When no SURROGAT resources are defined to Top Secret, CICS transactions can run with any ACID, even in FAIL mode.
The security trace shows RC=04, but SAF has to return x'00' rather than x'04' to CICS, because CICS understands only x'00' or x'08' as SAF return codes:
x'00' for allowed access
x'08' for failed access
Because CICS receives x'00' instead of x'04', access is allowed.
To prevent access from undefined SURROGAT resources, choose one of the following options:
1) Define the following SURROGAT resource to CA Top Secret and permit it to the *ALL* record:
TSS ADD(dept) SURROGAT(*.DFHSTART)
TSS PER(ALL) SURROGAT(*.DFHSTART) ACTION(FAIL)
2) Add the DEFPROT attribute to the SURROGAT class in the RDT:
TSS REP(RDT) RESCLASS(SURROGAT) ATTR(DEFPROT)
List the SURROGAT class in the RDT to verify:
TSS LIS(RDT) RESCLASS(SURROGAT)