We have HFSSEC(ON) and are being questioned by auditors regarding the entitlements "UID=0 and BPX.SUPERUSER" in our OMVS environment.
Environment
Release :
Component : CA Top Secret for z/OS
Resolution
When you have HFSSEC(ON), Top Secret controls directory access and will override UID(0) and BPX.SUPERUSER. However, UID(0) and BPX.SUPERUSER are not used only for directory access in USS.
There are USS commands and functions that require superuser authority.
So there will be instances where superuser authority is needed, even though you have HFSSEC(ON).
We do not recommend removing superuser authority until you validate that the user doesn't really need it, based on what they are doing with their ACID in USS.