I want to protect NODE under SDF using JESSPOOL class because resource name starts with the NODE name. How it is done under Top Secret?

The JESSPOOL class is to protect Jobs, output groups, and SYSIN/SYSOUT data sets. 

The NODE protection with SDSF is made thru resource ISFNODE.nodename.JESx in SDSF class. 

nodename is the name of the node. 

JESx is the name of the JES subsystem. 

The following command can be issued: 

TSS ADD(owner#) SDSF(nodename) 
TSS PER(acid#) SDSF(nodename.JESx) if the site is using JES2

The following link provides all details about SDSF resources protection. This is an IBM link so the examples are for RACF, but they are very easy to be converted to CA Top Secret commands. 

https://www.ibm.com/docs/en/zos/2.5.0?topic=function-saf-classes-resources-sdsf

E.g: 

RDEFINE SDSF ISFNODE.** UACC(NONE) 
PERMIT ISFNODE.** CLASS(SDSF) ID(userid or groupid) ACCESS(CONTROL) 

gives: 

TSS ADD(owner#) SDSF(ISFNODE.) need to be done only once and then 
TSS PER(acid#) SDSF(ISFNODE.) ACCESS(CONTROL) 

where acid# can be an user acid type or profile acid type. 

-For CA Top Secret r16.0, please refer to the Techdoc JESSPOOL Resource Class—Secure JES Spool Data Sets