1. The NON-CNCL attribute is never required for a started tasks, however some sites will give NON-CNCL to 'system' started tasks
that they feel are trusted rather than writing rules however the best practice would be to not use NON-CNCL and write rules.
2. Does ENF require UID(0):
If you are securing USS files (HFS/ZFS) with CA TOP SECRET (ENF/USS Interface), the security ID associated with the ENF started task requires:
A superuser ID (UID 0), or the permission to the IBM Facility resource BPX.SUPERUSER.
a valid group ID (GID), home directory, and shell program.
He also needs the permission to the IBM Facility resource BPX.DAEMON, if this resource is defined in the customers environment.
ENF doesn't require UID(0): NO (if not using ENFUSS), then:
The ID associated with the ENF started task must have a valid security OMVS segment defined:
This generally consists of a valid group ID (GID), home directory, and shell program.
The same would apply to ACF2 security product, in fact, UID (0) is optional.