Define at least four RACF user IDs for API consumer roles - For each: CICS transaction authority, VSAM file access, DB2 privileges - Document the SAFCredentialMapper configuration (OAuth scope to RACF user ID) - Explain least-privilege rationale for each role