The failing RACROUTE call for the IBM Debug Tool v10.1.0 looks like:
SMFID= <sysid> TOD= 08:05:31.38 TRACEID= DEBUG USERID= <userid> JOBNAME= <jobname> ASID= <asid> PGM= IQIVPI CURR RB= IQIVPI SFR/RFR= N/A MODE= TASK APF= NON-AUTHORIZED LOCKS= NONE
RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=1.9,STATUS=ACCESS, ATTR=READ,DSTYPE=N,ENTITY=('TOOL.BROWSE.MVS'),FILESEQ=0, GENERIC=ASIS,LOG=ASIS,MSGSP=0,TAPELBL=STD,WORKA=
To avoid the S047 abend an ACF2 GSO SAFDEF can be coded to bypass the APF authorization check for the STATUS=ACCESS RACROUTE call.
The RACROUTE STATUS=ACCESS call permits a user to interrogate security definitions (access and resource rules) to determine access levels for a user. No auditing is done for this request.
In order to maintain system integrity, ACF2 requires that a user be APF authorized to access security definitions. Because the IBM Debug Tool v10.1.0 is not authorized, ACF2 abends the task with an S047 abend.
To accommodate this situation, ACF2 will allow the security administrator to define the specific calls for which the APF authorization check for STATUS=ACCESS will be bypassed.
Users who do not want to use this method should contact the vendor of the product and request that the STATUS=ACCESS call be made in an APF authorized environment.
The bypassing of the authorization check in ACF2 is done through use of the 'NOAPFCHK' keyword added to the GSO SAFDEF record. 'NOAPFCHK' will only be honored for STATUS=ACCESS calls. An example of the SAFDEF used for the IBM Debug Tool v10.1.0 follows:
ACF SET CONTROL(GSO) INSERT SAFDEF.TOOLS PROGRAM(IQIVPI) RB(IQIVPI) NOAPFCHK - RACROUTE(REQUEST=AUTH,CLASS=FACILITY,STATUS=ACCESS)
Details on the ACF2 SAFDEF can be found in the ACF2 Security for z/OS Administrator Guide in Chapter 14: Maintaining Global System Options Records, section "Environments for SAF Calls (SAFDEF)".