Clarity on SAF Calls made for PassTicket use/generation/validation


Article ID: 100247


Updated On:


ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC


The doc suggests there should possibly be THREE SAF calls for each use of a PassTicket by an application:

1. PTKTGEN.applid.userid - to request permission to generate PassTickets
2. IRRPTAUTH.applid.userid - access UPDATE - to allow generation of a PassTicket for this appl/user
3. IRRPTAUTH.applid.userid - access READ - to evaluate the PassTicket

What resource validation calls are used by applications that utilize a PassTicket?


ACF2 Passticket


There are two components at play:
- Generation of the PassTicket and
- Evaluation of the PassTicket.

GENERATION of a PassTicket will have the following resource validations.
  1. If PTKRESCK is set in the GSO OPTS record, there will always be a resource validation for the PTKTGEN resource on a generation request IF THE GENERATION IS DONE ON THE SAME LPAR. If generation occurs off-platform, you will not see the PTKTGEN validation.
  2. Validation of the IRRPTAUTH resource for UPDATE - ONLY if the generation is performed via the R_ticketserv or R_GenSec callable services.

EVALUATION of a PassTicket (at signon time) will NOT cause a validation for IRRPTAUTH with READ access, because ACF2 does not use the callable services at signon time. Applications that use the R_ticketserv or R_GenSec callable services to generate or evaluate a PassTicket will cause validations of resources in the PTKTDATA class:

Operation            Resource Name             Access Required
Generate PassTicket                            UPDATE
Evaluate PassTicket                            READ
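
The rules above, written as a small Python helper that lists the PTKTDATA validations to expect for one PassTicket use and compares them with validations actually observed. This is an added example, not Broadcom or ACF2 code; the function names, the APPL1/USER01 values and the resource-name layout (PTKTGEN.applid.userid, IRRPTAUTH.applid.userid, taken from the question above) are assumptions for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple

class Check(NamedTuple):
    resource: str            # resource name in the PTKTDATA class
    access: Optional[str]    # None: the article states no access level

def expected_checks(operation: str, applid: str, userid: str, *,
                    ptkresck: bool = False,
                    generated_on_lpar: bool = True,
                    via_callable_service: bool = False) -> List[Check]:
    """PTKTDATA validations the article describes for one PassTicket use."""
    if operation not in ("generate", "evaluate"):
        raise ValueError("operation must be 'generate' or 'evaluate'")
    name = f"{applid}.{userid}"
    checks: List[Check] = []
    if operation == "generate":
        if not generated_on_lpar:
            # Off-platform generation: nothing is validated on this LPAR.
            # Assumption: the callable services are only invoked on the LPAR.
            return checks
        if ptkresck:
            # PTKRESCK set in GSO OPTS: PTKTGEN is always validated.
            checks.append(Check(f"PTKTGEN.{name}", None))
        if via_callable_service:
            checks.append(Check(f"IRRPTAUTH.{name}", "UPDATE"))
    elif via_callable_service:
        # Evaluation through R_ticketserv / R_GenSec.
        checks.append(Check(f"IRRPTAUTH.{name}", "READ"))
    # Evaluation at signon adds nothing: ACF2 does not use the callable
    # services there, so no IRRPTAUTH READ validation occurs.
    return checks

def _same(exp: Check, obs: Check) -> bool:
    return exp.resource == obs.resource and exp.access in (None, obs.access)

def compare(expected: List[Check],
            observed: List[Check]) -> Tuple[List[Check], List[Check]]:
    """Return (missing, unexpected) validations."""
    missing = [e for e in expected if not any(_same(e, o) for o in observed)]
    unexpected = [o for o in observed if not any(_same(e, o) for e in expected)]
    return missing, unexpected

if __name__ == "__main__":
    # Constructed scenario: APPL1 generates a PassTicket for USER01 on-LPAR.
    exp = expected_checks("generate", "APPL1", "USER01",
                          ptkresck=True, via_callable_service=True)
    seen = [Check("IRRPTAUTH.APPL1.USER01", "UPDATE")]  # constructed trace
    print(compare(exp, seen))
```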


Additional Information

See the following links for documented details.

Details on: Control Applications that Invoke the R_xxxxxxx Callable Services