The startup logonid used in this case has NON-CNCL and SECURITY.  

When removing SECURITY and trying to start the subsystem, the following error occurs:

CAS9800I - ENF-DB2 Interface Initialization in Progress
ACFD2404 - Unable to create ACF2 record directory
ACF0A205 NOT AUTHORIZED TO ACCESS APPLICATION, SYSID, OR RECORD
CADB2001 - DB2 subsystem xxxx will not be protected by CA-ACF2/DB2 1.3 SP00

No violations are seen in the DS report, RV report, ST report, or even a SECTRACE.

The moment SECURITY is added back onto the logonid, the subsystem comes up fine.

What is the possible cause of this?

Release : 1.3

The GSO APPLDEF record for ACF2 for Db2 had the SELAUTH option set to (ACCOUNT AUDIT CONSULT LEADER SECURITY). This parameter indicates what logonid privileges have access to SET and LIST the structured infostorage records. The start-up id will need this access. This type of error does not show up in a report as it's not a SAF call that is performed, it is internal ACF2 code checking for access to the record in the database.

There are two options:

1. Set the SELAUTH option in the GSO APPLDEF record to SELAUTH(ALL) which grants all users access
2. Set one of the privilege bits specified in SELAUTH on the Db2 startup logonid (ie give the logonid ACCOUNT or AUDIT privileges)