The JES2 Privilege Support documentation describes the RACF requirement for allowing a user to log on as a privileged user as follows:
After enabling privilege support, the next step (optional, but recommended) is to define a RACF FACILITY profile for the JES2 emergency subsystem. This profile controls which users can logon and submit batch jobs to the JES2 emergency subsystem. The FACILITY class profile is called JES.EMERGNCY.<subsys> where subsys is the subsystem name defined by the ESUBSYS parameter in the MASDEF statement (the default is HASP). After defining the profile, permit the appropriate user IDs (typically support or operations user IDs) to that profile with READ access.
RDEF FACILITY JES.EMERGNCY.* UACC(NONE) OWNER(MVSSPT) AUDIT(ALL(READ)) NOTIFY(xxxxx)
PE JES.EMERGNCY.* CLASS(FACILITY) ID(MVSSPT) ACC(READ)
SETR REFRESH RACLIST(FACILITY)
What is needed with ACF2?
Release : 16.0
Component : CA ACF2 for z/OS
In ACF2, the equivalent is a resource rule under the FACILITY class:
EMERGNCY.- UID(uid string of the users) SERVICE(READ) ALLOW
For more information on JES2 Privilege Support, see the IBM documentation.
If you also intend to use the SUBSYS parameter on the LOGON command, you need to apply enhancement PTF SO04448.
Allow the TSO LOGON command SUBSYS parameter to be
specified on z/OS 2.3 systems. Note that the SUBSYS
parameter can be specified on the LOGON command but
is not displayed on the TSO fullscreen LOGON panel.
Sites that intend to exploit the SUBSYS LOGON parameter
must follow the instructions in the "Secondary JES2
Subsystems" section of the ACF2 documentation to set up
ACFRJES2 and ACFUJES2 for the emergency JES2 subsystem.