What Can The Top Secret MSCA ACID Do That No Other ACID Can?


Article ID: 197393


Updated On:

Products

CA Top Secret, CA Top Secret - LDAP, CA Web Administrator for Top Secret

Issue/Introduction

What can ONLY the MSCA do that another SCA cannot do, even if it were possible to give the SCA the authority? Put another way: what are the "unique functions" of the MSCA?

For example:

1.  Only the MSCA can create another MSCA
2.  Only the MSCA can run TSSXTEND
3.  Only the MSCA can run TSSMAINT, TSSFAR, etc.

Environment

Release: 16.0

Component: CA Top Secret for z/OS

Resolution

Only the MSCA can:
- Create an SCA ACID. (There can’t be more than one MSCA on the security file, so the MSCA cannot create another MSCA.)
- Give administrative authorities to an SCA (TSS ADMIN command).
- Move another type of ACID to be type SCA (TSS MOVE(acid) TYPE(SCA)).
- Add a specific suspend attribute (PSUSPEND, VSUSPEND, XSUSPEND) to an ACID. (This is used for recovery and for propagating suspends to other systems through CPF. Administrators with proper authority can add SUSPEND, which will ASUSPEND the ACID.)
- Issue a TSS command from the console via F TSS,TSS. This requires the MSCA’s previous password/phrase when replying to the TSS9273A ENTER TSS COMMAND PASSWORD prompt.

It used to be that only the MSCA could:
- LIST ACIDs with DATA(PASS) and see PASSWORD=NOPW.
- Run TSSFAR.
- Run TSSXTEND.

However, there are now CASECAUT resources that can be permitted to an SCA to allow them to do these:
- With TSS r16 PTFs SO10461 and SO10967, an SCA with CASECAUT(TSSCMD.USER.LIST.NOPW) ACCESS(USE) access can list ACIDs with NOPW.
- An SCA with CASECAUT(TSSUTILITY.TSSFAR) ACCESS(USE) access can run TSSFAR.
- An SCA with CASECAUT(TSSUTILITY.TSSXTEND) ACCESS(USE) access can run TSSXTEND.
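
One way to audit who holds the three delegable functions listed above, as an added example that is not from the original article or from the vendor. The record layout, ACID names and approved baseline are constructed, and the prefix rule in `covers` is an assumption about how a permitted CASECAUT name matches; the script does not parse real TSS output.

```python
# Added example: audit a permit inventory for the three delegable functions.
# Record layout, ACID names and baseline are constructed; no real TSS output is parsed.

# CASECAUT resources named in the article, mapped to the function each unlocks.
DELEGABLE = {
    "TSSCMD.USER.LIST.NOPW": "list ACIDs with DATA(PASS) and see NOPW",
    "TSSUTILITY.TSSFAR": "run TSSFAR",
    "TSSUTILITY.TSSXTEND": "run TSSXTEND",
}

# Constructed sample rows: (acid, acid_type, permitted CASECAUT name, access)
SAMPLE_PERMITS = [
    ("SCA01", "SCA", "TSSUTILITY.TSSFAR", "USE"),
    ("SCA02", "SCA", "TSSUTILITY.", "USE"),             # short name, covers both utilities
    ("SCA03", "SCA", "TSSCMD.USER.LIST.NOPW", "NONE"),  # not USE, so not counted
    ("DCA07", "DCA", "TSSUTILITY.TSSXTEND", "USE"),     # holder is not an SCA
    ("SCA01", "SCA", "TSSCMD.USER.LIST", "USE"),
]
# Constructed baseline of delegations the security team has signed off on.
APPROVED = {"SCA01": {"TSSUTILITY.TSSFAR"}}

def covers(permitted, resource):
    # Assumption: a permitted name covers every resource it is a prefix of.
    return bool(permitted) and resource.startswith(permitted)

def audit(permits, approved):
    """Return (held, drift, review): effective holdings per SCA, holdings
    missing from the baseline, and permits held by non-SCA ACIDs."""
    held, review = {}, []
    for acid, acid_type, permitted, access in permits:
        hits = {r for r in DELEGABLE if covers(permitted, r)}
        if access != "USE" or not hits:
            continue
        if acid_type != "SCA":
            # The article describes these delegations for SCAs only.
            review.append((acid, acid_type, permitted))
            continue
        held.setdefault(acid, set()).update(hits)
    drift = {a: sorted(r - approved.get(a, set())) for a, r in held.items()}
    drift = {a: r for a, r in drift.items() if r}
    return {a: sorted(r) for a, r in held.items()}, drift, sorted(review)

if __name__ == "__main__":
    held, drift, review = audit(SAMPLE_PERMITS, APPROVED)
    for acid, resources in sorted(drift.items()):
        for r in resources:
            print(f"{acid}: unapproved ability to {DELEGABLE[r]} via CASECAUT({r})")
    for acid, acid_type, permitted in review:
        print(f"{acid} ({acid_type}): holds CASECAUT({permitted}) but is not an SCA")
```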