z/OS Security Server RACF Callable Services


RACF authorization

SA23-2293-00

For servers not running in system key or supervisor state, the use of R_ticketserv service to manipulate GSS-API context tokens is authorized by the resource IRR.RTICKETSERV in the FACILITY class. The application server must be running with a RACF® user or group that has at least READ authority to this resource. If the class is inactive, or the resource is not defined, only servers running system key or supervisor state may use the R_ticketserv service.

For all callers, the use of R_ticketserv service to use PassTicket services is authorized by resources in the PTKTDATA class which correspond to the application ID and target userid used in the PassTicket operation. The application server must be running with a RACF user or group that has the authority specified in the table below. If the PTKTDATA class is inactive, or the resource is not defined, the request will fail due to insufficient authority. All callers, regardless of PSW key or state, must pass the authorization check. Generic profiles may be used for authorization.
Operation              Profile name                           Required access
Generate PassTicket    IRRPTAUTH.application.target-userid    UPDATE
Evaluate PassTicket    IRRPTAUTH.application.target-userid    READ
See z/OS Security Server RACF Security Administrator's Guide for more information about configuring RACF to use PassTicket services.

The PassTicket evaluation function is intended for evaluating a PassTicket for users who do not exist in RACF, for example temporary or generated userids; however, it can also be used with RACF-defined users. Because evaluation does not revoke a user after repeated failed attempts, care must be taken in granting access to the PassTicket evaluation function.

The PassTicket evaluation service verifies only that a PassTicket is computationally valid for a given userid and application. It does not log the user in to the system or create any kind of z/OS® security context for that user.

To log in a user using a PassTicket, use a standard z/OS function such as __login() or RACROUTE REQUEST=VERIFY.
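The following model, added here as an illustration and not part of IBM's documentation or of RACF itself, encodes the authorization rules above so that a profile layout can be reasoned about before it is deployed: a non-authorized caller needs READ to IRR.RTICKETSERV in FACILITY for GSS-API token functions, every caller needs READ or UPDATE to IRRPTAUTH.application.target-userid in PTKTDATA for evaluate or generate, and an inactive class or missing profile denies the request. The user IDs, group names, application names and profiles are constructed, and the generic-profile matcher (%, * and **) and access-list resolution are simplified approximations of RACF's behaviour, not a reimplementation of it.

```python
"""Model of the R_ticketserv authorization decision described in the text.

Constructed example, not IBM code. User IDs, groups, applications and
profiles are made up; generic matching and access-list resolution are
simplified approximations of RACF's rules.
"""
import re
from dataclasses import dataclass, field

# RACF access levels, lowest to highest
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Access the PTKTDATA profile must grant, per operation (from the table above)
REQUIRED_PTKTDATA_ACCESS = {"GENERATE": "UPDATE", "EVALUATE": "READ"}


@dataclass
class Profile:
    name: str                                    # e.g. "IRRPTAUTH.APP1.TEMP*"
    uacc: str = "NONE"                           # universal access
    permits: dict = field(default_factory=dict)  # user or group ID -> access

    def access_for(self, ids):
        """Highest access listed for any of the caller's IDs, else UACC.
        (Simplified: RACF prefers a user entry over group entries.)"""
        granted = [self.permits[i] for i in ids if i in self.permits]
        return max(granted, key=ACCESS_ORDER.index, default=self.uacc)


def has_access(granted, required):
    return ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(required)


def _generic_regex(profile_name):
    """Translate RACF generic characters: % = one character, * = rest of a
    qualifier, ** = zero or more whole qualifiers (simplified)."""
    pattern = "^"
    for i, qual in enumerate(profile_name.split(".")):
        sep = r"\." if i > 0 else ""
        if qual == "**":
            pattern += rf"(?:{sep}[^.]+(?:\.[^.]+)*)?"
        else:
            pattern += sep + re.escape(qual).replace(r"\*", "[^.]*").replace("%", "[^.]")
    return pattern + "$"


def best_matching_profile(resource, cls):
    """Most specific profile covering the resource, approximated as the match
    with the most non-generic characters; None when nothing covers it."""
    matches = [p for p in cls["profiles"] if re.match(_generic_regex(p.name), resource)]
    return max(matches, key=lambda p: sum(c not in "*%" for c in p.name), default=None)


def authorize(caller, operation, application, target_userid, classes):
    """Return (allowed, reason). caller = {'ids': [...], 'authorized': bool},
    where authorized means system key or supervisor state."""
    if operation == "GSSAPI_TOKEN":
        if caller["authorized"]:
            return True, "authorized caller, FACILITY check not required"
        facility = classes.get("FACILITY", {"active": False, "profiles": []})
        prof = best_matching_profile("IRR.RTICKETSERV", facility)
        if not facility["active"] or prof is None:
            return False, "FACILITY inactive or IRR.RTICKETSERV undefined"
        granted = prof.access_for(caller["ids"])
        if not has_access(granted, "READ"):
            return False, f"{granted} to IRR.RTICKETSERV, READ required"
        return True, f"{granted} to IRR.RTICKETSERV"
    # PassTicket operations: every caller, regardless of PSW key or state
    ptkt = classes.get("PTKTDATA", {"active": False, "profiles": []})
    resource = f"IRRPTAUTH.{application}.{target_userid}"
    prof = best_matching_profile(resource, ptkt)
    if not ptkt["active"] or prof is None:
        return False, f"PTKTDATA inactive or {resource} not covered"
    required = REQUIRED_PTKTDATA_ACCESS[operation]
    granted = prof.access_for(caller["ids"])
    if not has_access(granted, required):
        return False, f"{granted} to {prof.name}, {required} required for {operation}"
    return True, f"{granted} to {prof.name}"


def demo():
    """Constructed scenario: a tightly scoped profile beside an over-broad one."""
    classes = {
        "FACILITY": {"active": True, "profiles": [
            Profile("IRR.RTICKETSERV", permits={"APPSRV1": "READ"})]},
        "PTKTDATA": {"active": True, "profiles": [
            # APPSRV1 may only evaluate tickets for TEMP-prefixed APP1 users
            Profile("IRRPTAUTH.APP1.TEMP*", permits={"APPSRV1": "READ"}),
            # UACC(UPDATE) on a generic lets any caller mint tickets for any APP2 user
            Profile("IRRPTAUTH.APP2.**", uacc="UPDATE"),
        ]},
    }
    appsrv = {"ids": ["APPSRV1", "SRVGRP"], "authorized": False}
    other = {"ids": ["OTHER01", "USERS"], "authorized": False}
    return {
        "evaluate_ok": authorize(appsrv, "EVALUATE", "APP1", "TEMP0042", classes)[0],
        "generate_denied": authorize(appsrv, "GENERATE", "APP1", "TEMP0042", classes)[0],
        "no_profile": authorize(appsrv, "EVALUATE", "APP1", "ADMIN01", classes)[0],
        "uacc_overgrant": authorize(other, "GENERATE", "APP2", "ANYBODY", classes)[0],
        "gss_ok": authorize(appsrv, "GSSAPI_TOKEN", None, None, classes)[0],
        "gss_denied": authorize(other, "GSSAPI_TOKEN", None, None, classes)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:16} {'ALLOW' if allowed else 'DENY'}")
```

The uacc_overgrant case is the one to look for when reviewing PTKTDATA: a generic IRRPTAUTH profile with UACC(UPDATE) gives every caller the right to generate PassTickets for every user of that application, which is why the text advises granting access to these functions sparingly and why UPDATE (generate) should be scoped more tightly than READ (evaluate).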





Copyright IBM Corporation 1990, 2014