After following the instructions for DISA STIG ACF2-JS-000080, the DENY rules written for the JESINPUT class are not denying access. Nothing shows up on the ACFRPTRV report for the resource type that was created.
Release : 16.0
Component : ACF2 for z/OS
ACF2 has an internal SAFDEF called APPL that tells it to ignore requests for the JESINPUT resource class. To override this SAFDEF and activate validation for the JESINPUT class, create the following SAFDEF:
ACF
SET C(GSO)
INSERT SAFDEF.JESINPUT ID(JESINPUT) MODE(GLOBAL) RACROUTE(REQUEST=AUTH CLASS=JESINPUT REQSTOR=ACF9CSFV)
F ACF2,REFRESH(SAFDEF)
To comply with the STIG, the same user ID must exist on both systems for JESINPUT to validate properly. Otherwise, ACF2 uses the DFTLID specified in the GSO NJE record. If no DFTLID is specified in the NJE record, ACF2 then tries the DFTLID specified in the GSO OPTS record. If that does not exist either, ACF2 cannot find a suitable logonid and substitutes ++++++++ for the logonid.
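The fallback order above can be used to pre-check which inbound submitters would not be validated under their own logonid. The following Python sketch is an added example, not ACF2 or Broadcom code; the function names, logonids, and DFTLID values are constructed assumptions, and only the order of precedence and the ++++++++ substitute come from the text above.

```python
# Added illustration: models the logonid fallback order described in the article.
# Function names and all sample data are constructed; this is not ACF2 code.

NO_LOGONID = "++++++++"  # value the article says ACF2 substitutes


def resolve_logonid(submitter, local_logonids, nje_dftlid=None, opts_dftlid=None):
    """Return (logonid, source) that JESINPUT validation would use."""
    if submitter in local_logonids:
        return submitter, "matching logonid"
    if nje_dftlid:                      # DFTLID in the GSO NJE record
        return nje_dftlid, "GSO NJE DFTLID"
    if opts_dftlid:                     # DFTLID in the GSO OPTS record
        return opts_dftlid, "GSO OPTS DFTLID"
    return NO_LOGONID, "none found"


def audit_submitters(submitters, local_logonids, nje_dftlid=None, opts_dftlid=None):
    """List submitters that would NOT be validated under their own logonid."""
    findings = []
    for user in submitters:
        lid, source = resolve_logonid(user, local_logonids, nje_dftlid, opts_dftlid)
        if source != "matching logonid":
            findings.append((user, lid, source))
    return findings


if __name__ == "__main__":
    # Constructed sample: logonids defined locally and owners of inbound jobs.
    local = {"PAYROLL1", "OPSJOB", "SYSPROG"}
    inbound = ["PAYROLL1", "DEVUSR7", "OPSJOB", "TESTER2"]
    # No DFTLID in the NJE record, hypothetical NJEDFLT in the OPTS record.
    for user, lid, source in audit_submitters(inbound, local, opts_dftlid="NJEDFLT"):
        print(f"{user}: validated as {lid} ({source})")
```

Any submitter reported here is checked against JESINPUT rules under a default logonid or ++++++++ rather than its own, so DENY rules keyed to the individual user ID will not apply to it as written.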