z/OS Security Server RACF Callable Services


RACF authorization

SA23-2293-00

For callers not running in system key or supervisor state, the use of R_GenSec is authorized by resources in the FACILITY class: IRR.RTICKETSERV for function code 1 and IRR.GSSERV for function code 2. The application server must be running with a RACF® user or group that has at least READ authority to the resource. If the class is inactive, or the resource is not defined, only servers running in system key or supervisor state may use the R_GenSec service.

For all callers, the use of the R_GenSec PassTicket services (function code 3) is authorized by the resources in the PTKTDATA class that correspond to the application ID and target userid used in the PassTicket operation. The application server must be running with a RACF user or group that has the authority specified in the table below. If the PTKTDATA class is inactive, or the resource is not defined, the request fails because of insufficient authority. All callers, regardless of PSW key or state, must pass this authorization check. Generic profiles can be used for authorization.

Operation             Profile name                           Required access
Generate PassTicket   IRRPTAUTH.application.target-userid    UPDATE
Evaluate PassTicket   IRRPTAUTH.application.target-userid    READ
See z/OS Security Server RACF Security Administrator's Guide for more information about configuring RACF to use PassTicket services.
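The following REXX exec is an added example, not part of this IBM publication, showing how the two authorizations described above might be set up and then verified from TSO. The server user ID APPSRV, the application ID MYAPPL and the use of a generic profile covering all target userids of that application are assumptions for the example; the application's own PTKTDATA key profile is configured separately, as described in the Security Administrator's Guide.

```rexx
/* REXX: define R_GenSec authorizations for an application server.     */
/* Added example with hypothetical IDs (APPSRV, MYAPPL); not IBM code. */
address tso

/* Function codes 1 and 2: FACILITY class resources. Only non-system-  */
/* key, non-supervisor-state callers are subject to this check.        */
"RDEFINE FACILITY IRR.RTICKETSERV UACC(NONE)"
"RDEFINE FACILITY IRR.GSSERV UACC(NONE)"
"PERMIT IRR.RTICKETSERV CLASS(FACILITY) ID(APPSRV) ACCESS(READ)"
"PERMIT IRR.GSSERV CLASS(FACILITY) ID(APPSRV) ACCESS(READ)"
"SETROPTS RACLIST(FACILITY) REFRESH"

/* Function code 3: PTKTDATA class IRRPTAUTH profiles. Every caller,   */
/* whatever its PSW key or state, must pass this check, and an inactive */
/* class or undefined resource means the request fails.                 */
"SETROPTS CLASSACT(PTKTDATA) GENERIC(PTKTDATA)"

/* One generic profile covers all target userids of application MYAPPL. */
/* UPDATE permits both generation and evaluation; READ would permit    */
/* evaluation only, which is the least privilege for a verify-only     */
/* server.                                                             */
"RDEFINE PTKTDATA IRRPTAUTH.MYAPPL.* UACC(NONE)"
"PERMIT IRRPTAUTH.MYAPPL.* CLASS(PTKTDATA) ID(APPSRV) ACCESS(UPDATE)"
"SETROPTS RACLIST(PTKTDATA) REFRESH"

/* Verification: list each profile with its access list so the granted */
/* authority can be reviewed before the server is started.             */
"RLIST FACILITY IRR.RTICKETSERV AUTHUSER"
"RLIST FACILITY IRR.GSSERV AUTHUSER"
"RLIST PTKTDATA IRRPTAUTH.MYAPPL.* AUTHUSER"
exit 0
```

Each quoted line is passed to TSO as a RACF command because the exec's default host environment is set with `address tso`. A server that only evaluates PassTickets should be permitted READ rather than UPDATE on the IRRPTAUTH profile, and because failed evaluations do not revoke the target user, the access list on that profile deserves the same review as a password-checking service would get.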

The PassTicket evaluation function is meant to be used to evaluate PassTickets for users who do not exist in RACF, for example temporary or generated userids. However, it can also be used with RACF-defined users. Failed PassTicket evaluations do not revoke a user as failed password attempts would, so you must take care in granting access to the PassTicket evaluation function.

The PassTicket evaluation service only evaluates that a PassTicket is computationally valid for a given userid and application. It does not actually log the user in to the system or create any kind of z/OS® security context for that user.

To log in a user using a PassTicket, use a standard z/OS function such as __login() or RACROUTE REQUEST=VERIFY.





Copyright IBM Corporation 1990, 2014