When both volume and data set level access checking are being done, CA Top Secret always performs volume level first. In some cases a request to access a data set is granted or failed strictly on the basis of the ACID's volume access authorizations without checking whether he has specific authorization to access that particular data set.
Volumes checking is only done when the volume is passed.  If the volume is not passed on the call then only dataset checking is done and no volume checking occurs.

The following table shows how volume access authorizations affect an ACID's request to access a data set on that volume:

Authorized Volume      Data Set       Data Set        Data Set         Data Set             

Access:                         Read:          Update:          Create:            Scratch:             

NONE                            FAIL             FAIL               FAIL                  FAIL                 

ALL                               OKAY            OKAY             OKAY               OKAY                 

CREATE                       DSNAME      DSNAME        DSNAME        DSNAME

READ                            OKAY           DSNAME        FAIL                 DSNAME 

Be aware of VSAM datasets where the VOLUME passed is the volume where the catalog resides and NOT where the dataset resides.

If you always want the Data Set access to be checked then you can issue the following commands: 
TSS ADD(msca) VOL(*ALL*(G)) 
TSS PERMIT(ALL) VOL(*ALL*(G)) ACCESS(CREATE) 
The above will give users access to all volumes and continue to do Data Set checking.  The data set rule will have the final say as to whether to grant access or not.