As of z/OS 2.4, IBM will be removing the option of AllowUserKeyCSA(YES) in future, enforcing it to be NO.
A very small number of sites have custom code in an external address space (e.g. CICS) accessing EREs. Although this is most unusual, sites doing this will require the EREs to be in a non fetch-protected sub-pool.
IDMS r19.0 APAR SO07073 was created to implement new functionality so that EREs will be allocated in a non fetch-protected sub-pool.
This will allow sites accessing EREs from custom code running in a CICS address space to continue to function, even with AllowUserKeyCSA(NO).