I received a S047 abend in ACF9C000 with the Compuware Abend-AID that appears to be related to APF authorization. What can be done to address this abend?


Article ID: 50909


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

The ACF2 SECTRACE utility can be used to verify that the abend is caused by a RACROUTE STATUS=ACCESS call and to identify the program that is making the call.

The SECTRACE can be set from the console as follows.

SECTRACE SET,ID=TEST,TRACE=ALL,FMT=DUMP,DEST=JOBLOG,TYPE=SAFP
  nn CAS21200 SPECIFY RACROUTE PARAMETERS, CANCEL OR END            
r nn,REQUEST=AUTH,END                                
  nn CAS212210 CONTINUE SAF RACROUTE SPECIFICATIONS, CANCEL, OR END 
r nn,END                                                            
  nn CAS21100 CONTINUE SECTRACE SPECIFICATIONS, CANCEL, OR END      
r nn,END                                                            
CAS21110 SECTRACE SET ON 02.026 13:01:52 ID=TEST

The failing RACROUTE call for the Compuware Abend-AID product looks like:

SMFID= SYSX         TOD= 10:20:25.81    TRACEID= T250       USERID= USER01     
JOBNAME= T250BDX    ASID= 00AB          PGM= FDBMSPLU       CURR RB= FDBMSPLU
SFR/RFR= N/A        MODE= TASK          APF= NON-AUTHORIZED LOCKS= NONE      
RACROUTE REQUEST=AUTH,CLASS='DATASET',RELEASE=1.9,STATUS=ACCESS,             
         ATTR=READ,DSTYPE=M,ENTITY=('SYSX.DB2.DSNLOAD'),FILESEQ=0,        
         GENERIC=ASIS,LOG=ASIS,MSGSP=0,TAPELBL=STD,VOLSER='P3LB25',          
         WORKA= 

To avoid the S047 abend, an ACF2 GSO SAFDEF can be coded to bypass the APF authorization check for the STATUS=ACCESS RACROUTE call.


Environment

Release:
Component: ACF2MS

Resolution

The RACROUTE STATUS=ACCESS call permits a user to interrogate security definitions (access and resource rules) to determine access levels for a user. No auditing is done for this request.

In order to maintain system integrity, ACF2 requires that a user be APF authorized to access security definitions. Because the Compuware Abend-AID program FDBMSPLU is not authorized, ACF2 abends the task with an S047 abend.

To accommodate this situation, ACF2 will allow the security administrator to define the specific calls for which the APF authorization check for STATUS=ACCESS will be bypassed.

Users who do not want to use this method should contact the vendor of the product and request that the STATUS=ACCESS call be made in an APF authorized environment.

The bypassing of the authorization check in ACF2 is done through use of the 'NOAPFCHK' keyword added to the GSO SAFDEF record. 'NOAPFCHK' will only be honored for STATUS=ACCESS calls. An example of the SAFDEF used for the Compuware Abend-AID product follows:

ACF
SET CONTROL(GSO)                                                    
INSERT SAFDEF.apf PROGRAM(FDBMSPLU) RB(FDBMSPLU) NOAPFCHK -            
       RACROUTE(REQUEST=AUTH,CLASS=DATASET,STATUS=ACCESS)               
F ACF2,REFRESH(SAFDEF)

Details on the ACF2 SAFDEF can be found in the ACF2 Security for z/OS Administrator Maintaining Global System Options Records, section "Environments for SAF Calls (SAFDEF)".
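
Because NOAPFCHK removes an integrity check, it is worth confirming from the trace that the failing call really is an unauthorized STATUS=ACCESS request and that the SAFDEF is scoped to exactly that program, RB and RACROUTE. The following Python sketch is an added example, not part of ACF2 or of the original article. It parses the SECTRACE record shown above; the function names are hypothetical, and the record layout is assumed from that single sample.

```python
import re

# SECTRACE record copied from the article (header lines plus the RACROUTE image).
SAMPLE = """\
SMFID= SYSX         TOD= 10:20:25.81    TRACEID= T250       USERID= USER01
JOBNAME= T250BDX    ASID= 00AB          PGM= FDBMSPLU       CURR RB= FDBMSPLU
SFR/RFR= N/A        MODE= TASK          APF= NON-AUTHORIZED LOCKS= NONE
RACROUTE REQUEST=AUTH,CLASS='DATASET',RELEASE=1.9,STATUS=ACCESS,
         ATTR=READ,DSTYPE=M,ENTITY=('SYSX.DB2.DSNLOAD'),FILESEQ=0,
         GENERIC=ASIS,LOG=ASIS,MSGSP=0,TAPELBL=STD,VOLSER='P3LB25',
         WORKA=
"""

# Header fields look like "KEY= value"; keys may contain a space or slash.
HEADER_RE = re.compile(r"([A-Z][A-Z/ ]*?)=\s*(\S+)")
# RACROUTE keywords: KEY=value, where value may be (...), '...' or bare.
PARAM_RE = re.compile(r"([A-Z]+)=(\([^)]*\)|'[^']*'|[^,\s]*)")

def parse_record(text):
    """Split one trace record into header fields and RACROUTE keywords."""
    header, _, call = text.partition("RACROUTE ")
    fields = {k.strip(): v for k, v in HEADER_RE.findall(header)}
    params = {k: v.strip("()'") for k, v in PARAM_RE.findall(call)}
    return fields, params

def is_noapfchk_case(fields, params):
    """True when a non-APF-authorized caller issued STATUS=ACCESS."""
    return (fields.get("APF") == "NON-AUTHORIZED"
            and params.get("STATUS") == "ACCESS")

def safdef_matches(fields, params, program, rb, request, cls):
    """Check that a SAFDEF's PROGRAM/RB/RACROUTE scope covers this call."""
    return (fields.get("PGM") == program and fields.get("CURR RB") == rb
            and params.get("REQUEST") == request
            and params.get("CLASS") == cls)

if __name__ == "__main__":
    f, p = parse_record(SAMPLE)
    print("unauthorized STATUS=ACCESS call:", is_noapfchk_case(f, p))
    # Scope values taken from the SAFDEF example in the article.
    print("covered by SAFDEF:",
          safdef_matches(f, p, "FDBMSPLU", "FDBMSPLU", "AUTH", "DATASET"))
```

A record that is flagged by `is_noapfchk_case` but not matched by `safdef_matches` points to a different program making the same call, which needs its own review rather than a broader SAFDEF.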