CA Faver in past release (release 3.x through 4.1) had a User Exit that you would manually update within the product. This was used to manage all security calls.
In the current release of CA Faver (release 4.2 through 4.5) there is an internal module called FVSECURE that is utilized to make all SAF and RACROUTE calls. This method allows CA Faver to work with IBM RACF, CA Top-Secret, or CA ACF2 security packages seamlessly.
CA Faver simply makes the security call at the DEFINE process (Faver uses IDCAMS for DEFINE processing) which would require the userid performing the RESTORE to have access to the file to create the file.
Typically, environments utilize CA Faver as a Storage Administrator or System Programmer utility only. They define a specific system userid that has great access to DEFINE files so that all RESTOREs can be completed. CA Faver is not usually a user accessed utility and allowed to rename files outside a normal userid scope.