We set up a RACF resource rule to control access to the PACKAGE UTILITY functions. We have discovered that some TSO IDs can still do the package utility RESET command even though the ESITRACE shows the RACF resource rule is called and ‘access is denied’.

Have tested 2 TSO IDs – USERID1 can do the RESET command  while USERID2 gets a “PKEX500E PACKAGE PROCESSING DENIED BY SECURITY EXIT RC(000C) RSN(0000)”.
The only difference between the two IDs is that USERID1 is also in the RACF group ENDVRAPP which is the external approval group for the package element.

Does that negate the SAF call’s RC=0008?

All Supported Release

Depends on the PKGSEC parameter setting in the C1DEFLTS table. 

If PKGSEC is set to APPROVER or MIGRATE, then yes, the Approver Group security rules override the ESI Package Utility rules.

PKGSEC
Specifies whether users must be part of an approver group to case, or execute, a package.

• APPROVER
  Specifies that the site would like to restrict package actions to package approvers.
• ESI
  Specifies that the site would like to control package options through an external security package such as ACF2 for z/OS, Top Secret, and RACF via the ESI interface.
• MIGRATE
  Specifies that the site is in transition between Approver security and ESI security. Both will be checked.

Note: The approver security rules take precedence over ESI security rules. If the user is granted access to the package by the approver rules, ESI will not be invoked. ESI will be invoked only when the user does not belong to any approver groups associated with the package (If there are no approver groups associated with the package (this is true for ALL packages before they are CAST), no access restrictions apply.)