A type USER ACID was permitted to CASECAUT(TSSCMD.USER.REPLACE.PASSWORD), but when this ACID tried to replace another ACID's password, the following error was received:
TSS0352E ACID NOT OWNED WITHIN SCOPE
Even when using the new class CASECAUT, the administrative rights gained are limited by the scope of the ACID.
That is, an ACID of type USER has scope only over itself. If the ACID were a DCA, it would have scope over all ACIDs within the department the DCA belongs to.
The CA Top Secret User Guide, Chapter 6, states:
The CASECAUT resource class enables users with no administrative authorities to change certain password and issue digital certificate keyring and token commands for users WITHIN THEIR SCOPE.
Release: TOPSEC00200-15-Top Secret-Security