Command Verifier decides on validity of RACF commands by checking C4R profiles. If access to specific C4R profiles fails, the RACF command will be rejected. Command Verifier never fires up the actual RACF command for rejected commands, so you will not get an ALLCMDS event in SMF.
To see the rejected RACF commands, list resource access violations on XFACILIT C4R profiles. This flags the keyword that failed the command. The command may be found in the LOGSTR field. This analysis is illustrated in Chapter 4, section "Regular access recording through SMF" of the manual.
I understand you would have expected a normal command event record in SMF, indicating a "failed by envelope exit" status, but that is not within scope of command envelope processing. You would have to file an enhancement request.
------------------------------
Rob van Hoboken
------------------------------