Does TARGET= keyword on a TSS admin command override CPF connections that are setup to pass only password changes and no TSS admin changes?
The purpose of CPF password-only nodes is to allow sites to set up nodes to only receive password changes by default. There was never an intention to prevent TSS commands from being specifically targeted to any defined password-only node.
The only way to get commands to flow to password-only nodes is to specifically name the nodes in the TARGET() keyword. The use of TARGET() can be administratively blocked by disallowing the use of MISC2(TARGET) administrative privilege if that is a concern.