Auditors require WRITE and ALLOC access for IAM files are logged but looking at the ACFRPTDS only ALLOC is getting captured. WRITE access to IAM files are not getting captured in the report.
IAM fields are not normal z/OS datasets. ACF2 uses an intercept in SVC019 (OPEN SVC) and ignores SAF calls for SVC019 with normal datasets. A SAFDEF to validate IAM calls is needed.
A sample SAFDEF:
INSERT SAFDEF.FAIDIAM ID(FAIDIAM) MODE(GLOBAL) RB(SVC019) RACROUTE(REQUEST=AUTH CLASS=DATASET REQSTOR=IAMAVSOC)
Please verify from IAM documentation or from the vendor if that is still the correct SAFDEF.
Another option to check on what the SAF call used to code up the SAFDEF is to run a SECTRACE.