The JES2 Privilege Support documentation describes the RACF requirement for allowing a user to log on as a privileged user as follows:
After enabling privilege support, the next step (optional, but recommended) is to define a RACF FACILITY profile for the JES2 emergency subsystem. This profile controls which users can logon and submit batch jobs to the JES2 emergency subsystem. The FACILITY class profile is called JES.EMERGNCY.<subsys> where subsys is the subsystem name defined by the ESUBSYS parameter in the MASDEF statement (the default is HASP). After defining the profile, permit the appropriate user IDs (typically support or operations user IDs) to that profile with READ access.
RACF commands:
RDEF FACILITY JES.EMERGNCY.* UACC(NONE) OWNER(MVSSPT) AUDIT(ALL(READ)) NOTIFY(xxxxx)
PE JES.EMERGNCY.* CLASS(FACILITY) ID(MVSSPT) ACC(READ)
SETR REFRESH RACLIST(FACILITY)
What is needed with ACF2?
Release : 16.0
Component : CA ACF2 for z/OS
With ACF2, the equivalent is a resource rule under the FACILITY class:
$KEY(JES) TYPE(FAC)
EMERGNCY.- UID(uid string of the users) SERVICE(READ) ALLOW
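One way to put this rule into effect from a TSO ACF session, shown as an added example that is not part of the original article. `<uid-string>` is a placeholder for your site's UID string; the blank line ends the rule input for COMPILE.

```text
ACF
SET RESOURCE(FAC)
COMPILE
$KEY(JES) TYPE(FAC)
 EMERGNCY.- UID(<uid-string>) SERVICE(READ) ALLOW

STORE
DECOMP JES
END

F ACF2,REBUILD(FAC)
```

The final line is an operator console command and is needed only when FAC rules are kept resident (the type is listed in the GSO INFODIR record); it plays the role that SETR REFRESH RACLIST(FACILITY) plays on the RACF side.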
For more information on JES2 Privilege Support, see the IBM documentation.
If you also intend to use the SUBSYS parameter on the LOGON command, you need to apply enhancement PTF SO04448.
ENHANCEMENT DESCRIPTION:
Allow the TSO LOGON command SUBSYS parameter to be specified on z/OS 2.3 systems. Note that the SUBSYS parameter can be specified on the LOGON command but is not displayed on the TSO fullscreen LOGON panel.
Sites that intend to exploit the SUBSYS LOGON parameter must follow the instructions in the "Secondary JES2 Subsystems" section on the ACF2 JES2 Interface page to set up ACFRJES2 and ACFUJES2 for the emergency JES2 subsystem.