From the CA Top secret scan, below are the deviations generated for some of the CA1 data sets:
Examining resource CAI.xxxxxxx.AUDIT in class DATASET for *ALL* records
allowing greater than NONE access
+ Found CAI. with access READ which is bad
Resource CAI.xxxxxx.AUDIT in class DATASET is under AUDIT.
Examining resource CAI.CTAPOPTN in class DATASET for *ALL* records
allowing greater than NONE access
+ Found CAI. with access READ which is bad
Resource CAI.CTAPOPTN in class DATASET is under AUDIT.
It is assumed that for "CAI" data sets ALL ACCESS(NONE) should be specified. However, we want to know if changing this access would impact CA1, as one file is the AUDIT file (CAI.xxxxxx.AUDIT), which the TMS would use for any purpose and which would cause an impact if ACCESS(NONE) is specified. Also, another data set is the "CAI.CTAPOPTN" data set (for example, CA-1 tape pool rules, from which scratch tapes are selected from different tape pools, and which are defined in member TMONSMxx). Will ACCESS(NONE) impact this too?
Release : 14.0
Component : CA 1 Tape Management
The security scan detected certain CA1 data sets with access of READ when it was assumed that they should be NONE.
For access to the CA1 Audit, CTAPOPTN, and other CA1 data sets, it is recommended that a UACC of READ be set, and to specifically disallow UPDATE access for everyone. Update access can then be granted for specific users on a case-by-case, 'as needed' basis.
There are other security access considerations for CA1 where READ or UPDATE access would still be needed for specific users or tasks.
Some examples where specific users or tasks would be granted UPDATE access to CA1 resources, unconditionally, include:
1) If OAM is running (for example, because of an IBM ATL/VTS or another type of device that uses OAM), OAM should have UPDATE access to YSVCUNCD.
2) Any USERIDs associated with TMSCLEAN and other CA 1 batch jobs. These would require UPDATE access to YSVCUNCD.
3) If TMSINIT is not authorized to use either the YSVCCOND or YSVCUNCD resource with a service of UPDATE, TMSINIT abends during startup.
And in addition:
1) For access to specific data sets defined in the TMC, certain users can be granted READ or UPDATE access as needed, and this would be at the DATASET level. It is recommended that UACC (READ) be set for the YSVCCOND resource, and then DATASET level control/rules be established to limit users who are allowed to have either READ or UPDATE access to specific data sets tracked in the TMC.
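The scan above flagged READ for the ALL record as "bad" because it assumed NONE, whereas the answer treats READ as acceptable and UPDATE as the level to deny. The following added example (not from the article or from the CA1 product) parses that scan output format and re-judges each finding against the READ ceiling; the access ranking, the third data set name and the UPDATE finding are constructed for illustration.

```python
import re

# Simplified access ranking used only for comparison (assumption for this
# example; a real Top Secret access list has more levels than these).
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALL": 3}

# Policy from the answer: the ALL record may hold READ on CA1 data sets;
# anything above READ for ALL should still be flagged.
MAX_ALL_ACCESS = "READ"

EXAMINING = re.compile(r"Examining resource (\S+) in class (\S+) for \*(\w+)\* records")
FOUND = re.compile(r"\+ Found (\S+) with access (\S+)")


def reevaluate(scan_text):
    """Parse scan output and re-judge each finding against MAX_ALL_ACCESS."""
    findings = []
    resource = cls = record = None
    for line in scan_text.splitlines():
        m = EXAMINING.search(line)
        if m:
            resource, cls, record = m.groups()  # start of a new resource block
            continue
        m = FOUND.search(line)
        if m and resource:
            entry, access = m.groups()
            rank = ACCESS_RANK.get(access.upper())
            verdict = ("unknown" if rank is None
                       else "ok" if rank <= ACCESS_RANK[MAX_ALL_ACCESS]
                       else "excessive")
            findings.append({"resource": resource, "class": cls, "record": record,
                             "entry": entry, "access": access, "verdict": verdict})
    return findings


# Constructed sample: the two findings from the question plus an UPDATE case
# (data set name made up) showing what the corrected policy would still flag.
SAMPLE = """\
Examining resource CAI.xxxxxxx.AUDIT in class DATASET for *ALL* records
allowing greater than NONE access
+ Found CAI. with access READ which is bad
Resource CAI.xxxxxxx.AUDIT in class DATASET is under AUDIT.
Examining resource CAI.CTAPOPTN in class DATASET for *ALL* records
allowing greater than NONE access
+ Found CAI. with access READ which is bad
Examining resource CAI.SAMPLE.TMC in class DATASET for *ALL* records
allowing greater than NONE access
+ Found CAI. with access UPDATE which is bad
"""

if __name__ == "__main__":
    for f in reevaluate(SAMPLE):
        print(f"{f['resource']:<22} {f['entry']:<6} {f['access']:<7} -> {f['verdict']}")
```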
See the CA1 Programming manual (section 'CA1 Profiles and Security') for much more info and sample RACF/ACF2/Top Secret commands for implementing CA1 security:
https://techdocs.broadcom.com/us/en/ca-mainframe-software/performance-and-storage/ca-1-tape-management-system/14-0/programming/ca-1-profiles-and-security.html