When running PGM=CAESDR:
...
ACF99913 ACF2 VIOLATION-00,03,xxxxxxx,xxxxx,CAI.SAMPJCL,N/A
ACF93913 - TAPE CANNOT BE ACCESSED, AUTHORIZATION IS REQUIRED.
...
IEF472I xxxxxxx LOAD - COMPLETION CODE - SYSTEM=913 USER=0000 REASON=00000000
...
IEB1163E SYSTEM ABEND X'91300000' OCCURRED, TERMINATING IEBCOPY
 

Release:
Component: PANSQL

This happens because data set name security is turned on for tape processing at your site. 
For this reason, the data set name of file 1, which will be the one used at OPEN, may be write protected.
The FILE1DSN option of the CAESDR utility can be used to resolve the problem. 
FILE1DSN can be coded in conjunction with NOVOL to force the file1 data set name to a particular 17 character or less value. 
The file1 data set name will be altered to this value, so any product delivered install sample JCL would need to be updated to reflect the change. 
Example PARM: 
//CRETAPE EXEC PGM=CAESDR,PARM='NOVOL,FILE1DSN=myUserID.INSTALL' 
... 
LABEL should be 1. 

Some more information about ACF2: 
Normally, the CA ACF2 tape data name validation process would not cause a problem - except when tape data set names are longer than 17 characters. 
When tape data set names are longer than 17 characters you run the risk of a validation failure. This can occur because CA ACF2 is passed the last 17 characters from OPEN processing and these last 17 characters is what CA ACF2 uses to validate the data set name. 
There are several solutions to this problem. 
When running with "TAPEDSN" validation processing enabled, you should have CA-1 or TLMS running as well, and you should also have the CA ACF2 "DSNGEN" exit enabled. Tape management products like CA-1 and TLMS keep track of the full 44 character tape data set name and that full data set name is passed by CA-1 or TLMS to CA ACF2 via the DSNGEN exit. This allows CA ACF2 to validate the full 44 character data set name from CA-1 or TLMS rather than the last 17 character data set name it receives from OPEN.