Question:
Is there a way to limit an administrative ACID so that it can only reset passwords?
Answer:
Do one of the following:
1) TSS ADD(dept) CASECAUT(TSSCMD.USER.REPLACE.PASSWO) (if not already owned)
Note: The TSS ADD command limits CASECAUT resource names to 26 characters, so the resource name is truncated to TSSCMD.USER.REPLACE.PASSWO in the ADD command.
TSS PER(acid) CASECAUT(TSSCMD.USER.REPLACE.PASSWORD)
2) Or give the ACID MISC8(PWMAINT) admin authority, which authorizes the administrator to do password maintenance on ACIDs within their scope. This allows the use of the PASSWORD keyword on any command, or the SUSPEND keyword on the REMOVE command, without specifying ACID(MAINTAIN) or MISC1(SUSPEND).
Additional Information:
Please see the CA Top Secret User Guide for more information on the CASECAUT resource class and the MISC8(PWMAINT) admin authority.