to turn on the logonid TRACE bit for both logonids, have both users access the console, and then run the ACFRPTRV report to see which resource validations are done for each logonid.
If use of the TRACE bit does not identify the cause of the problem, the next course of action is to use SECTRACE. If this is occurring on a test system, an open SECTRACE can be set with a small window to trace all calls just for the console access. The calls are expected to be RACROUTE AUTH calls for resource class OPERCMDS; however, other RACROUTE calls could be involved. For example:
sectrace set,id=mytrace2,trace=all,end
The SECTRACE records can be printed using the ACFRPTST report. Sample JCL follows.
//REPORT EXEC PGM=ACFRPTST,PARM=('DETAIL')
//SYSPRINT DD SYSOUT=*
//* THE FOLLOWING DDS SHOULD POINT TO THE SMF DATASETS
//RECMAN1 DD DISP=SHR,DSN=SYS1.MAN4
//RECMAN2 DD DISP=SHR,DSN=SYS1.MAN5
//RECMAN3 DD DISP=SHR,DSN=SYS1.MAN6
//*
Another area to investigate is the site's IKJ exits, which can impact console access.