Is it possible to move only 2 of the SDSF group assignments to Top Secret and leave the others in ISFPRMxx? What steps are needed to accomplish this?

Release : 16.0

Component : CA Top Secret for z/OS

You may already have permits in the ALL record for the following:

SDSF(ISFCMD.) ACCESS(ALL) ACTION(PASSWORD,FAIL)
SDSF(ISFATTR.) ACCESS(ALL) ACTION(PASSWORD,FAIL)
SDSF(ISFINIT.) ACCESS(ALL) ACTION(PASSWORD,FAIL)

These were recommended in a PIB (GI18084) from Top Secret 4.4, but these are still valid.

ACTION(PASSWORD,FAIL) on a permit will force a return code of 4 to be returned to SDSF when checking for access to SYSOUT. This will make SDSF honor ISFPARMS or the SDSF user exit, effectively enforcing SDSF security checking as intended.

The first things to do are:

1) Determine what resource names you will be permitting.
2) List the ALL record to see if these permits are there. 

If the above permits are in the ALL record (with ACTION(PASSWORD,FAIL) ), then you can just permit the SDSF resources to the acids (or attached profiles) that are affiliated with the 2 SDSF groups. The other ACIDs will fall through to the permits in the ALL record with ACTION(PASSWORD,FAIL) and should revert to ISFPARMS.