Clarity on SAF Calls made to ACF2 for PassTicket use/generation/validation

Article ID: 100247

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

There should possibly be THREE SAF calls to ACF2 for each use of a PassTicket by an application:

  1. PTKGEN.applid.userid to request permission to generate PassTickets
  2. IRRPTAUTH.applid.userid - access UPDATE - to allow generation of PassTicket for this appl/user
  3. IRRPTAUTH.applic.userid - access READ - to evaluate PassTicket

What resource validation calls are used by applications that utilize a PassTicket?

Resolution

There are two components at play:

  • Generation of the PassTicket
  • Evaluation of the PassTicket

GENERATION of a PassTicket will have the following resource validations.

  1. If PTKRESCK is set in the GSO OPTS record, there will always be a resource validation for the PTKTGEN resource on a generation request IF THE GENERATION IS DONE ON THE SAME LPAR. If generation occurs off-platform, you will not see the PTKTGEN validation.
  2. Validation of the IRRPTAUTH resource for UPDATE - ONLY if the generation is performed via the R_ticketserv or R_GenSec callable services.

EVALUATION of a PassTicket (at signon time) will NOT cause a validation for IRRPTAUTH with READ access, because ACF2 does not use the callable services at signon time. Applications that use the R_ticketserv or R_GenSec callable service to generate or evaluate a PassTicket will cause validations of resources in the PTKTDATA class:

Operation            Resource Name                        Access Required
Generate PassTicket  IRRPTAUTH.application.target-userid  UPDATE
Evaluate PassTicket  IRRPTAUTH.application.target-userid  READ
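
The rules above can be written as a decision function that predicts which resource validations to expect for a given scenario and compares them with what a trace shows. This Python model is an added example, not Broadcom or ACF2 code; the function names, flags and the APPL1/USER01 values are constructed, and PTKTGEN is modelled by name only because the article states no access level for it.

```python
from typing import NamedTuple, Optional

class Validation(NamedTuple):
    resource: str
    access: Optional[str]  # None: the article states no access level

def expected_validations(operation, applid, userid, *, ptkresck=False,
                         same_lpar=True, via_callable_service=False):
    """Resource validations the article describes for one PassTicket operation."""
    irrptauth = f"IRRPTAUTH.{applid}.{userid}"
    checks = []
    if operation == "generate":
        # PTKTGEN is validated only when PTKRESCK is set in GSO OPTS and the
        # ticket is generated on this LPAR; off-platform generation shows none.
        if ptkresck and same_lpar:
            checks.append(Validation("PTKTGEN", None))
        # IRRPTAUTH UPDATE only for R_ticketserv / R_GenSec generation.
        if via_callable_service:
            checks.append(Validation(irrptauth, "UPDATE"))
    elif operation == "evaluate":
        # Signon-time evaluation does not use the callable services, so there
        # is no IRRPTAUTH READ validation; callable-service evaluation has one.
        if via_callable_service:
            checks.append(Validation(irrptauth, "READ"))
    else:
        raise ValueError(f"unknown operation: {operation!r}")
    return checks

def diff_against_trace(expected, observed):
    """Return (missing, unexpected) validations versus an observed list."""
    missing = [v for v in expected if v not in observed]
    unexpected = [v for v in observed if v not in expected]
    return missing, unexpected

if __name__ == "__main__":
    # Constructed scenario: APPL1 generates via R_ticketserv with PTKRESCK on,
    # then the target application evaluates the ticket at signon.
    gen = expected_validations("generate", "APPL1", "USER01", ptkresck=True,
                               via_callable_service=True)
    ev = expected_validations("evaluate", "APPL1", "USER01")
    for v in gen + ev:
        print(v.resource, v.access or "(access not stated)")
    # Constructed "observed" list that wrongly assumes a READ check at signon.
    observed = gen + [Validation("IRRPTAUTH.APPL1.USER01", "READ")]
    print(diff_against_trace(gen + ev, observed))
```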

 

Additional Information

See the following links for documented details.

Details on - Control Applications that Invoke the R_xxxxxxx Callable Services

Details on PTKRESCK / NOPTKRESCK can be found in the ACF2 documentation section ACF2 Options Specifications (OPTS).