Upgrade from z/OS 2.1 to z/OS.23 of 2 LPARs. Encountering a not authorized issue on one LOGON ID after upgrading z/OS and ACF2:

DFHMQ0758 E 04/16/2022 05:30:07 CICSTASK CKBR 00231 Unable to START bridge task. EIBRESP=69 EIBRESP2=8. Userid CICSUSR is not authorized.

DFHMQ0758 Explanation
The CICS-MQ bridge monitor is being run with the IDENTIFY or VERIFY authorization option. An EXEC CICS START command for the CICS-MQ bridge task failed with NOTAUTH or USERIDERR because the user ID is not authorized to start CICS-MQ bridge transactions or has been revoked.

SECTRACE shows EXTRACT with SFR/RFR= 4/8:8:

  SMFID= ADCG         TOD= 20:30:07.56    TRACEID= P3         USERID= CICSTASK
  JOBNAME= CICSTASK   ASID= 00EE          PGM= DFHKETCB       CURR RB= SVC217
  SFR/RFR= 4/8:8      MODE= TASK          APF= AUTHORIZED     LOCKS= NONE
  SAFDEF= GENXTRCT INTERNAL MODE= GLOBAL
   
  RACROUTE REQUEST=EXTRACT,SUBSYS='CICS0690',CLASS='USER',RELEASE=7740,
           SUBPOOL=229,BRANCH=NO,DECOUPL=YES,DERIVE=NO,DATEFMT=YYDDDF,
           ENTITYX=('CICSUSR'),FIELDS=,FLDACC=NO,GENERIC=ASIS,MSGSP=0,
           MATCHGN=NO,TYPE=EXTRACT,WORKA=

Release : 16.0

Component : ACF2 for z/OS

The errors can occur because ACF2 APAR SO05647 was included with the upgrade to z/OS 2.3, and the apar corrects a problem the default OMVS group was being returned with 0/0:0 when no group should be returned with z/OS 2.1 and above. Once SO05647 is applied RACROUTE EXTRACT calls for the default group will fail(as it should) so logonids must have a GROUP defined .

After adding GROUP(OMVSDGRP) to the CICSUSR logonid, recycling the CICS region and running the MQ related transaction the errors(DFHMQ0758 and EXTRACT CLASS=USER SFR/RFR= 4/8:8) no longer occurred.