For resource CSF-CKDS-DEFAULT, dash '-' is not a delimiter for a resource qualifier in a resource name. Therefore CSF-CKDS-DEFAULT is an unqualified resource name and an extended resource rule key cannot be used, so the entire resource name would be coded in the $KEY, for example: $KEY(CSF-CKDS-DEFAULT).
ICSF services looks for a CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT resource in the CSFKEYS class to determine application access. This control is active only when key store policy checking is active.
To setup RACF profiles and give appropriate users access to the CSF-CKDS-DEFAULT profile in the CSFKEYS class:
RDEFINE CSFKEYS CSF-CKDS-DEFAULT UACC(NONE) WA
PERMIT CSF-CKDS-DEFAULT CLASS(CSFKEYS) ID(group-id) ACCESS(READ)
There is no ACF2 equivalent for RDEFINE because ACF2 protects resources by default.
Since CSF-CKDS-DEFAULT is an unqualified resource name, an ACF2 extended resource rule cannot be used so the entire resource name would be coded in the $KEY. The ACF2 equivalent to the RACF PERMIT would be as follows.
UID(uid string) SERVICE(READ) ALLOW
Note: The resource class CSFKEYS defaults to a TYPE code of SAF. An ACF2 GSO CLASMAP record can be created to map the resource class CSFKEYS to a more unique TYPE code.
Details on ACF2 qualified and un-qualified resource rules can be found in the ACF2 Administrator Guide in Chapter 7: Maintaining Resource Rules, section "Control Statement Descriptions".
Details on the resource class CSFKEYS and the resource CSF-CKDS-DEFAULT can be found in the IBM z/OS Cryptographic Services Integrated Cryptographic Service Facility Administrator's Guide.