There are two components at play:
- Generation of the PassTicket, and
- Evaluation of the PassTicket.
GENERATION of a PassTicket will cause the following resource validations.
- If PTKRESCK is set in the GSO OPTS record, there will always be a resource validation for the PTKTGEN resource on a generation request IF THE GENERATION IS DONE ON THE SAME LPAR. If generation occurs off-platform, you will not see PTKTGEN validation.
- Validation of the IRRPTAUTH resource for UPDATE access, ONLY if the generation is performed via the R_ticketserv or R_GenSec callable services.
EVALUATION of a PassTicket (at signon time) will NOT cause a validation for IRRPTAUTH with READ access, because ACF2 does not use the callable services at signon time.
Applications that use the R_ticketserv or R_GenSec callable service to generate or evaluate a PassTicket will cause validations of the following resources in the PTKTDATA class:
| Operation | Resource Name | Access Required |
|---|---|---|
| Generate PassTicket | IRRPTAUTH.application.target-userid | UPDATE |
| Evaluate PassTicket | IRRPTAUTH.application.target-userid | READ |