Hi Bob,
SDSF requires that the return code for SDSF(ISFCMD.ODSP.PROCLIB.jesx) auth check to be RC=00. Which means, the resource must be owned/protected (or, that the RDT def for this class must have DEFPROT), and, you need a permission in place to provide the access if the user doesn't have NORESCHK.
You stated that TSSSIM reveals an RC=04, which either means that the resource is not owned, or, that the permission you have in place for it contains the ACTION(PASSWORD) keyword. In either of those 2 cases, you'll get an RC=04 ("not defined to security") on an auth check. To resolve this, you have several choices: 1) own the resource, and PERMIT the access. Or 2) remove the ACTION(PASSWORD) from any permission for this resource that contains that ACTION keyword. or 3) provide a masked permission (like, SDSF(*.ODSP.PROCLIB.jesx) ACC(READ) somewhere that's available to the user. NORESCHK will do it too.
I'm running with DEFPROT on on the SDSF class, so that there will never be an RC=04. (But, DEFPROT isn't something to just indiscriminately add without some planning and discretion to prevent an outage).
Also note that the DEFACC attribute in the RDT for the SDSF class does not in itself provide any access or imply any access available to users. Instead, DEFACC(READ) simply designates the default ACCESS level that will be applied to any TSS PERMIT command for the SDSF class where the ACCESS keyword is omitted.
I hope this info is helpful! Let us know if this resolves the issue!