Upgrade from z/OS 2.1 to z/OS.23 of 2 LPARs. Encountering a not authorized issue on one LOGON ID after upgrading z/OS and ACF2:
DFHMQ0758 E 04/16/2022 05:30:07 CICSTASK CKBR 00231 Unable to START bridge task. EIBRESP=69 EIBRESP2=8. Userid CICSUSR is not authorized.
DFHMQ0758 Explanation
The CICS-MQ bridge monitor is being run with the IDENTIFY or VERIFY authorization option. An EXEC CICS START command for the CICS-MQ bridge task failed with NOTAUTH or USERIDERR because the user ID is not authorized to start CICS-MQ bridge transactions or has been revoked.
SECTRACE shows EXTRACT with SFR/RFR= 4/8:8:
SMFID= ADCG TOD= 20:30:07.56 TRACEID= P3 USERID= CICSTASK
JOBNAME= CICSTASK ASID= 00EE PGM= DFHKETCB CURR RB= SVC217
SFR/RFR= 4/8:8 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= GENXTRCT INTERNAL MODE= GLOBAL
RACROUTE REQUEST=EXTRACT,SUBSYS='CICS0690',CLASS='USER',RELEASE=7740,
SUBPOOL=229,BRANCH=NO,DECOUPL=YES,DERIVE=NO,DATEFMT=YYDDDF,
ENTITYX=('CICSUSR'),FIELDS=,FLDACC=NO,GENERIC=ASIS,MSGSP=0,
MATCHGN=NO,TYPE=EXTRACT,WORKA=
Release : 16.0
Component : ACF2 for z/OS
The errors can occur because ACF2 APAR SO05647 was included with the upgrade to z/OS 2.3, and the apar corrects a problem the default OMVS group was being returned with 0/0:0 when no group should be returned with z/OS 2.1 and above. Once SO05647 is applied RACROUTE EXTRACT calls for the default group will fail(as it should) so logonids must have a GROUP defined .
After adding GROUP(OMVSDGRP) to the CICSUSR logonid, recycling the CICS region and running the MQ related transaction the errors(DFHMQ0758 and EXTRACT CLASS=USER SFR/RFR= 4/8:8) no longer occurred.