The CEBT transaction (the master terminal transaction used to control the alternate CICS system in an XRF environment) is not subject to transaction security checking. This means that any user is authorized to use CEBT. CEBT can only be issued from the operating system console, using the MODIFY command. You can use the OPERCMDS resource class to control who is allowed to use the MODIFY command.
For more information, see Using an MVS system console as a CICS terminal.