With z/OS 1.12, the NETSTAT DROP command appears to be protected because the following RACF error is received with this command:
DROP connection process failed RACF authorization checking
+++ RC(-1) +++
The following CA Top Secret administration is needed to allow the access:
TSS ADD(dept) OPERCMDS(MVS.VARY) (if not already done)
TSS PER(ALL) OPERCMDS(MVS.VARY) ACTION(PASSWORD,FAIL)
(This will cause TSS to pass back a RC of 04 on the security call, similar to if the resource was unowned. This will prevent other commands from failing when OPERCMDS(MVS.VARY) is owned.)
TSS PER(acid) OPERCMDS(MVS.VARY.TCPIP.DROP) ACC(CONTROL) for the users that need access to the NETSTAT DROP command.