Need to temporarily restrict users to READ only access to DATACOM resources which they normally have UPDATE access. There are thousands of users and  no common PROFILE.
What is the easiest Top Secret administrative option to do this? 

Create a PROFILE that will be used to temporarily restrict access to READ for DATACOM resources. Create a user written program to generate TSS commands to add and remove the PROFILE.  The PROFILE must be added as the first profile. Your site must use the AUTH(AVERRIDE,ALLOVER) Control Option.

  Example of tasks:

1)  Run a TSSCMNDB batch job to list out your acids with the following commands:

      TSS LIST(ACIDS) DATA(NAMES) TYPE(USER)
TSS LIST(ACIDS) DATA(NAMES) TYPE(SCA)
TSS LIST(ACIDS) DATA(NAMES) TYPE(LSCA)
TSS LIST(ACIDS) DATA(NAMES) TYPE(DCA)
TSS LIST(ACIDS) DATA(NAMES) TYPE(VCA)
TSS LIST(ACIDS) DATA(NAMES) TYPE(ZCA)

 Top Secret has many types of acids like PROFILE acids, DEPT acids, ZONE acid, DIVISION acids special acids. The above commands will only list out user/admin type acids.

Take the output generated by the TSSCMNDB job convert it to a text file so it can be used as input with a programming language running on a different platform.

2)  Your program will create the following commands:

TSS ADD(xxxxxxx) PROFILE(PROFA) FIRST

to add the PROFILE and:

TSS REMOVE(xxxxxxxx) PROFILE(PROFA)

to remove the profile for each users in the text file.

3)  Then, you will have to transfer that text file back to the mainframe, wrap TSSCMNDB JCL around it and submit it.