Your installation can use the Security Server RACF or an equivalent product to control who can use ICSF callable services or key labels. Prior to using an ICSF callable service or a key label, ask your security administrator to ensure that you have the necessary authorization. For more information, see z/OS Security Server RACF Security Administrator’s Guide.

HCR7751 and later supports a key store policy using the RACF XFACILIT class. See z/OS Security Server RACF Security Administrator’s Guide.

RACF does not control all services. The usage notes topic in the callable service description will highlight those services which are not controlled.