How can I tell who is authorized to use these commands?

There are six categories of privileged commands. Users' access to these commands is configured using UPSMNT60. You may view each user's authority to use these commands by running a report using the UPSLIST utility. A sample of the UPSLIST JCL is in SAMPJCL.

OPER: Allows use of the DEBUG, LIBCACHE, OPERATOR (OPR), RCSTRACE, ROZAP commands, privileged use of MESSAGE command, and the PEEK function.

RPS: Allows use of the privileged operands of the PRINT command.

ACCT: Allows use of the ACCT and RTM commands.

ETSO: Allows use of the privileged operands of the CANCEL, FREE, and QUERY commands.

LIB: Allows use of the privileged commands UPDATE, SAVE, DELETE, RENAME, and ALTER for daily library maintenance, regardless of the way security groups are established.

UPS: Allows use of the privileged command UPSMNTnn.

Note: A user that is enabled to use the UPS privileged commands must also be enabled to use the LIB privileged commands. A user that is enabled UPS privileges cannot enable privileged commands for other users through a UPS ADD or UPS UPDATE command. The privileged command field on the UPSMNTnn panel is protected and has a value of 'N.'; only the owner of the UPS prefix can enable privileged commands to a user.

See How to determine which users and groups have been defined to CA Roscoe? for JCL to run UPSLIST and how to interpret the output.