IBM recommends to affect the SYSSTC service class to RACF. What about TOP-SECRET?
While we make no specific recommendations on this, the general idea is that TSS requires more services than any of the address spaces that need TSS services on a regular basis (such as CICS address spaces) but not necessarily as much as address spaces that do not (such as VTAM).
When we talk about requiring TSS services, we are mainly talking about signon activity.
Resource checking is done within an address space and usually does not require TSS services from the TSS address space.
In WLM terms, this is probably closer to the choice of running it as a separate WLM Service Class, although for the most part TSS will need more service than almost anything not in SYSTEM or SYSSTC.
Then, the TSS STC can be run in the SYSSTC WLM class.