Unauthorized persons should not perform the cryptographic or key management functions that the callable services provide. The security administrator should be the only one able to access some services like those used in managing keys. The security administrator can give access to some services, such as enciphering and deciphering data, to persons who are authorized on the system.
You can use the Security Server (RACF) to control which users can use ICSF callable services. For example, you can use the key export service to export any type of key. Your installation may want only the security administrator to be able to use the key export function.
ICSF provides security exit points that you can use to control access to a callable service instead of Security Server (RACF). For information about the security exit points, see Security installation exits.
Your installation may want other users to just be able to export data keys, because sending encrypted data between systems is a common function. The data key export callable service permits the export of data keys only. Your security administrator can have access to the key export service and can use the Security Server (RACF) to give other users access to the data key export service. For more information on controlling who can use ICSF callable services, see z/OS Cryptographic Services ICSF Administrator's Guide.
Access control points for specific functions may be enabled/disabled through the TKE workstation. See thez/OS Cryptographic Services ICSF TKE Workstation User's Guide for additional information.