Here it is an excerpt of IBM RACF documentation about TSOAUTH class:
You can use RACF® to protect certain TSO resources. These resources include TSO logon procedures, account numbers, and performance groups.
In addition, you can protect resources called TSO user authorities, whose settings determine whether a user can issue certain authorized TSO commands. Examples of TSO user authorities include ACCT, JCL, MOUNT, OPER, RECOVER, PARMLIB, TESTAUTH, and CONSOLE. For detailed information about the TSO resources you can protect with RACF, see z/OS TSO/E Customization.
For TSOAUTH, gives the user the authority to issue the associated authorized TSO command.
For PARMLIB, allows the user to issue the PARMLIB LIST command.
For TESTAUTH, allows the user to invoke a program in authorized state.
What is the correct RDT-definition for resclass TSOAUTH ?
With CA Top Secret the Resource Descriptor Table (RDT) shows it like:
ACCESSORID = *RDT* NAME = RESOURCE DEFINITIONS
RESOURCE CLASS = TSOAUTH
RESOURCE CODE = X'088' POSIT = 124
ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(008),PRIVPGM
TSS0300I LIST FUNCTION SUCCESSFUL
There is no access list and it has always been supplied as it is.
There is no granularity as such with CA Top Secret. In fact, the only difference is with UPDATE For PARMLIB, it allows the user to issue the PARMLIB UPDATE command. For the other profiles, UPDATE is the same as READ. With CA Top Secret you can LIST and UPDATE the PARMLIB.
For pre-defined resource class, only attributes can be changed.
You can access to the link below to have more details about TSOAUTH class with CA Top Secret.