- Here as example we use the follwing definition within the CA Top Secret Resource Descriptor Table (RDT):

TSS ADDTO(RDT) RESCLASS(KLVCLASS) ACLST(READ) ATTR(MASK) 
TSS0300I ADD FUNCTION SUCCESSFUL 

RESOURCE CLASS = KLVCLASS 
RESOURCE CODE = X'01D' 
ATTRIBUTE = MASKABLE,MAXOWN(08),MAXPERMIT(008),ACCESS 
ACCESS = READ(4000) 
DEFACC = NONE 

After that, I cannot give ownership as it follows: 

TSS ADD(DMRSYST) KLVCLASS(TSO-CRA6) 
TSS0240E INVALID RESOURCE NAME 
TSS0301I ADD FUNCTION FAILED, RETURN CODE = 4

- With maskable resource class there are some rules to respect in order to ADD resource that contains masking chars: 

1. Any ADD command must specify a minimum of 2 characters 

2. Any ADD command that contains a masking character must start with a masking character. 

And it follows a kind of implication of these 2 rules: 

3. No resource name that starts with a non-masking character can contain a masking character in the 2nd position. 

- If you want to have more information about masking, go to link:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/setting-up-resource-definitions-and-ownership/resource-ownership/masking