Description
A user who has no access to a dataset is able to edit an empty dataset or new PDS member and make updates, and gets a violation only when trying to save the dataset or member. Why doesn't the violation occur on entry to edit, when the dataset is opened?
The violation is:
ACF99913 ACF2 VIOLATION-04,00,lid, vol, name, dsn, exit
RC 04: Write access was attempted.
req 00: The DADSM OPEN issued the request.
Solution
When editing an empty dataset or PDS member, access is not checked on entry to edit. The violation can occur when attempting to save, if the user does not have access.
When going into edit, IBM code detects that the sequential dataset is empty and bypasses the open for input because there is nothing to read. It presents the edit screen, and the user data is entered into ISPF working storage. When the data is saved, the dataset is opened for output and ACF2 validation occurs.
There is no security exposure. This is working as expected with an ISPF EDIT of an empty dataset or PDS member.
Details on ACF2 ACCESS rules can be found in the CA-ACF2 Security for z/OS Implementation Planning Guide r12, Chapter 2: System Access, Data, and Resource Access, section "Access Rules".