Is it possible to restrict an SCA with ACID(MAINTAIN) or MISC8(PWMAINT) from resetting the password for the MSCA ACID?
In Top Secret R15 and above, to set a new password for the MSCA (using ADDTO or REPLACE), an SCA must have UPDATE access to entity TSSCMD.USER.cmd.MSCAPW in the CASECAUT resource class, where cmd is the command being issued. This authority is required even if the administrator already has ACID(MAINTAIN) or MISC8(PWMAINT) authority. To grant this access:
TSS ADD(dept) CASECAUT(TSSCMD.USER.cmd.MSCAPW)   (if not already owned)
TSS PERMIT(scaacid) CASECAUT(TSSCMD.USER.cmd.MSCAPW) ACCESS(UPDATE)
where 'cmd' is the command being issued (ADDTO or REPLACE).
See Restricted Administrative Authorities (CASECAUT Resource Class) for more information on the CASECAUT resource class.