We set up a RACF resource rule to control access to the PACKAGE UTILITY functions. We have discovered that some TSO IDs can still do the package utility RESET command even though the ESITRACE shows the RACF resource rule is called and ‘access is denied’.
Have tested 2 TSO IDs – id USER221 can do the RESET command while USERMIS gets a “PKEX500E PACKAGE PROCESSING DENIED BY SECURITY EXIT RC(000C) RSN(0000)”.
The only difference between the two ids is that USER221 is also in the RACF group ENDVRAPP which is the external approval group for the package element.
Does that negate the SAF call’s RC=0008?