z/OSMF Security Setup with ACF2

Article ID: 229652

Products

ACF2

Issue/Introduction

Is role based security required for setup of z/OSMF? 

Are cloud rules required for the setup? 

Resolution

The documentation topic "Configure z/OS Management Facility for ACF2" contains information related to setting up z/OSMF security with ACF2.

Although the documentation and the sample JCL all reference ROLE based security, it is not a requirement.

UID rulesets can be used instead of ROLESET rulesets.

Example:

SET RESOURCE(ZMC)                                                
RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_POOL.WLM.IYU0 ROLE(ROLEXXX) - 
SERVICE(READ) ALLOW)        

The TYPE(ZMC) rule can be created as a UID ruleset after ascertaining which users would be included in ROLE ROLEXXX.
If those users are user01, user02 and user03, the rule could be written as:

SET RESOURCE(ZMC)                                                
RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_POOL.WLM.IYU0 UID(<user01>) - 
SERVICE(READ) ALLOW)         

RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_POOL.WLM.IYU0 UID(<user02>) - 
SERVICE(READ) ALLOW)

RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_POOL.WLM.IYU0 UID(<user03>) - 
SERVICE(READ) ALLOW)
END
                             

All users would need to be associated with each group/role, and the rules would then need to be changed to specify UIDs instead of the role.
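
The ROLE-to-UID rewrite described above can be scripted when many sample rules have to be converted. The following is an added example, not part of the original article or of any Broadcom tooling: the function names and the MEMBERS mapping are hypothetical, the UID values are the same placeholders used above, and only the command syntax shown in this article is assumed.

```python
import re

# Matches a joined command of the form shown in this article:
#   RECKEY <key> ADD(<resource> ROLE(<role>) SERVICE(READ) ALLOW)
ROLE_RULE = re.compile(
    r"^(?P<head>RECKEY\s+\S+\s+ADD\(\S+)\s+ROLE\((?P<role>[^)]+)\)\s+(?P<tail>.*\))$"
)

def join_continuations(text):
    """Join lines ending in '-' (the continuation style used in the article)."""
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("-"):
            pending += line[:-1].rstrip() + " "
        else:
            commands.append(pending + line)
            pending = ""
    if pending:
        commands.append(pending.strip())
    return commands

def roles_to_uids(text, role_members):
    """Return (converted_commands, unresolved_roles)."""
    out, unresolved = [], []
    for cmd in join_continuations(text):
        m = ROLE_RULE.match(cmd)
        if not m:
            out.append(cmd)          # SET RESOURCE(...), END, UID rules: unchanged
            continue
        role = m.group("role")
        uids = role_members.get(role)
        if not uids:
            unresolved.append(role)  # never guess membership; keep line for review
            out.append(cmd)
            continue
        for uid in uids:             # one UID rule line per member of the role
            out.append(f"{m.group('head')} UID({uid}) -")
            out.append(m.group("tail"))
    return out, unresolved

# Constructed sample input; real membership comes from your own role records.
SAMPLE = """SET RESOURCE(ZMC)
RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_POOL.WLM.IYU0 ROLE(ROLEXXX) -
SERVICE(READ) ALLOW)
"""
MEMBERS = {"ROLEXXX": ["<user01>", "<user02>", "<user03>"]}
```

Calling roles_to_uids(SAMPLE, MEMBERS) returns the converted command lines plus a list of roles with no known membership; a rule whose role is unresolved is left unchanged so that no access is granted or dropped by guesswork.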

Cloud setup is required for v2r3 or above.

The recommended strategy is to start with the member ACFMFSEC in CAX1JCL0 and then add other components as required.