Currently one dataset as example,  SYSTEST.-,  There are so many acf2 dataset access rules (various second, third level qualifier etc) defined under the SYSTEST,  it go up to 4 to 5 nextkeys.  If a site has 400 rules defined under SYSTEST,  and a site does not want to repeat those 395 rules in DFP segment and assign the  same "DFP(TEST)" to each one, how can a site just exclude  5 datasets from encryption.

Out of 400, if i need to exclude only 5 rules from the encryption,

SET PROFILE(DATASET) DIVISION(PROFILE)                                       
 PROFILE                                                                    
compile                                                                     
 ACFAB010 ACF PROFILE COMPILER ENTERED
. $KEY(SYSTEST)
. - DFP(TEST)     -> it allow all the datasets (400 rules) to encryption under the highlevel SYSMAINT               
. ACF2.CAI.BKUP  -> if i code without dfp(test), is it mean this particular dataset excluded from the encryption?       
. ACF2.CIA.JCL    
. ACF2.CICS.JCL 
. ACF2.CICS.SYSOUT 
. ACF2.CICSQA.ACFW22

Please advise whether the above rule will work or if there are any other methods to exclude the minimum datasets?

Release : 16.0

Component : CA ACF2 for z/OS

The way to exclude datasets in the compiled PROFILE(DATASET) DIVISION(PROFILE) records is by specifying DFP(XXXXXXX) where there is no DFP Profile record and the dataset will be excluded. If a DFP record does not exist dataset encryption will not be done. For example:

$KEY(SYSTEST)
 - DFP(TEST)     -> it allow all the datasets (400 rules) to encryption under the highlevel SYSTEST               
 ACF2.CAI.BKUP  DFP(XXXXXXX)   
 ACF2.CIA.JCL  DFP(XXXXXXX)    
 ACF2.CICS.JCL  DFP(XXXXXXX) 
 ACF2.CICS.SYSOUTX  DFP(XXXXXXX) 
 ACF2.CICSQA.ACFW22 DFP(XXXXXXX) 

Where XXXXXXX there are no DFP Profile record.