The OMVS FASTPATH processing is determined when OMVS initializes. OMVS makes a FASTAUTH call with a resource name of BPX.SAFFASTPATH. If access to this resource is allowed, then OMVS will do permission bit checking internally, and CA ACF2 will not be involved, and there will not be any audit trail done for checking. If your site would prefer to have CA ACF2 do the permission bit checking, and have an audit trail kept in the SMF records and reported on with the ACFRPTOM report, then access should be denied for the BPX.SAFFASTPATH call.
The BPX.SAFFASTPATH call could be allowed because of an ACF2 rule, or because the OMVS address space has NON-CNCL. If OMVS has NON-CNCL, then as documented, the following SAFDEF needs to be added to the system:
INSERT SAFDEF.OEFSTART FUNCRET(4) ID(OEFSTAUT) JOBNAME(OMVS) MODE(IGNORE) RB(BPX-) RACROUTE
(REQUEST=AUTH CLASS=FACILITY ENTITY=BPX.SAFFASTPATH) REP
If OMVS is not running with NON-CNCL, then make sure that the BPX rule is set up to prevent access:
SAFFASTPATH UID(uid for OMVS stc) PREVENT
and this rule must be RESIDENT in ACF2 because the call is a FASTAUTH call.