There are a number of Environment entries available in data set access rules that are not available in Resource Rules. While it is likely that not all of these are applicable to Resource Rules, and those that are may not be applicable to all resource rules, I think that there is a good reason why there should be some additional entries available.
We have a recently imposed audit requirement that we secure VTAM APPLIDs, which ACF2 does. In most cases, the APPLID is opened by the corresponding application, so the rules are relatively simple to write. The problematic ones belong to program products which have pools of APPLIDS which are actually used as virtual terminals. These are opened by the users of the application for which the pool has been assigned. Because the user is going to log on (or has logged on) to the application, we don't really need to validate his right be there. We do care that no rouge application is trying to open one of these APPLIDs. In this case it would be nice if we could write a rule that allowed access to anyone so long as they were opening the APPLID from the expected program.