A violation is seen with new HFS/ZFS rules, even though the TEST command shows access should be granted.
Example rule:
$KEY(/usr) TYPE(HFS)
/lpp/mqm UID(PROD) SERVICE(READ) ALLOW
/lpp/mqm UID(OPER) SERVICE(READ) ALLOW
- UID(*) PREVENT
ACF2 resource rule processing treats the period character as a delimiter. This delimiter is used when writing extended resource rules to provide security for resource names longer than forty characters. Path names, however, use the slash character as a delimiter. Before a file is validated, all slash characters in the path name (except the first) are translated into the period delimiter. Other special characters are translated into the dollar sign ($). These include characters that are used as masking characters in resource rules; if not translated, they could create undesired results. The special characters are the period, asterisk, dash, plus, blank, and quote. An exit point is provided that can further modify any character to meet special needs, with the exception of the slash character, which is always translated to a period delimiter.
The example rule should look like this:
$KEY(/usr) TYPE(HFS)
lpp.mqm UID(PROD) SERVICE(READ) ALLOW
lpp.mqm UID(OPER) SERVICE(READ) ALLOW
- UID(*) PREVENT
The ACFRPTRV report can be used to look at the violation and see the translated path name.
Additional examples can be found in the ACF2 documentation, section Path Name Translation in File Access Security.
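
The translation described above can be reproduced offline to predict the name a rule line must match, or to catch rule lines still written with slashes. This is an added Python example, not ACF2 or vendor code. The function names are hypothetical, "quote" is assumed to mean the apostrophe, and the optional translation exit is not modelled.

```python
from typing import Optional

SLASH = "/"
# Characters the article lists as translated to "$".
# Assumption: "quote" means the apostrophe.
TO_DOLLAR = set(".*-+ '")


def translate_path(path: str) -> str:
    """Return the resource name that is validated for an absolute path name."""
    if not path.startswith(SLASH):
        raise ValueError("expected an absolute path name")
    out = [SLASH]                       # the first slash is kept
    for ch in path[1:]:
        if ch == SLASH:
            out.append(".")             # later slashes become the period delimiter
        elif ch in TO_DOLLAR:
            out.append("$")             # special and masking characters become "$"
        else:
            out.append(ch)
    return "".join(out)


def rule_entry(path: str, key: str) -> str:
    """Return the part of the translated name that follows $KEY(key)."""
    name = translate_path(path)
    if name == key:
        return ""
    if not name.startswith(key + "."):
        raise ValueError(f"{path} is not covered by $KEY({key})")
    return name[len(key) + 1:]


def lint_rule_line(line: str) -> Optional[str]:
    """Flag a rule line whose resource part is still written as a path."""
    parts = line.split(None, 1)
    resource = parts[0] if parts else ""
    if SLASH not in resource:
        return None
    as_path = resource if resource.startswith(SLASH) else SLASH + resource
    fixed = translate_path(as_path)[1:]  # drop the slash added for translation
    return f"'{resource}' will not match a translated path name; use '{fixed}'"


if __name__ == "__main__":
    print(translate_path("/usr/lpp/mqm"))
    print(rule_entry("/usr/lpp/mqm", "/usr"))
    print(lint_rule_line("/lpp/mqm UID(PROD) SERVICE(READ) ALLOW"))
```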