Why does using the ACF2 TEST command from TSO, ACF or from the ACF2 ISPF ACFTESTR panel get 'NO RULE APPLIES IN RESOURCE RECORD ruleid TYPE xxx' and RESULT: ACCESS WOULD BE DENIED when the rule does grant access?

Usually when this issue occurs, it has to do with the way the resource rule entries are coded using the SERVICE parameter. With the TEST command, when you omit the SERVICE keyword, ACF2 assumes ALL services. This is mentioned in section: Process Resource Rules sub-section 'TEST Subcommand/Keywords':

SErvice(Read,Add,Update,Delete,Execute)
Specifies the type of resource access tested. This access type can be READ, ADD, UPDATE, DELETE, or EXECUTE. Separate multiple access types with blank characters or commas as delimiters. When you omit the SERVICE keyword, ACF2 assumes ALL services. Execute access type does not work with CICS resource.

If the rule entries in the ruleid specify SERVICE, when using the TEST command from the panels or from TSO ACF SERVICE must be specified otherwise the RESULT: ACCESS WOULD BE DENIED occurs.

For example, if there was a rule entry 'ZOSMF ROLE(roletech) ALLOW' coded rather than 'ZOSMF ROLE(roletech) SERVICE(READ) ALLOW' then the TEST command with no SERVICE would work.