The RACF user ID for DFSMShsm

DFSMShsm must be able to bypass RACF® during migration and backup of user data sets. You must, therefore, define DFSMShsm to RACF and give it the necessary level of authority. You do this by defining an entry in the RACF started-procedures module ICHRIN03, which contains the DFSMShsm startup procedure name and a user ID that you define to RACF by an ADDUSER command. Do not define this user ID with the automatic data set protection (ADSP) attribute.

The following is an example of the RACF command you can use to define DFSMShsm to RACF.
ADDUSER (hsmid) DFLTGRP(grpname)
In this example, hsmid is the user ID specified in the RACF started-procedure module ICHRIN03, or the RACF user ID associated with the DFSMShsm STARTED class profile. The default group name is not important, but if it is not specified, RACF sets it to the current connect group of the user issuing the command.
Notes:
  1. The user who issues the ADDUSER command must have the RACF SPECIAL attribute.
  2. The UID parameter in the DFSMShsm startup procedure is not related to the RACF user ID.
  3. If you are using remote sharing functions (RRSF) to propagate RACF commands to remote hosts, it is suggested that the RACF user ID for DFSMShsm be defined with the SPECIAL and OPERATIONS attributes on all recipient systems.
  4. It is recommended that you define the RACF user ID for DFSMShsm with the OPERATIONS and SPECIAL attributes to ensure that HSM has the proper settings and its functions do not modify the ACEE.
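
The following command sequence is an added example, not part of the original documentation. It shows the STARTED class alternative to ICHRIN03 with the attributes from the notes above. hsmid and grpname are the placeholders used above; hsmproc is a hypothetical placeholder for the DFSMShsm startup procedure name, and the sequence assumes the STARTED class is already active and RACLISTed.

```tso
 /* Added example. hsmid, grpname and hsmproc are placeholders.      */
 /* Issue from a user ID that has the RACF SPECIAL attribute.        */

 /* Define the DFSMShsm user ID. NOADSP keeps automatic data set     */
 /* protection off; SPECIAL and OPERATIONS follow note 4.            */
 ADDUSER hsmid DFLTGRP(grpname) NOADSP SPECIAL OPERATIONS

 /* Allow generic profiles in the STARTED class, then associate      */
 /* the startup procedure with the user ID and group.                */
 SETROPTS GENERIC(STARTED)
 RDEFINE STARTED hsmproc.* STDATA(USER(hsmid) GROUP(grpname))

 /* Refresh the in-storage STARTED profiles so the new profile is    */
 /* used the next time the procedure is started.                     */
 SETROPTS RACLIST(STARTED) REFRESH

 /* Verify: the ATTRIBUTES lines should show SPECIAL and OPERATIONS  */
 /* and should not show ADSP; STDATA should name hsmid.              */
 LISTUSER hsmid
 RLIST STARTED hsmproc.* STDATA
```

Because SPECIAL and OPERATIONS are system-wide authorities, the LISTUSER and RLIST output is worth keeping with the change record so later audits can confirm the ID is used only by the started procedure.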