PERMIT the ALL record the following:
TSS PER(ALL) IBMFAC(HWI.TARGET.IBM390PS.) APPLDATA(BCPII) ACC(READ)
The PERMIT must be on the ALL record because BCPII issues the FASTAUTH call in 'Cross Memory' Mode.
Because its in cross memory mode, TSS doesn't build an ACEE, so there is no acid associate for the call and failing it causing BCPII not to initialize.
Permitting it to the ALL record allows the security check to pass and BPCII to successfully initialize. We see no security risk Permitting this resource to the ALL record because of hierarchical security checking in BCPII.