The IBM ICSF documentation section "Configuring CSFSERV Resource Profiles" has the following note:
"If you create CSF.CSFSERV.AUTH.CSFOWH.DISABLE or CSF.CSFSERV.AUTH.CSFRNG.DISABLE profiles in the XFACILIT class, the respective SAF checks are disabled, even if the CSFSERV class profiles exist."
What are the commands in ACF2 to achieve this?
Commands:
SET R(XFC)
RECKEY CSF.CSFSERV.AUTH.CSFOWH.DISABLE ADD( )
RECKEY CSF.CSFSERV.AUTH.CSFRNG.DISABLE ADD( )
F ACF2,REBUILD(XFC)
The rules should be empty and look like this:
$KEY(CSF.CSFSERV.AUTH.CSFOWH.DISABLE) TYPE(XFC)
$KEY(CSF.CSFSERV.AUTH.CSFRNG.DISABLE) TYPE(XFC)
Note: The $KEY must be fully qualified because MATCHGN=NO is specified on the EXTRACT request. The presence of the rule acts as a global setting for all users, so no rule entries need to be specified in the rule.
These rules can be used to prevent a SAF security call for some ICSF resources when ICSF specifies CHECKAUTH(YES). Turning off specific security calls by the presence of these rules is usually done for performance reasons. This is a more granular alternative to specifying CHECKAUTH(NO) in ICSF.