Currently one dataset as example,  data1.-,  There are so many ACF2 dataset access rules (various second, third level qualifier etc) defined under the DATA1,
 it go up to 4 to 5 nextkeys.  If a site has 400 rules defined under DATA1,  and a site does not want to repeat those 395 rules in DFP segment and assign the  
|same "DFP(TEST)" to each one, how can a site just exclude  5 datasets from encryption.

Out of 400, if i need to exclude only 5 rules from the encryption,

SET PROFILE(DATASET) DIVISION(PROFILE)                                       
 PROFILE                                                                    
compile                                                                     
 ACFAB010 ACF PROFILE COMPILER ENTERED
. $KEY(DATA1)
. - DFP(TEST)     -> it allow all the datasets (400 rules) to encryption under the highlevel DATA1               
. lvl1.lvl2.DSN1 -> if i code without dfp(test), is it mean this particular dataset excluded from the encryption?       
. lvl1.lvl2.DSN2  
. lvl1.lvl2.DSN3 
. lvl1.lvl2.DSN4
. lvl1.lvl2.DSN5

Please advise whether the above rule will work or if there are any other methods to exclude the minimum datasets?

Release : 16.0

Component : CA ACF2 for z/OS

The way to exclude datasets in the compiled PROFILE(DATASET) DIVISION(PROFILE) records is by
specifying DFP(XXXXXXX) where there is no DFP Profile record and the dataset will be excluded.
If a DFP record does not exist dataset encryption will not be done. For example:

$KEY(data1)
lvl1.  DFP(XXXXXXX)   
 lcl1.lvl2. - DFP(TEST)     -> it allow all the datasets (400 rules) to encryption under the high level data1               

. lvl1.lvl2.DSN1  DFP(XXXXXXX)
. lvl1.lvl2.DSN2  DFP(XXXXXXX)
. lvl1.lvl2.DSN3  DFP(XXXXXXX)
. lvl1.lvl2.DSN4  DFP(XXXXXXX)
. lvl1.lvl2.DSN5  DFP(XXXXXXX)
 

Where XXXXXXX there are no DFP Profile record.