Can you permit a CASECAUT resource to ADD or REMOVE a FACILITY from a user.
It appears that in R16, we can only
TSS ADMIN(admin) FACILITY(ALL | facname1,…)
Release : 16.0
Component : CA Top Secret for z/OS
TSS administrative authority to authorize a user to TSS REMOVE or TSS ADD a FACILITY to an acid with the CASECAUT resource class cannot be controlled through authorization to CASECAUT.
The doc at the following link showed the following statement:
"The CASECAUT resource class enables users with no administrative authorities to change certain password-related fields and issue digital certificate, keyring, and token commands for users within their scope."
Please notice it doesn’t mention adding of FACILITYs.