SAFDEF limitations for RACROUTE=FASTAUTH calls

Article ID: 278114

Products

ACF2 - z/OS, ACF2, ACF2 - MISC

Issue/Introduction

A customized internal SAFDEF was requested to eliminate the overhead of the CRYPTOZ resource class CLEARKEY validation. The resource validation is driven by the following RACROUTE call:

RACROUTE REQUEST=FASTAUTH,REQSTOR='CRYPTO',SUBSYS='CRYPTO',                      
         CLASS='CRYPTOZ',RELEASE=7770,ATTR=READ,DECOUPL=YES,                     
         ENTITYX=('CLEARKEY.SYSTOK-SESSION-ONLY'),LOG=ASIS,MSGSP=0,              
         WORKA=,WKAREA=   

Resolution

The TechDocs page "Environments for SAF Calls (SAFDEF)" includes the following:

There are SAFDEF restrictions with FASTAUTH processing. When processing a SAF RACROUTE REQUEST=FASTAUTH request, ACF2 recognizes only the following fields of SAFDEF records in determining whether to process or ignore the request:

MODE() SUBSYS=,REQSTOR=,CLASS=

Other fields such as JOBNAME, PROGRAM, RB and RACROUTE(ENTITY=) are ignored.

In effect, FASTAUTH resource validation can be globally enabled or disabled, but cannot be enabled for one set of users or entities and disabled for others.

Due to the above restrictions, a GSO SAFDEF cannot address validations for a specific entity such as $KEY(CLEARKEY). All "CRYPTOZ" -> R-Type CRY resource validations would be disabled.
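
When reviewing SAFDEF records, the restriction above can be checked mechanically: any record that relies on an ignored field to narrow a FASTAUTH bypass is broader than it reads. The following Python model is an added example, not Broadcom or ACF2 code. Assumptions: the dict layout, the record ID, the job names and the second entity name are constructed; an omitted selector matches any value; ACF2 masking is not modelled.

```python
# Model of the FASTAUTH restriction described above. The dict layout is a
# constructed stand-in for SAFDEF records, not ACF2's own record format.
HONOURED = ("SUBSYS", "REQSTOR", "CLASS")         # selectors FASTAUTH recognizes
IGNORED = ("JOBNAME", "PROGRAM", "RB", "ENTITY")  # selectors the page says are ignored


def fastauth_match(record, request):
    """True if the record applies to a FASTAUTH request.

    Assumption: a selector omitted from the record matches any value.
    """
    return all(record.get(f) in (None, request.get(f)) for f in HONOURED)


def effective_mode(records, request):
    """MODE of the first record that applies, or None when none applies."""
    for rec in records:
        if fastauth_match(rec, request):
            return rec["MODE"]
    return None


def over_broad(records):
    """Map record ID -> selectors it carries that FASTAUTH will not honour."""
    findings = {}
    for rec in records:
        unused = [f for f in IGNORED if f in rec]
        if unused:
            findings[rec["ID"]] = unused
    return findings


# Constructed record: written as if it bypassed only the CLEARKEY entity
# for one batch job.
SAFDEFS = [{
    "ID": "CLRKEY", "MODE": "IGNORE",
    "SUBSYS": "CRYPTO", "REQSTOR": "CRYPTO", "CLASS": "CRYPTOZ",
    "ENTITY": "CLEARKEY.SYSTOK-SESSION-ONLY", "JOBNAME": "BATCH01",
}]

# The request shown on this page, and a constructed one for another entity and job.
CLEARKEY_REQ = {"SUBSYS": "CRYPTO", "REQSTOR": "CRYPTO", "CLASS": "CRYPTOZ",
                "ENTITY": "CLEARKEY.SYSTOK-SESSION-ONLY", "JOBNAME": "BATCH01"}
OTHER_REQ = dict(CLEARKEY_REQ, ENTITY="CONSTRUCTED.OTHER.RESOURCE", JOBNAME="OTHERJOB")

if __name__ == "__main__":
    for name, req in (("CLEARKEY", CLEARKEY_REQ), ("other entity", OTHER_REQ)):
        print(name, "->", effective_mode(SAFDEFS, req))
    print("selectors with no effect on FASTAUTH:", over_broad(SAFDEFS))
```

Both requests resolve to the same MODE, which is the page's point: the ENTITY and JOBNAME selectors on the record do not limit which FASTAUTH validations are bypassed.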