Someone changed an ACF2 'rule'  to cause the following errors,  a rule line was added to resolve this access. 
What audit report should be run to find the culprit?

00A0000 MXC      22343 06:48:15.45 STC27283 00000281  ACF04056 ACCESS TO RESOURCE AAAAAAAA.BBBBBBBB.CCCCCCCC.STC27283.D0000123

                                                      TYPE RSPL BY USER123 NOT AUTHORIZED

Release : 16.0

To review who changed the rule you should run ACFRPTEL.
If the  rule had not been changed back to its original content, there would be an identifier of the user who made the change and the date/time it was done.
As the rule was changed to resolve the problem, the time of the rule change is not known.
Run a report against SMF data from the time that the rule was changed back..
If a new ruleset was needed to be created, run the report from the last known time of a valid rule validation.

ACFRPTEL would be a useful report to run.

 //STEP2  EXEC  PGM=ACFRPTEL,REGION=0M    
//RECMAN1 DD DSN=SYS1.MAN1,DISP=SHR      
//RECMAN2 DD DSN=SYS1.MAN2,DISP=SHR      
//RECMAN3 DD DSN=SYS1.MAN3,DISP=SHR      
//SYSPRINT   DD  SYSOUT=*                
//HEXDUMP    DD  SYSOUT=*                
//SYSIN   DD  *                          
 DETAIL                                  
 CLASS(R)                                
 TYPE(SPL)                               
 ID(AAAAAAAA-)                            
 CHANGES       

Details of ACFRPTEL can be found at this link