Per IBM documentation, CICS makes a RACROUTE call under the APPL class. ACF2 ignores APPL class calls by default, so a SAFDEF override is needed. The default CLASMAP for the APPL class points to SAF, so changing that is also recommended. Because other components of z/OS also make APPL calls, a generic rule that allows or logs the access should be created. Here are some examples of these changes.
Create a generic rule to allow all access:
$KEY(********) TYPE(APL)
UID(*) ALLOW
Insert the CLASMAP record and add type APL to the INFODIR:
SET CONTROL(GSO)
INSERT CLASMAP.APPL ENTITYLN(8) RESOURCE(APPL) RSRCTYPE(APL) LOG
CHANGE INFODIR TYPE(R-RAPL) ADD
F ACF2,REFRESH(CLASMAP)
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(APL)
Next, insert a SAFDEF record to override the internal IGNORE SAFDEF:
SET CONTROL(GSO)
INSERT SAFDEF.APPL ID(APPL) MODE(GLOBAL) RACROUTE(REQUEST=AUTH,CLASS=APPL,REQSTOR=ACF9CSFV)
F ACF2,REFRESH(SAFDEF)
At this point the system still works as before, but APPL validations are now being made and all of them are allowed.
Now APPL rules for CICS regions can be added:
$KEY(eight char CICS region applid) TYPE(APL)
UID(uid string of user allowed to region) ALLOW
UID(*) PREVENT <=== to prevent all other users