You can prevent RACF® users from gaining access to protected resources they are not specifically authorized to access by assigning the RESTRICTED attribute on the ADDUSER or ALTUSER command. See Defining restricted user IDs for more information.

Only the owner of a user's profile (or a user who has the SPECIAL attribute) can assign the RESTRICTED attribute.