Looking at SECTRACE output, what does the "SAFDEF= GENAUTH INTERNAL MODE= GLOBAL" mean?

Article ID: 53671


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

The SAFDEF= and MODE= line of the SECTRACE output identifies the SAFDEF that was used to process the RACROUTE call and the mode that CA ACF2 uses to process this SAF request.

Environment

Release:
Component: ACF2MS

Resolution

Solution:

The following is a sample trace record from a SECTRACE:

SMFID= SYS1         TOD= 12:03:41.80    TRACEID= TEST       USERID= DUMPSRV
JOBNAME= DUMPSRV ASID= 0005 PGM= IEECB926 CURR RB= SVC099
SFR/RFR= 0/20:16 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= GENAUTH INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,CLASS='@MAJOPTS',RELEASE=1.9,STATUS=ACCESS,
ATTR=READ,DSTYPE=N,ENTITYX=('USER.SYS1.IGGPOST0.DEFAULTS'),
FILESEQ=0,GENERIC=ASIS,LOG=ASIS,MSGSP=0,MSGSUPP=YES,
TAPELBL=STD,WORKA=

The "SAFDEF= GENAUTH INTERNAL" identifies the SAFDEF record that CA ACF2 matched on. The "SAFDEF=" field displays the ID of the SAFDEF used, followed by either GSO or INTERNAL. "INTERNAL" indicates that the SAFDEF is defined internally by ACF2. "GSO" indicates that the SAFDEF is site-defined by a GSO SAFDEF record. In this example, GENAUTH is the ID of a SAFDEF that was defined internally by ACF2.

The "MODE=" field specifies the mode that CA ACF2 will use to process this RACROUTE request. The MODE will be one of the following:

MODE     Description
IGNORE   Bypass processing this SAF request.
GLOBAL   Process this SAF request with the mode specified in the GSO OPTS record. For generalized resource validations, use the CA ACF2 SVCA recommendation to allow or deny the SAF request.
LOG      Process this REQUEST=AUTH call in LOG mode. Upon return of the validation call, allow access even if access is denied. LOG does not force logging if a logonid is allowed access.
QUIET    Process this REQUEST=AUTH call in QUIET mode.
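
The following Python sketch is an added example, not part of the original article or of CA ACF2. It parses SECTRACE records in the layout shown above, takes the mode only from the SAFDEF= line (the SFR/RFR line carries a separate MODE= field), and flags requests processed in IGNORE or LOG mode. The second sample record, the function names, and the choice of which modes to flag are assumptions made for illustration.

```python
import re

# Constructed sample: record 1 is the trace record shown above (truncated);
# record 2 is a made-up record that exercises the GSO / LOG case.
SAMPLE = """\
SMFID= SYS1         TOD= 12:03:41.80    TRACEID= TEST       USERID= DUMPSRV
JOBNAME= DUMPSRV ASID= 0005 PGM= IEECB926 CURR RB= SVC099
SFR/RFR= 0/20:16 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= GENAUTH INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,CLASS='@MAJOPTS',RELEASE=1.9,STATUS=ACCESS,
ATTR=READ,DSTYPE=N,ENTITYX=('USER.SYS1.IGGPOST0.DEFAULTS'),
SMFID= SYS1         TOD= 12:03:42.10    TRACEID= TEST       USERID= USER002
JOBNAME= USER002 ASID= 0041 PGM= EXAMPLE1 CURR RB= SVC099
SFR/RFR= 0/20:16 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= TESTABC GSO MODE= LOG
RACROUTE REQUEST=AUTH,CLASS='FACILITY',STATUS=ACCESS,
"""

HEADER = re.compile(r"^SMFID=\s*(\S+)\s+TOD=\s*(\S+)\s+TRACEID=\s*(\S+)\s+USERID=\s*(\S+)")
# Anchored at line start so the "MODE= TASK" on the SFR/RFR line never matches.
SAFDEF = re.compile(r"^SAFDEF=\s*(\S+)\s+(GSO|INTERNAL)\s+MODE=\s*(IGNORE|GLOBAL|LOG|QUIET)\b")
REQUEST = re.compile(r"^RACROUTE\s+REQUEST=(\w+)(?:.*?CLASS='([^']*)')?")

def parse_sectrace(text):
    """Return one dict per trace record; a record starts at each SMFID= line."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"smfid": m.group(1), "tod": m.group(2), "userid": m.group(4)}
            records.append(cur)
        elif cur is None:
            continue  # skip anything before the first record header
        elif m := SAFDEF.match(line):
            cur.update(safdef=m.group(1), source=m.group(2), mode=m.group(3))
        elif m := REQUEST.match(line):
            cur.update(request=m.group(1), resclass=m.group(2))
    return records

def needs_review(rec):
    """IGNORE bypasses the request; LOG allows access even if denied."""
    return rec.get("mode") in ("IGNORE", "LOG")

if __name__ == "__main__":
    for r in parse_sectrace(SAMPLE):
        flag = "REVIEW" if needs_review(r) else "ok"
        print(r["tod"], r["userid"], r["safdef"], r["source"], r["mode"], flag)
```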

The SHOW SAFDEF and SHOW ALL subcommands will display all SAFDEFs that are actively being used by the system. For example:

ACF
SHOW SAFDEF 
 -- SYSTEM AUTHORIZATION FACILITY DEFINITIONS --                              
                                                                              
 IBMMFA   JOBNAME=********   USERID=********   PROGRAM=AZFISP64   RB=********
          RETCODE=4          SAFDEF=INTERNAL   MODE=GLOBAL        SUBSYS=-    
          FUNCRET=4          FUNCRSN=0         NOAPFCHK                       
                                                                              
          RACROUTE REQUEST=AUTH,CLASS='FACILITY',STATUS=ACCESS                
                                                                              
 HBRADMIN JOBNAME=DMC1MSTR   USERID=********   PROGRAM=HBRMAIN    RB=********
          RETCODE=4          SAFDEF=GSO        MODE=IGNORE        SUBSYS=****
          FUNCRET=4          FUNCRSN=0                                        
                                                                              
          RACROUTE REQUEST=EXTRACT,CLASS='HBRADMIN'                           

All of the GSO-defined SAFDEF records can be listed using the TSO ACF command processor. For example:

ACF
SET CONTROL(GSO)
LIST LIKE(SAFDEF-)
SYS1 / SAFDEF.ABC LAST CHANGED BY USER002 ON 24/11/08-11:28
FUNCRET(4) FUNCRSN(0) ID(TESTABC) MODE(GLOBAL)

RACROUTE(REQUEST=AUTH CLASS=FACILITY
ENTITYX=BPX.DAEMON,PRIVATE) RETCODE(4)

SYS1 / SAFDEF.ABCD LAST CHANGED BY USER001 ON 15/04/04-09:16
FUNCRET(4) FUNCRSN(0) ID(TESTABC) MODE(GLOBAL)
RACROUTE(REQUEST=AUTH CLASS=FACILITY
ENTITYX=(BPX.DAEMON,PRIVATE)) RETCODE(4) . . . . . .

Details on the SECTRACE command can be found in the CA-ACF2 Security for z/OS System Programmer Guide, in Chapter 6: Special Usage Consideration, section "Tracing SAF Requests".

Details on the GSO SAFDEF record can be found in the CA-ACF2 Security for z/OS Administrator Guide, Chapter 14: Maintaining Global System Options Records, section "Environments for SAF Calls (SAFDEF)".