AT-TLS PAGENT fails at startup with IEF453I and IGD04900I

Article ID: 268665

Products

ACF2 - z/OS

Issue/Introduction

PAGENT was installed according to "ACF2 equivalent to the RACF security setup for AT-TLS PAGENT", but the PAGENT job fails at startup with IEF453I PAGENT - JOB FAILED - JCL ERROR.

In the JOBLOG these messages are seen:

 IGD04900I ATTEMPT TO GET FILE STATUS FOR A HFS FILE FAILED
 RETURN CODE IS (0000006F) REASON CODE IS (EF076015)
 FILENAME IS (/aaa/pagent/pagent.xxx)

 IEF272I PAGENT PAGENT - STEP WAS NOT EXECUTED.

Environment

Release : 16.0

Cause

The ACFRPTRV report output shows this violation under type FSA at startup:

 RFSA-OMVS.ZOS.xxxx.xxx                          *VIO  RFSA-OMVS        
 uid       STCINRDR TEST ACF9CFAT NO-REC      -        -         UPDT   
   
 23.031 20/01 08.31    PAGENT   PAGENT   TCP/IP POLICY AGENT    0   8   0   0  16  
 SAF RESOURCE CLASS FSACCESS                                            
                                                                      
 RESOURCE NAME: OMVS.ZOS.xxxx.xxx

Resolution

The FSACCESS resource class check is an optional high-level check. It was made available back in z/OS 1.12 and 1.13 to reduce I/O in zFS implementations. If the user is not authorized to this resource, no further checking is performed and the user is not allowed access to the zFS, even if they are a superuser.

The output of SHOW UNIXOPTS (from the TSO ACF prompt) includes the text "HFS SECURITY ACTIVE: NO". zFS security is in effect and there are no ACF2 resource rules governing access to the file system, so when the FSACCESS resource validation fails, the job ends in error before zFS security validation occurs.

There are two choices here:

1) Add the appropriate resource rules to allow the FSACCESS validation to succeed (see KD 21731).

2) Turn off the FSACCESS checking with the following commands at the TSO ACF prompt:

SET CONTROL(GSO)

CHANGE UNIXOPTS BYP-FSA

F ACF2,REFRESH(UNIXOPTS)
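
To confirm that a startup failure matches the cause described above before choosing either option, the following added example (not part of the original article or of any Broadcom tooling) pairs a permission-denied IGD04900I in the job log with an FSACCESS violation for the same job in ACFRPTRV output. The function names are hypothetical, the sample text is constructed from the excerpts in this article, and the parser assumes the report layout shown there; return code 6F is the z/OS UNIX errno EACCES.

```python
import re

# Constructed samples mirroring the message layouts shown in this article.
JOBLOG = """\
 IGD04900I ATTEMPT TO GET FILE STATUS FOR A HFS FILE FAILED
 RETURN CODE IS (0000006F) REASON CODE IS (EF076015)
 FILENAME IS (/aaa/pagent/pagent.xxx)
 IEF272I PAGENT PAGENT - STEP WAS NOT EXECUTED.
"""
ACFRPTRV = """\
 RFSA-OMVS.ZOS.xxxx.xxx                          *VIO  RFSA-OMVS
 uid       STCINRDR TEST ACF9CFAT NO-REC      -        -         UPDT
 23.031 20/01 08.31    PAGENT   PAGENT   TCP/IP POLICY AGENT    0   8   0   0  16
 SAF RESOURCE CLASS FSACCESS
 RESOURCE NAME: OMVS.ZOS.xxxx.xxx
"""
EACCES = 0x6F  # z/OS UNIX errno 111 (permission denied)

def stat_failures(joblog):
    """Return one dict per IGD04900I message: return code, reason code, path."""
    pat = re.compile(
        r"IGD04900I.*?RETURN CODE IS \((\w+)\)\s+REASON CODE IS \((\w+)\)"
        r".*?FILENAME IS \(([^)]*)\)", re.S)
    return [{"rc": int(rc, 16), "reason": rsn, "path": path}
            for rc, rsn, path in pat.findall(joblog)]

def fsaccess_violations(report):
    """Return (resource name, record text) for each *VIO record in class FSACCESS."""
    found, record, cls = [], None, None
    for line in report.splitlines():
        if "*VIO" in line:                      # header line opens a violation record
            record, cls = [line], None
        elif record is not None:
            record.append(line)
            m = re.search(r"SAF RESOURCE CLASS (\S+)", line)
            cls = m.group(1) if m else cls
            m = re.search(r"RESOURCE NAME:\s*(\S+)", line)
            if m:                               # resource name line closes the record
                if cls == "FSACCESS":
                    found.append((m.group(1), "\n".join(record)))
                record = None
    return found

def triage(joblog, report, job):
    """Pair permission-denied stat failures with FSACCESS violations for the job."""
    denied = [f for f in stat_failures(joblog) if f["rc"] == EACCES]
    hits = [res for res, text in fsaccess_violations(report)
            if re.search(rf"\b{re.escape(job)}\b", text)]
    return [dict(f, fsaccess=hits) for f in denied] if hits else []
```

A non-empty result from `triage(JOBLOG, ACFRPTRV, "PAGENT")` names the file that could not be accessed and the FSACCESS resource that a rule would need to cover.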


Additional Information

ZFS file system setup / considerations for z/OS and ACF2 - New resource class FSACCESS per IBM apar OA35970 / OA35974