SDSF to TSS conversion NTBL statements

Article ID: 248811

Products

Top Secret

Issue/Introduction

The ISFPRMxx member contains NTBL statements (referred to via ICMD/XCMD, IDSP/XDSP, and IDSPD/XDSPD)
that include or exclude job output handling.

Example, in ISFPRMB0:

ICMD(TIKODBAQ),
IDSP(TIKODBAJ),
IDSPD(TIKODBAJ),

XCMD(EISAA),
XDSP(EISAA),
XDSPD(EISAA)

How would these be handled via Top Secret rules? 

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

The NTBL statements from ISFPRMxx do not have any SDSF class translation equivalents
in either RACF or Top Secret.

To assist with security in this area, use the JESSPOOL resource class.
The NTBL entries primarily identify resources, such as job names, that are protected based on
some portion of the job name.

Maskable resource permissions in the JESSPOOL class are coded as follows:

INCLUDE permission (for ICMD, IDSP, and IDSPD): to give users access to all jobs
that begin with the letter 'T', a permit like this is required:

TSS PER(prof1) JESSPOOL(node.userid.T*) ACCESS(READ)

EXCLUDE permission (for XCMD, XDSP, and XDSPD): to deny users access to all jobs
that begin with the letter 'T', a permit like this is required:

TSS PER(prof1) JESSPOOL(node.userid.T*) ACCESS(NONE)

The above examples are based on the NTBL NAME(TIKODBAJ) NTBLENT STRING(T),OFFSET(1) statement.
Unique permissions are required to cover all the NTBLENT possibilities.
The full SDSF SAF-based security environment will be a combination of SDSF class resource ownerships and permissions and
JESSPOOL class resource ownerships and permissions that together cover all the possibilities that exist in the ISFPRMxx member.
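
The mapping described above can be drafted mechanically during a conversion review. The following Python sketch is an added example, not Broadcom or SDSF code: it reads an ISFPRMxx fragment, pairs each ICMD/IDSP/IDSPD and XCMD/XDSP/XDSPD reference with its NTBL entries, and emits the article's permit form for OFFSET(1) entries while listing everything else for manual handling. The function name, the group name GRPA and the EISAA entries are assumptions made for illustration; prof1, node and userid are the article's placeholders.

```python
import re

# Constructed ISFPRMxx fragment. TIKODBAJ, EISAA and STRING(T),OFFSET(1) come
# from the article; GRPA and the EISAA entries are made up for illustration.
SAMPLE = """\
GROUP NAME(GRPA),
  IDSP(TIKODBAJ),
  XDSP(EISAA)
NTBL NAME(TIKODBAJ)
  NTBLENT STRING(T),OFFSET(1)
NTBL NAME(EISAA)
  NTBLENT STRING(SYS),OFFSET(1)
  NTBLENT STRING(X),OFFSET(3)
"""

TOKEN = re.compile(
    r"\bNTBL\s+NAME\((\w+)\)"
    r"|\bNTBLENT\s+STRING\(([^)]+)\)\s*,\s*OFFSET\((\d+)\)"
    r"|\b([IX])(?:CMD|DSPD?)\((\w+)\)"
)

def draft_permits(isfprm, acid="prof1", node="node", owner="userid"):
    """Return (commands, review): draft TSS permits and items needing manual work."""
    tables, refs, current = {}, [], None
    for m in TOKEN.finditer(isfprm.upper()):
        tbl, string, offset, kind, ref = m.groups()
        if tbl:                       # NTBL NAME(x) opens a table
            current = tbl
            tables.setdefault(tbl, [])
        elif string and current:      # NTBLENT belongs to the open table
            tables[current].append((string, int(offset)))
        elif kind:                    # I* = include list, X* = exclude list
            refs.append((kind, ref))
    commands, review = [], []
    for kind, ref in refs:
        access = "READ" if kind == "I" else "NONE"   # mapping used in the article
        if ref not in tables:
            review.append(f"{ref}: no NTBL definition found")
        for string, offset in tables.get(ref, []):
            if offset == 1:           # leading-string match becomes a trailing mask
                commands.append(f"TSS PER({acid}) JESSPOOL({node}.{owner}.{string}*) ACCESS({access})")
            else:                     # the article shows no permit form for other offsets
                review.append(f"{ref}: STRING({string}),OFFSET({offset})")
    return commands, review

if __name__ == "__main__":
    cmds, todo = draft_permits(SAMPLE)
    print("\n".join(cmds))
    print("manual review:", todo)
```

The output is a draft for review, not a finished rule set: every entry in the manual-review list still needs its own permission, as the article notes.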