Does Pass Ticket work in TPX when the user session has ACLUSER coded?
search cancel

Does Pass Ticket work in TPX when the user session has ACLUSER coded?

book

Article ID: 12063

calendar_today

Updated On:

Products

TPX - Session Management Vman Session Management for z/OS

Issue/Introduction

Does Pass Ticket work in TPX when the user's session field ACL Userid has a value specified? (ACLUSER)

ACL Userid specifies the one- to eight-character user ID that the ACLPGM uses as the &USERID parameter for this session. 

ACL Userid can be specified for a session at the user or profile level.

When a passticket user selects a session that has a userid defined in field ACL Userid, the signon is rejected by TPX and not attempted.  This error is written to the TPX LOG:

TPXL0926 ACLUSER FIELD INVALID FOR PASSTICKET : GEN FAILED
      FOR USERID:  <userid>   SESSION:  TSO      ACLUSER:  USERACL

Pass ticket user is successful for sessions with no ACL Userid.

Password user is successful for sessions with or without an ACL Userid defined.

Environment

  • TPX® Session Management for z/OS
  • Vman Session Management for z/OS

Resolution

No, it would be a serious security breach to allow this.

Pass ticket or qualified pass ticket use is not permitted with a different userid than the userid used to sign on to the product under which the session request is being made.

The authorization is impossible to verify. Session setup fails. 

You must either set the Passticket or Qualified Passticket to No or remove the acluser (ACL Userid) in the session definition.