If we grant everyone access to IBMFAC "SYSSSM.FUNC" [SYSSSM is the default of Vkgparm SECURPFX] which will allow them to see all objects, will that be the extent of what they get with that permissions?  Would they be allowed to touch a data set?
 

Users with alter access to the resource named SYSSSM.FUNC are granted access to all objects.
This is access to the objects, not to the data sets or Actions.
 
Any object can be secured to limit access to it by defining a Facility name of:  SYSSSM.FUNC.x
(See the additional information, below.)
   
Vkgparm STGADMIN [no default] specifies the Resource Facility name that, if a user has access to it, permission is granted to actions (line commands) for non-tape related objects.
A suggested value is:  STGADMIN (STGADMIN.VANTAGE)
This is suggested because a site may have other STGADMIN.xxx values defined for other purposes.
 
Your normal security rules would secure access to the data sets.

See CA Vantage SRM Reference Guide, 12.6.00, Sixth Edition, topic: Methodology for Defining Access Rules to Objects.
 
If you have any questions, please contact CA Technical Support.