How to enable logging for Resource CLASS='TSOAUTH', CLASS='JESSPOOL' or CLASS='WRITER' with LOG=NONE on RACROUTE call.

For example Resource CLASS='TSOAUTH' that grants CONSOLE.

The resource rule for TSOAUTH already has a rule entry with LOG specified:
 
$KEY(CONSOLE) TYPE(TSO)
$USERDATA(TSOAUTH CONSOLE)
 UID(ABCD) LOG DATA(ACF2-TS-000010)
 UID(*) PREVENT DATA(ACF2-TS-000010)

Release : 16.0

Component : ACF2 for z/OS

ACF2 provides an internal SAFDEF with MODE=GLOBAL for the TSOAUTH, JESSPOOL and WRITER resource classes. 

For example, the RACROUTE calls for Resource CLASS='TSOAUTH' specify LOG=NONE and IBM RACROUTE documentation explains the following for LOG=NONE: "suppresses both messages and SMF records regardless of MSGSUPP=NO". 

ACF2 will suppress the SMF records when the RACROUTE call specifies LOG=NONE and there will be no entries in the violation report.  There are two options to enable logging:

1. Put a TRACE bit on a logonid to override the LOG=NONE and the CLASS=TSOAUTH(JESSPOOL or WRITER) calls will be logged, and the entries will appear in the ACFRPTRV report.

2. Change GSO CLASMAP records for TSOAUTH, JESSPOOL or WRITER LOG|NOLOG parameter to force logging.

SET C(GSO)
LIST LIKE(CLASMAP.-)
CHANGE CLASMAP.TSO LOG
F ACF2,REFRESH(CLASMAP)

LOG|NOLOG
Specifies whether ACF2 overrides the LOG parameter on a matching RACROUTE AUTH or FASTAUTH call and treats it as LOG=ASIS. LOG allows logging to SMF for a violation and for rule entries with LOG that are not normally logged because the RACROUTE AUTH or FASTAUTH call specified LOG=NONE, LOG=NOFAIL or LOG=NOSTAT. NOLOG is the default. LOG|NOLOG in the CLASMAP does not affect RACROUTE AUTH or FASTAUTH calls that are logged. NOLOG does not prevent loggings.