Observed a violation and the following in ACFRPTOM after we upgraded to z/OS 2.3:
CA Mainframe Security - z/OS USS Event Log - PAGE 1 DATE xx/xx/xx (1x.1x4) TIME 16.52
SERVICE USERID GROUP UID GID SAF RC RSN
DATE TIME JOBNAME SOURCE SYSID CPU SECLABEL
ck_priv TSSPLDV TSSPMVS 164671 1010 8 8 4
xx/xx/xx 1x.1x4 xx.51.41 TSSPLDV H120 H120
Failed - User not privileged
The userid in question has access to R(UNI) $KEY(SUPERUSER) "FILESYS.-" with SERVICE(READ) ALLOW
As per IBM documentation this is what should be required (as it was working fine with z/OS 2.2):
SUPERUSER.FILESYS.MOUNT on the UNIXPRIV class.
In z/OS 2.3, the mount is done with SETUID and requires UPDATE authority instead of READ.