When running transaction ACF from TCPIP (OTMA) using the following rule the until date was not honoured.

*RESOURCE RULE ACF STORED BY acflid1 ON 26/02/yy-17:03                  
$KEY(ACF) TYPE(ITX)                                                    
$USERDATA(res1 THIS IS THE IMS ACF TRANSACT FOR COMMAND PROCESSING X)                                           
 UID(*****id1) UNTIL(27/02/yy) ALLOW                                   

The rule was updated on 26/2

All the required refresh commands were entered (REBUILD and IMS/ACF commands)

The transaction was entered successfully over TCPIP using logon  acflid1 on 26/02

The userid is "registered" on the link
LOGONID  acflid1    IS SIGNED ON TO THE FOLLOWING LOCATIONS:
        LINK     OTMA                                    
The system left in that state until 28/02/yy

The userid is still "registered" on the link
LOGONID  acflid1    IS SIGNED ON TO THE FOLLOWING LOCATIONS:
        LINK     OTMA      

The transaction was entered again over TCPIP using logonid  acflid1  on 28/02

The transaction was executed successfully           

The transaction was entered over APPC for a verification (had not been entered over APPC previously) a violation was received             

ACFDC040 LOGONID  acflid1    SOURCE XXXXXXXX ACCESS TO TRANSACT ACF        IS DENIED  lpar 
ACF04056 ACCESS TO RESOURCE ACF TYPE res1 BY  acflid1  NOT AUTHORIZED  lpar          

Z/OS

Release: R16

This is related to the OTMA Link TIMEOUT setting.

The link Timeout setting may be set to zero.  If it is zero, the Link User extension associated with the link will be used.  The Link User extension will use the date of the last User validation.  In this case, it would be prior to the UNTIL setting.

The recommendation is to use a value in the TIMEOUT OTMA Link.  With a value set and the TIMEOUT value expired, the Link USER Extension would be rebuilt.

IMS Interface Network Security for OTMA - TIMEOUT