Trying to determine what ACF2 SDSF resource rules control DA commands. Turning on ACF2 rule logging to $KEY(ISFCMD) TYPE(SDF) and reviewed the z/OS V2.4 SDSF Operations and customization. 

The rule is setup: DSP.ACTIVE.-     UID(*) SERVICE(READ) ALLOW

When the user is in DA, issues S FSAD command, nothing shows up.

What ACF2 resource actual checks the commands on the DA panel?

Release : 16.0

Component : ACF2 for z/OS

ACF2 does not drive the resource checks from SDSF, the SDSF code makes RACROUTE REQUEST=AUTH calls for SDSF resources. ACF2 validates the passed resource and passed back applicable return codes to SDSF. We recommend checking with SDSF support to determine if there is a more granular check for the actual command issued from the DA panel other than the documented resource check for resource ISFCMD.DSP.ACTIVE.JES2.

The only RACROUTE REQUEST=AUTH appears to be issued from SDSF from the DA panel for S xxxxxxxx is for the resource ISFCMD.DSP.ACTIVE.JES2. Review of the IBM SDSF documentation did not not result reveal any details or resource checks associated with the specific command 'S xxxxxxxx' only the DA command, nothing more granular.