When setting up security for IBM Z System Automation 4.3, the appropriate ACF2 commands (converted from RACF) are required.
Component: ACF2 for z/OS
The IBM RACF details are found at:
https://www.ibm.com/docs/en/z-system-automation/4.3.0?topic=configuring-security-authorization
NOTE that the default access is always NO ACCESS in these examples:
/*-------------------------------------------------------------------/
/* Define resource profiles in class SYSAUTO to control access to
/* automation resources.
/* -------------------------------------------------------------------/
/*
RDEFINE SYSAUTO AGT.*.*.RES._CONFIG UACC(NONE) +
DATA('Protects the automation configuration data model')
RDEFINE SYSAUTO AGT.*.*.RES._MANAGER UACC(NONE)+
DATA('Protects control of the Automation Manager in general')
RDEFINE SYSAUTO AGT.*.*.RES._MANAGER.DIAG UACC(NONE) +
DATA('Protects control of the Automation Manager diagnostics')
RDEFINE SYSAUTO AGT.*.*.RES._MANAGER.PACING UACC(NONE) +
DATA('Controls the release function of the INGPAC command')
The default resource type for any resource class is the first three characters of the class name. SA z/OS uses the SYSAUTO general resource class, so SYSAUTO appears as $TYPE(SYA). The following sample rules allow users to access these resources under CA ACF2:
$KEY(AGT) TYPE(SYA)
-.RES._CONFIG UID(user allowed access) ALLOW
-.RES._MANAGER UID(user allowed access) ALLOW
-.RES._MANAGER.DIAG UID(user allowed access) ALLOW
-.RES._MANAGER.PACING UID(user allowed access) ALLOW
For complete security details see
https://www.ibm.com/docs/en/z-