An ACID of type USER was permitted to CASECAUT(TSSCMD.USER.REPLACE.PASSWORD), but when this ACID tried to replace another ACID's password, the following error was received:
TSS0352E ACID NOT OWNED WITHIN SCOPE
Release: TOPSEC00200-15-Top Secret-Security
Top Secret r16.0
Even when the new CASECAUT resource class is used, the administrative rights it grants are limited by the scope of the ACID that holds the permit.
That is, an ACID of type USER has scope only over itself, so it can use the permit to replace its own password but not anyone else's. If the ACID were a DCA (Department Control ACID), it would have scope over all ACIDs within the department the DCA belongs to, and the same permit would let it replace the passwords of those ACIDs.
The CA Top Secret User Guide states:
The CASECAUT resource class enables users with no administrative authorities to change certain password and issue digital certificate keyring and token commands for users WITHIN THEIR SCOPE.
In order to have no scope limitations, the ACID needs to be an SCA. If the ACID only needs to change passwords for a particular department, division, or zone, the least-privilege choice is to make it a DCA, VCA, or ZCA respectively, so that the CASECAUT permit covers exactly the ACIDs it has to administer and nothing more.
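The following batch job is an added example, not part of the original article, showing how an SCA would grant the CASECAUT permit and, as the scope-limited alternative, create a DCA for the target ACID's department. All ACID and department names (USER01, USER02, DEPT01, DEPTADM) are assumptions; the ACCESS level, the PASSWORD operand values, and the assumption that the TSSCMD. prefix in CASECAUT is already owned (check with TSS WHOOWNS) should be verified against your site's Top Secret configuration and documentation.

```jcl
//TSSPERM  JOB (ACCT),'CASECAUT PERMIT',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Added example (not from the original article). Assumed names:
//*   USER01  = type USER ACID that receives the CASECAUT permit
//*   USER02  = target ACID whose password is to be replaced, in DEPT01
//*   DEPTADM = new DCA for DEPT01 (scope-limited alternative to an SCA)
//* Submit this job under an SCA so that every ACID is within scope.
//* Assumes the TSSCMD. prefix in CASECAUT is already owned; verify with
//*   TSS WHOOWNS CASECAUT(TSSCMD.)
//*-------------------------------------------------------------------
//TSS      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  TSS PERMIT(USER01) CASECAUT(TSSCMD.USER.REPLACE.PASSWORD) ACCESS(READ)
  TSS WHOHAS CASECAUT(TSSCMD.USER.REPLACE.PASSWORD)
  TSS LIST(USER01) DATA(BASIC)
  TSS LIST(USER02) DATA(BASIC)
  TSS CREATE(DEPTADM) TYPE(DCA) NAME('DEPT01 ADMIN') DEPARTMENT(DEPT01) -
      PASSWORD(TEMP01,30,EXP) FACILITY(TSO)
  TSS PERMIT(DEPTADM) CASECAUT(TSSCMD.USER.REPLACE.PASSWORD) ACCESS(READ)
  TSS LIST(DEPTADM) DATA(BASIC)
/*
```

The two TSS LIST commands with DATA(BASIC) are the check: they show the TYPE of USER01 (USER) and the DEPARTMENT of USER02 (DEPT01), which together explain the symptom. After the job runs, USER01 issuing `TSS REPLACE(USER02) PASSWORD(NEWPW01,30)` from TSO still gets TSS0352E ACID NOT OWNED WITHIN SCOPE, because USER02 is outside a type USER ACID's scope even though the permit exists. DEPTADM issuing the same REPLACE succeeds, because USER02 belongs to DEPT01 and is therefore within the DCA's scope, without DEPTADM needing SCA authority.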