And it's not just getting the authorization lists right.
I had to rerun this:
GRTOBJAUT OBJ(RSTOBJ) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)
To me this sounds like IBM has had to make a deliberate attempt to change
the authority of that command to some IBM suggested default. It wasn't
like the other stuff where there was some sync issue between authorization
lists not being there or some such thing.
And it's also not like all commands got changed to *PUBLIC *EXCLUDE.
I think I'll open this one as a separate ticket.