When setting up security for IBM Z System Automation 4.3, the appropriate ACF2 commands (converted from RACF) are required.

The IBM RACF details are found at:

https://www.ibm.com/docs/en/z-system-automation/4.3.0?topic=configuring-security-authorization

NOTE that the default access is always NO ACCESS in these examples: 

/*-------------------------------------------------------------------/

/* Define resource profiles in class SYSAUTO to control access to 

/* automation resources. 

/* -------------------------------------------------------------------/

/*

RDEFINE SYSAUTO AGT.*.*.RES._CONFIG UACC(NONE) +

DATA('Protects the automation configuration data model')

RDEFINE SYSAUTO AGT.*.*.RES._MANAGER UACC(NONE)+

DATA('Protects control of the Automation Manager in general')

RDEFINE SYSAUTO AGT.*.*.RES._MANAGER.DIAG UACC(NONE) +

DATA('Protects control of the Automation Manager diagnostics')

RDEFINE SYSAUTO AGT.*.*.RES._MANAGER.PACING UACC(NONE) +

DATA('Controls the release function of the INGPAC command')

Component : ACF2 for z/OS

The default resource type for any resource class is the first three characters of the class.  Here the SYSAUTO general resource class is used by SA z/OS.  SYSauto would appear as $TYPE(SYA). The following are sample rules to allow users to access these resources under CA ACF2

$KEY(AGT) TYPE(SYA)

-.RES._CONFIG UID(user allowed access) ALLOW

-.RES._MANAGER UID(user allowed access) ALLOW

-.RES._MANAGER.DIAG UID(user allowed access) ALLOW

-.RES._MANAGER.PACING UID(user allowed access) ALLOW

For complete security details see 

https://www.ibm.com/docs/en/z-system-automation/4.3.0?topic=configuring-security-authorization