The ACF2 setup for OpenSSH requires an ACF2 USER Profile record for the sshd privilege separation user and an ACF2 GSO STC record for the user ID for the SSHD daemon.
The daemon needs to run under a UID(0) userid and have access to BPX.DAEMON but the spawned tasks need to run under a NON-UID(0) userid and have NO access to BPX.DAEMON.
SET PROFILE(USER) DIV(OMVS)
INSERT SSHD HOME(/var/empty) OMVSPGM(/bin/false) UID(nnn)
where nnn is non-zero
INSERT STC.SSHD GROUP(OMVSGRP) LOGONID(OMVSKERN) STC(SSHD)
Details on the ACF2 OMVS USER Profile record can be found in the ACF2 Administrator Guide, in Chapter 3: Maintaining Logonid Records section "USER Profile Records".
Details on the ACF2 GSO STC record can be found in the ACF2 Administrator Guide, in Chapter 14: Maintaining Global System Options Records section "Started Task (STC)".
Details on the BPX.DAEMON FACILITY resource can be found in the ACF2 Administrator Guide, in Chapter 21: z/OS UNIX System Services Support section "Defining Additional Started Task Logonids".