Vantage is a started task running with multiple TCBs on a Top Secret system. Vantage allows you to connect via TCP/IP after logging in. In that case, one or more new TCBs are created, and each runs under the security profile of the ACID that is connected to the task. The started task itself runs under a user that has access to all resources; it even has NODSNCHK. When a user who doesn't have access to a data set tries to edit the data set in ISPF, Top Secret issues an error and access is denied, which is correct and expected:
TSS7220E 102 J=vantage A=acid VOL=vvvvvv ACC=UPDATE DSN=data.set.name
TSS7227E UPDATE Access Not Granted to Dataset data.set.name
However, if the user logs in to the Vantage task and tries to create a new member in the data set via the host task, access is granted and the member is created. Top Secret only issues a warning message:
TSS7220W 102 J=vantage A=acid VOL=vvvvvv ACC=UPDATE DSN=data.set.name
The RACROUTE returns RC=0 as if the user was allowed access. It seems that if the action is performed under an address space user that has access to the resource, a user connected to the address space gets the access with a warning message.
Release: 16.0
Component: CA Top Secret for z/OS
The facility associated with the Vantage started task was in WARN mode. To deny access, put the facility in FAIL mode:
TSS MODIFY FAC(fac=MODE=FAIL)
If FACSTOR(NO) is set, the TSS MODIFY command is only valid until the next recycle of Top Secret. To make the change permanent, change the FAC(fac=MODE=WARN) statement (where 'fac' is the facility associated with the Vantage started task) to:
FAC(fac=MODE=FAIL)
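To see which accesses WARN mode has been letting through before the facility is switched to FAIL, the TSS7220 messages can be tallied from captured log text. The following is an added example, not part of the original article or any vendor code; it assumes the message layout quoted above, treats the W suffix as "violation logged, access allowed" and E as "denied", and uses constructed sample lines and hypothetical function names.

```python
import re
from collections import Counter

# Layout taken from the messages quoted in the article:
#   TSS7220<sev> <code> J=<job> A=<acid> VOL=<vol> ACC=<access> DSN=<dsn>
TSS7220 = re.compile(
    r"TSS7220(?P<sev>[EW])\s+(?P<code>\d+)\s+J=(?P<job>\S+)\s+A=(?P<acid>\S+)"
    r"\s+VOL=(?P<vol>\S+)\s+ACC=(?P<acc>\S+)\s+DSN=(?P<dsn>\S+)"
)

def parse_violations(log_text):
    """Return one dict per TSS7220 message found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = TSS7220.search(line)
        if m:
            ev = m.groupdict()
            # Assumption: E = access denied; W = violation logged but
            # access allowed because the facility is in WARN mode.
            ev["allowed"] = ev["sev"] == "W"
            events.append(ev)
    return events

def warn_mode_grants(events):
    """Count violations that were allowed, keyed by (job, acid, access, dsn)."""
    return Counter(
        (e["job"], e["acid"], e["acc"], e["dsn"]) for e in events if e["allowed"]
    )

# Constructed sample log lines (not real system output).
SAMPLE_LOG = """\
09:14:02 TSS7220E 102 J=USER01 A=USER01 VOL=VOL001 ACC=UPDATE DSN=PROD.PAYROLL.DATA
09:14:02 TSS7227E UPDATE Access Not Granted to Dataset PROD.PAYROLL.DATA
09:20:41 TSS7220W 102 J=VANTAGE A=USER01 VOL=VOL001 ACC=UPDATE DSN=PROD.PAYROLL.DATA
09:21:05 TSS7220W 102 J=VANTAGE A=USER01 VOL=VOL001 ACC=UPDATE DSN=PROD.PAYROLL.DATA
09:30:12 TSS7220W 102 J=VANTAGE A=USER02 VOL=VOL002 ACC=READ DSN=SYS1.PARMLIB
"""

if __name__ == "__main__":
    grants = warn_mode_grants(parse_violations(SAMPLE_LOG))
    for (job, acid, acc, dsn), n in grants.most_common():
        print(f"{n:3d}  job={job} acid={acid} {acc} {dsn}")
```

Each row in the output is an access that the facility would have denied in FAIL mode, so the list doubles as a preview of what will start failing after the change.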