We are doing a review of our ACF2 security rules, and I wanted to check who needs READ/EXEC on the Datacom LOADLIBs and CUSLIBs (used with CA-11, CA-7, CAIENF, and CAIRIM). Do just the STCs need access? Or would users require access as well? If so, would users need READ or just EXEC?
If this exists in the manual, please direct me there. I was unable to find it.
Component: Datacom/AD
Because both of the Datacom/AD loadlibs contain executable code, access must be at the Execute level and not Read.
In terms of who needs that access, obviously the Datacom/AD STC/Job needs it, as do any STCs or Jobs that access Datacom. In your case, that would be CA 11, CA 7, and ENF. The CAS9 proc and CAIRIM program fetch and load modules for Datacom, so the user running CAIRIM would need access. In addition, if you have SYSVIEW installed for Datacom use, then issuing any of the SYSVIEW commands for Datacom means that all of those SYSVIEW users need access to the loadlibs.
At the application level, you would need to check with each product to determine which users will need access. Any job that runs Datacom utility or reporting programs would obviously need access, so this would include your production job userids, your systems programming team and database administrators, and anyone else who runs SQL and other reporting jobs against the Datacom databases. For more specific details on the application access, the support or administration team for each of the products would be the best ones to advise on this. Since the hierarchy of job duties and Datacom-related functions varies between products and the companies using those products, we are unable to identify these needs.
The essence of this answer, then, is that anyone who accesses the Datacom environment directly will need access to the loadlibs, and the minimum access needed will be Read/Execute.
As always, please contact Broadcom support for Datacom if you have further questions.