IAM (an Innovation Data Processing software product) datasets are not being secured by ACF2.
Innovation Data Processing has a software product called IAM (Innovation Access Method) that serves as an alternative to VSAM. Users are able to update IAM datasets bypassing ACF2 Rules.
IAM has its own intercepts to process IAM datasets. ACF2 intercepts the standard IBM (z/OS) OPEN process. When an IAM dataset is accessed, some accesses follow a non-standard IBM OPEN code path, effectively bypassing the ACF2 intercept. IBM OPEN processing also issues a SAF (RACROUTE) call to validate dataset access. ACF2 provides an internal SAFDEF that ignores this RACROUTE call because it would be a redundant validation. This same internal SAFDEF will ignore the IAM RACROUTE call.
IAM documentation states that IAM sites using ACF2 need to insert a SAFDEF call to properly validate IAM accesses. This SAFDEF will override the internal SAFDEF for the RACROUTE calls issued by IAM, ensuring that these accesses are properly validated.
To add the required SAFDEF, issue the following from ACF command mode:
SET CONTROL(GSO) INSERT SAFDEF.IAM MODE(GLOBAL) ID(IAM) RB(SVC019) RACROUTE(REQUEST=AUTH CLASS=DATASET REQSTOR=IAMAVSOC)
To implement this change, a refresh of the SAFDEF records is required:
F ACF2,REFRESH(SAFDEF)