RACF Least Privilege

Hi, I've looked through the documentation for the RACF connector and it says the special privilege is required to be able to administer everything. I want to implement least privilege though. So I have two questions that come from either side of the connector. Exactly what commands are sent to RACF by One Identity for the various operations it can perform? and, this is going into RACF a little so this might not be the best place but, what privileges are required in RACF to enable One Identity to carry out those commands?