The CA Spool SFTP driver requires some special authorizations for the CA Spool started task userid and creators of files to be transferred using this protocol.
Release : 14.0
Component : CA Spool
Besides the requirements from the link below when RACF is used as the external security package:
The following requirements apply only when RACF is used as the external security package.
Program Control is required by RACF when using the SFTP print driver. All members of any loadlib in STEPLIB or LNKLIST that may be used by CA Spool must be program controlled, including the IBM C runtime loadlib and the CA Spool loadlib. This may also include loadlibs required by the Connect:Direct, SAR, XCOM and MQM print drivers if those print drivers are in use. This also includes any PDS allocated by the IMAGELIB DD statement, because CA Spool uses the load svc on any FCB used during output processing. If no IMAGELIB DD statement exists in the CA Spool proc, SYS1.IMAGELIB is used by default.
The CA Spool task userid and any user who will send files to CA Spool must have access to the programs under RACF Program Control.
SFTPSEC=RACF must be added to the DRIVPRMn parameters for any NODE using the SFTP print driver."
Also, for RACF the userid of the CA Spool started task must have UID=0.
There are also these requirements that apply to any external security package:
"For the SFTP driver to work properly, the CA Spool started task userid and the file owner's userid using the SFTP driver require read access to the BPX.SERVER and BPX.DAEMON resource profiles in the FACILITY class."