IBM has documented the setup required to address an IZUG846W message in z/OSMF in Allowing cross-site access to REST services. Note that there are additional configuration steps beyond the security manager that need to be completed.

This documentation then points to Enabling cross-origin resource sharing (CORS) for REST services where additional RACF setup may be required depending on the CSRF_SWITCH setting in IZUPRMxx.

This documentation translates the RACF profile into an ACF2 resource rule to allow the request.

A sample ACF2 translation would be:

SET R(ZMF)
RECKEY IZUDFLT ADD(REST.- UID(uid for IZUSVR) SERVICE(READ) LOG)
F ACF2,REBUILD(ZMF)

This would allow any REST interface that is to be allowed for use by any remote site. LOG makes it so access is allowed and an SMF record is cut. An RV report can be run in order to see the exact resource names that are being requested so that more granular rules can be written.