Purpose of ACF2 GSO SAFDEF “NOAPFCHK” parameter

Article ID: 94249

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

What is the purpose of the ACF2 GSO SAFDEF “NOAPFCHK” parameter? Is it OK to set this parameter, and are there any security concerns in doing so?

Resolution

STATUS=ACCESS is a keyword used in the RACROUTE REQUEST=AUTH security macro. It permits a user to interrogate security definitions (access and resource rules) to determine the access level for a user. No auditing is performed. 

To maintain system integrity, ACF2 requires that a user be APF-authorized to access security definitions. However, some products that use STATUS=ACCESS are not APF-authorized when they issue the request. The result is that ACF2 abends the task with an S047 from ACF9C000.

To accommodate products that need to issue a RACROUTE STATUS=ACCESS call from a non-APF-authorized program or state, ACF2 lets the security administrator define the specific calls for which the authorization check for STATUS=ACCESS is bypassed. This is done with the NOAPFCHK keyword on a SAFDEF record that describes the specific environment from which the call is made.

Using this parameter results in a less secure system, because it allows a user to create a program that can issue STATUS=ACCESS requests from an unauthorized environment.

Because no logging is performed, a user could exploit NOAPFCHK to probe for vulnerabilities in the security permissions. STATUS=ACCESS provides the ability to query the security system for the level of access to a given resource.
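
The following Python script is an added example, not code from this article or from ACF2. It reviews SAFDEF definitions that carry NOAPFCHK and flags those that do not narrow the calling environment or the call itself. The one-line INSERT text format, the record, program and class names in the sample, and the choice of PROGRAM, RB and RACROUTE as the fields to check are assumptions of this example.

```python
import re

# Constructed sample: SAFDEF definitions kept as one INSERT command per line.
# Record names, program names and classes are made up for illustration.
SAMPLE = """\
INSERT SAFDEF.PRODA ID(PRODA) MODE(GLOBAL) PROGRAM(PRODAMN) RB(PRODAMN) NOAPFCHK RACROUTE(REQUEST=AUTH,CLASS=FACILITY,STATUS=ACCESS)
INSERT SAFDEF.WIDE ID(WIDE) MODE(GLOBAL) PROGRAM(********) RB(********) NOAPFCHK RACROUTE(REQUEST=AUTH,STATUS=ACCESS)
INSERT SAFDEF.NOSTAT ID(NOSTAT) MODE(GLOBAL) PROGRAM(PRODBMN) RB(PRODBMN) NOAPFCHK RACROUTE(REQUEST=AUTH,CLASS=DATASET)
INSERT SAFDEF.PLAIN ID(PLAIN) MODE(IGNORE) PROGRAM(PRODCMN) RB(PRODCMN) RACROUTE(REQUEST=EXTRACT)
"""

FIELD = re.compile(r"(\w+)\(([^()]*)\)")  # KEYWORD(value) pairs

def parse(line):
    """Return (record name, {field: value}, has_noapfchk) for one INSERT line."""
    name = re.search(r"SAFDEF\.(\S+)", line).group(1)
    fields = {k.upper(): v for k, v in FIELD.findall(line)}
    return name, fields, bool(re.search(r"\bNOAPFCHK\b", line))

def is_generic(value):
    """True when a field is absent or only mask characters.
    Assumption of this example: an absent field is treated as unrestricted."""
    return value is None or value.strip("*-") == ""

def audit(text):
    """Map each NOAPFCHK record name to a list of review findings."""
    report = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name, fields, bypass = parse(line)
        if not bypass:
            continue  # APF check still enforced for this record
        findings = [f"{key} is not a specific name"
                    for key in ("PROGRAM", "RB") if is_generic(fields.get(key))]
        parts = re.split(r"[,\s]+", fields.get("RACROUTE", ""))
        racroute = dict(p.split("=", 1) for p in parts if "=" in p)
        if racroute.get("STATUS") != "ACCESS":
            findings.append("RACROUTE does not pin STATUS=ACCESS")
        if "CLASS" not in racroute:
            findings.append("RACROUTE does not pin a CLASS")
        report[name] = findings
    return report

if __name__ == "__main__":
    for record, findings in audit(SAMPLE).items():
        print(record, "OK" if not findings else "; ".join(findings))
```

A record with an empty findings list still bypasses the APF check; it is only scoped as tightly as these three fields allow.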

Additional Information

Details on the GSO SAFDEF can be found in ACF2 documentation section Environments for SAF Calls (SAFDEF).