With SDSF security in Top Secret, a user is allowed to ALTER jobs even though the user does not have ALTER access to the JESSPOOL resource. Running TSSSIM against the JESSPOOL resource shows the user is not permitted. 

Release : 16.0

Component : Top Secret for z/OS

If the user is permitted to SDSF(ISFAUTH.DEST.LOCAL.DATASEST.jesfile), where ‘jesfile’ is the JES output file, such as JESJCLIN, JESMSGLG, etc., the check for the JESSPOOL resource is not failed. There is a parameter on the JESSPOOL security call that says check this resource but if this is the userid to be checked, it has access because it has access to SDSF(ISFAUTH.DEST.LOCAL.DATASET.jesfile).

In order to successfully protect a JESSPOOL, permit the resource SDSF(ISFAUTH.DEST.LOCAL.DATASET)  with ACCESS(NONE) to the acid.