ACF2 logonids with NON-CNCL and SECURITY are allowed access to all resources, so their access cannot be prevented by using ACF2 resource rules. This can cause validations for various resources to allow access that is not wanted. For example, if a user is allowed READ access to the FACILITY resource STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC, allocation of a data set that has an encryption key label but is not extended format fails.
A SAFDEF record can be INSERTed for the LID or LID mask of NON-CNCL users you wish to block for STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC. Here are the ACF2 commands for this:
ACF
SET CONTROL(GSO)
INSERT SAFDEF.suffix FUNCRET(8) FUNCRSN(0) ID(STGADMIN) MODE(IGNORE) -
NOAPFCHK RACROUTE(REQUEST=AUTH CLASS=FACILITY ENTITY=STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC) -
RETCODE(8) USERID(userid)
F ACF2,REFRESH(SAFDEF)
The fields in red can be changed as needed. The rest should remain the same. If multiple users need to be blocked and masking is not possible, then an individual SAFDEF record would need to be created for each user.
For more information regarding writing SAFDEF records, please see the ACF2 documentation section Environments for SAF Calls (SAFDEF).