I am trying to work out how security for the automount of zFS file systems works.  I wrote some rules but still get violations.

*ACF99913 ACF2 VIOLATION-08,05,ZFS,dataset.name.ZFS,N/A 
 IEF196I ACF99913 ACF2 VIOLATION-08,05,ZFS,volser, 
 IEF196I dataset.name.ZFS,N/A 
 ACF95913 -AMS/CATALOG FUNCTION SUPPRESSED; AUTHORIZATION IS REQUIRED. 
 IEF196I ACF95913 -AMS/CATALOG FUNCTION SUPPRESSED; AUTHORIZATION IS 
 IEF196I REQUIRED. 
 IOEZ00336I dataset.name.ZFS could not be marked as a zFS 
 aggregate in the catalog, rc=56 rsn=36 
 BPXF013I FILE SYSTEM dataset.name.ZFS 826  WAS SUCCESSFULLY MOUNTED. 

When a zfs is allocated and mounted, the only validation that occurs, for the zfs server, is during the IOEAGFMT format and registration step. Initially you may think that this is an exposure in security, but in fact it is not.  The validation of a user takes place when the user accesses the zFS.  This causes a validation against resource class FSACCESS. If the user does not have access to the FSACCESS resource  ( via $TYPE(FSA) resource rules), the ck_access callable service that checks a user's access to an OMVS files system will prevent access.  The IBM IOEZ00048I error indicates : "After successfully attaching, or formatting a zFS aggregate, a call to the MVS™ catalog service marks AggrName as a zFS aggregate. This operation failed. The return and reason codes are from the MVS catalog service. This failure itself does not prevent the aggregate from being attached or formatted correctly." 

This call will not take place for an HFS.  Normal dataset access validation controls HFS.