Clarity on SAF Calls made for PassTicket use/generation/validation

Article ID: 100247

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC

Issue/Introduction

The documentation suggests there could be up to THREE SAF calls for each use of a PassTicket by an application:

1. PTKGEN.applid.userid to request permission to generate PassTickets
2. IRRPTAUTH.applid.userid - access UPDATE - to allow generation of a PassTicket for this applid/userid
3. IRRPTAUTH.applid.userid - access READ - to evaluate the PassTicket

Which resource validation calls are actually made by applications that use a PassTicket?

Environment

ACF2 Passticket

Resolution

There are two components at play:
- Generation of the PassTicket, and
- Evaluation of the PassTicket.

GENERATION of a PassTicket will have the following resource validations:
  1. If PTKRESCK is set in the GSO OPTS record there will always be a resource validation for the PTKTGEN resource on a generation request, IF THE GENERATION IS DONE ON THE SAME LPAR. If generation occurs off-platform you will not see a PTKTGEN validation.
  2. Validation of the IRRPTAUTH resource for UPDATE access - ONLY if the generation is performed via the R_ticketserv or R_GenSec callable services.

EVALUATION of a PassTicket (at signon time) will NOT cause a validation of IRRPTAUTH with READ access, because ACF2 does not use the callable services at signon time. Applications that use the R_ticketserv or R_GenSec callable service to generate or evaluate a PassTicket will cause validations of these resources in the PTKTDATA class:

Operation            Resource Name                          Access Required
Generate PassTicket  IRRPTAUTH.application.target-userid    UPDATE
Evaluate PassTicket  IRRPTAUTH.application.target-userid    READ
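The following is an added example, not code from the article or from ACF2: a small model of which PTKTDATA resource validations to expect for a PassTicket request, given a site's PTKRESCK setting and how the request is made. The applid and userid values are constructed, and the PTKTGEN.applid.userid qualifier layout is assumed from the question above (the article spells it PTKGEN there and PTKTGEN in the resolution); the access level for PTKTGEN is not stated in the article and is left unspecified.

```python
"""Model of ACF2 PassTicket resource validations (added example, assumptions noted)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PassTicketRequest:
    operation: str                    # "generate" or "evaluate"
    applid: str                       # application id (constructed values in tests)
    userid: str                       # target user id
    ptkresck: bool = False            # GSO OPTS PTKRESCK set?
    same_lpar: bool = True            # generation done on the same LPAR as validation?
    via_callable_service: bool = False  # R_ticketserv / R_GenSec used?


def expected_validations(req: PassTicketRequest) -> List[Tuple[str, Optional[str]]]:
    """Return (resource name, access) pairs ACF2 validates for this request.

    Access is None where the article does not state a level (PTKTGEN).
    """
    if req.operation not in ("generate", "evaluate"):
        raise ValueError(f"unknown operation: {req.operation}")

    checks: List[Tuple[str, Optional[str]]] = []
    if req.operation == "generate":
        # PTKTGEN is checked only with PTKRESCK on, and only for local generation;
        # off-platform generation never shows a PTKTGEN validation.
        if req.ptkresck and req.same_lpar:
            checks.append((f"PTKTGEN.{req.applid}.{req.userid}", None))
        # IRRPTAUTH UPDATE is checked only when the callable services generate it.
        if req.via_callable_service:
            checks.append((f"IRRPTAUTH.{req.applid}.{req.userid}", "UPDATE"))
    else:
        # Signon-time evaluation does not go through the callable services,
        # so IRRPTAUTH READ is checked only when an application calls them.
        if req.via_callable_service:
            checks.append((f"IRRPTAUTH.{req.applid}.{req.userid}", "READ"))
    return checks


if __name__ == "__main__":
    demo = PassTicketRequest("generate", "CICSPROD", "USER01", ptkresck=True,
                             via_callable_service=True)
    for resource, access in expected_validations(demo):
        print(resource, access or "(access level not stated)")
```

Running the model over a site's real sign-on and generation paths tells you which PTKTDATA rules must exist before a missing-rule violation shows up in the ACF2 audit trail.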


Additional Information

See the following links for documented details.

Details on - Control Applications that Invoke the R_xxxxxxx Callable Services

Details on PTKRESCK / NOPTKRESCK