Description:

The Xpediter/TSO module issues a RACROUTE AUTH call with STATUS=ACCESS. CA ACF2 considers such a call requesting security definitions to require proper program authorization. IBM does not, allowing this call (with STATUS=ACCESS) to be issued from an unauthorized program.

ACF2 checks for this additional authorization and fails this call because TSO sessions do not run as being APF authorized.

To get around this issue, a SAFDEF needs to be defined to allow this program to issue this RACROUTE call with STATUS ACCESS and to remove the check for proper program authorization (APF requirement).

Solution:

Define a SAFDEF for this RACROUTE AUTH call including the program name and NOAPFCHK as follows:

INSERT SAFDEF.apf PROGRAM(pgmname) RB(pgmname) NOAPFCHK
RACROUTE(REQUEST=AUTH,CLASS=DATASET,STATUS=ACCESS)

where "pgmname" is the Xpeditor program name.

To implement this SAFDEF record, issue:

F ACF2,REFRESH(SAFDEF)