Defining servers to use thread-level security

When the profile BPX.SERVER is defined, there might be two authorization checks:

The first check authorizes the use of the pthread_security_np() service.
The second check authorizes for whom the server can establish a security context. This check establishes the scope of users for whom the server can act as a surrogate. See Defining servers to process users without passwords or password phrases for the steps required to enable servers to act as surrogates for their clients when a password or password phrase is not specified on the pthread_security_np() service.

You can also use the BPX.SERVER profile to set the scope of z/OS resources that the server can access when acting as a surrogate for its clients. There are two levels of authority that can be granted to the server using thread-level security services:

UPDATE access
Lets the server establish a thread-level (task-level) security environment for clients connecting to the server. When the RACF® identity of the server has been granted UPDATE authority to BPX.SERVER in the RACF FACILITY class, the server is capable of acting as a surrogate for the client. This means that the identity of the thread associated with the request from the server's client runs with the z/OS user ID of the server's client. Access control decisions to z/OS resources (such as data sets) and to z/OS UNIX resources (such as UNIX files) which are accessed by the client's thread in the server are made using the RACF identity of the client.
READ access
Lets the server establish a thread-level security environment for the clients that it services. However, the user ID of the server and the user ID of the client must be authorized to the resources which the server will be accessing. A thread-level security context in which both the client's and server's identity is used in the access control decision and a password or password phrase was not supplied by the client is called an unauthenticated client security context.

Depending on the design and implementation of the client/server application, a client might have to supply an authenticator to the server. For example, the client might be prompted to supply a password, password phrase, or a password substitute, such as a RACF PassTicket to the server to prove its identity. If a RACF password, password phrase, or PassTicket is specified as a parameter on the pthread_security_np() service, and the password, password phrase, or PassTicket is valid for the client user ID, even if the server's identity has been granted READ access to the profile BPX.SERVER in the RACF FACILITY class, the task level security environment is only used in access control decisions. That is, only the RACF user ID of the client is used in making access control decisions. This task level security environment created by a server is called an authenticated client security context. Because the client has trusted the server sufficiently to supply a RACF password, password phrase, or PassTicket to the server, the server is granted the capability of acting as a surrogate for that client (user).