z/OS Security Server RACF Security Administrator's Guide


Determining PTKTDATA profile names

SA23-2289-00

A PTKTDATA class profile name can consist of one of the following:
  • An application name only
  • An application name appended (or qualified) by a RACF® connect group name
  • An application name qualified by a RACF user ID
  • An application name qualified by both a RACF connect group name and a RACF user ID.

When the profile name consists of the application name and one or two qualifiers, the qualifiers are separated by a period. When a RACF connect group name and a RACF user ID are used as qualifiers, the group name must be appended to the application name and the user ID must be appended to the group name.

According to this rule, the name structures in the following list can be used as profile names in the PTKTDATA class. Any other name structures will be ignored. In this example, the application name is TSO1234, the user's current connect group name is SYS1, and the user ID is IBMUSER:
  1. An application name concatenated with a RACF group name and user ID: TSO1234.SYS1.IBMUSER
  2. An application name concatenated with a RACF user ID: TSO1234.IBMUSER
  3. An application name concatenated with a RACF group name: TSO1234.SYS1
  4. An application name: TSO1234

When PassTicket generation is done by the RACF secured signon PassTicket generation service, only profiles with name structure 4, the unqualified application name, are used. All other name structures are ignored.

When PassTicket evaluation occurs, multiple profiles can exist that fit the particular application, user, and group specification. When multiple profiles exist, RACF processing is as follows:
  1. Assuming there is at least one qualified profile, RACF selects one qualified profile name according to the precedence shown in the previous list (items 1, 2, and 3).

    The first qualified profile found using this search precedence is selected and RACF evaluates the PassTicket using this key. Any other profiles with qualified names are ignored.

  2. If no qualified name is found, or the evaluation using the key within the qualified profile is not successful because the key is not correct, RACF searches for a profile using only the application name. If such a profile exists, RACF evaluates the PassTicket using the key contained within this profile.
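
The selection rules above can be modeled in a few lines. The following Python sketch is an added example, not IBM code, and it does not call RACF. The function names, the `key_is_correct` callback, and the `SAMPLE` profile set are assumptions made for illustration. It shows which profiles are tried during evaluation, which matching qualified profiles are never tried, and which profile the generation service uses.

```python
# Added illustration: models only the profile-name rules described above.
# It does not call RACF; the profile names in SAMPLE are constructed.

SAMPLE = {"TSO1234", "TSO1234.SYS1", "TSO1234.IBMUSER"}


def qualified_names(app, group, user):
    """Qualified name structures in search precedence (items 1, 2, 3)."""
    return [f"{app}.{group}.{user}", f"{app}.{user}", f"{app}.{group}"]


def evaluation_order(defined, app, group, user):
    """Profiles tried, in order, when a PassTicket is evaluated.

    Only the first qualified profile found is selected. The unqualified
    application profile is the fallback when no qualified profile exists
    or the qualified profile's key is not correct.
    """
    order = [n for n in qualified_names(app, group, user) if n in defined][:1]
    if app in defined:
        order.append(app)
    return order


def ignored_qualified(defined, app, group, user):
    """Matching qualified profiles that are never tried for this user."""
    found = [n for n in qualified_names(app, group, user) if n in defined]
    return found[1:]


def generation_profile(defined, app):
    """The generation service uses only the unqualified application name."""
    return app if app in defined else None


def evaluate(defined, app, group, user, key_is_correct):
    """Return the profile whose key validated the PassTicket, else None.

    key_is_correct is a caller-supplied stand-in for RACF's key check.
    """
    for name in evaluation_order(defined, app, group, user):
        if key_is_correct(name):
            return name
    return None


if __name__ == "__main__":
    print(evaluation_order(SAMPLE, "TSO1234", "SYS1", "IBMUSER"))
    print(ignored_qualified(SAMPLE, "TSO1234", "SYS1", "IBMUSER"))
```

Running `ignored_qualified` over an exported list of PTKTDATA profile names is a quick way to spot qualified profiles whose keys are shadowed by a higher-precedence profile for a given user and group.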

Depending on the application (APPC, CICS®, IMS™, MVS™ batch, TSO, or VM), the secured signon function uses a specific method for determining profile names in the PTKTDATA class. If your application is other than those listed, see Other applications.

Note: Check with your system programmer to see if your installation is using RACF exit ICHRIX01 to modify the application name that RACF uses during user verification processing. If so, the application name used to determine the PTKTDATA class profile name for APPC, CICS, IMS, MVS batch, TSO, or VM applications must match the application name ICHRIX01 selects.

For example, if the ICHRIX01 exit places the character string TSO1234 in the application name position of the exit parameter list, the application name position of the PTKTDATA class profile must also be TSO1234.





Copyright IBM Corporation 1990, 2014