RACF authorization
For callers not running in system key or supervisor state, the use of R_GenSec is authorized by the resource IRR.RTICKETSERV for function code 1 and IRR.GSSERV for function code 2 in the FACILITY class. The application server must be running with a RACF® user or group that has at least READ authority to this resource. If the class is inactive, or the resource is not defined, only servers running with a system key or in supervisor state may use the R_GenSec service.
Operation | Profile name | Required access |
---|---|---|
Generate PassTicket | IRRPTAUTH.application.target-userid | UPDATE |
Evaluate PassTicket | IRRPTAUTH.application.target-userid | READ |
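The following batch job is an added example, not part of this page, of the RACF commands an administrator would run to set up the authorizations described above. It assumes the names APPSRV (the user ID under which the application server runs; here it both generates and evaluates PassTickets), EVALSRV (a second server that only evaluates), MYAPPL (the PassTicket application name) and TEMP1 (the target userid); it also assumes the IRRPTAUTH profiles live in the PTKTDATA class and that the application's own PTKTDATA key profile for MYAPPL already exists.

```jcl
//RACFDEF  JOB (ACCT),'R_GENSEC AUTH',CLASS=A,MSGCLASS=X
//* Assumed names (not from the page): APPSRV, EVALSRV, MYAPPL, TEMP1.
//* Step 1: FACILITY class gates R_GenSec for callers that are not in
//*         system key or supervisor state. Function code 1 (PassTicket)
//*         is checked against IRR.RTICKETSERV, function code 2 (GSS)
//*         against IRR.GSSERV. Define both with UACC(NONE) so that only
//*         explicitly permitted server IDs can call the service.
//* Step 2: PTKTDATA profiles IRRPTAUTH.application.target-userid:
//*         UPDATE is required to generate a PassTicket, READ only to
//*         evaluate one. EVALSRV gets READ (least privilege), APPSRV
//*         gets UPDATE because it also generates PassTickets.
//* Step 3: refresh the RACLISTed classes so the new profiles take effect.
//TSOCMD   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY IRR.RTICKETSERV UACC(NONE)
  RDEFINE FACILITY IRR.GSSERV UACC(NONE)
  PERMIT IRR.RTICKETSERV CLASS(FACILITY) ID(APPSRV) ACCESS(READ)
  PERMIT IRR.RTICKETSERV CLASS(FACILITY) ID(EVALSRV) ACCESS(READ)
  RDEFINE PTKTDATA IRRPTAUTH.MYAPPL.TEMP1 UACC(NONE)
  PERMIT IRRPTAUTH.MYAPPL.TEMP1 CLASS(PTKTDATA) ID(APPSRV) ACCESS(UPDATE)
  PERMIT IRRPTAUTH.MYAPPL.TEMP1 CLASS(PTKTDATA) ID(EVALSRV) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  SETROPTS RACLIST(PTKTDATA) REFRESH
/*
```

If the FACILITY class is inactive or IRR.RTICKETSERV is not defined, the PERMITs have no effect and only servers running in system key or supervisor state can call R_GenSec, so verify with RLIST FACILITY IRR.RTICKETSERV AUTHUSER after the refresh.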
The PassTicket evaluation function is intended for evaluating PassTickets for users who are not defined to RACF, for example temporary or generated userids. However, it can also be used with RACF-defined users. Failed evaluation attempts do not cause a userid to be revoked the way failed password attempts do, so you must take care in granting access to the PassTicket evaluation function.
The PassTicket evaluation service only evaluates that a PassTicket is computationally valid for a given userid and application. It does not actually log the user in to the system or create any kind of z/OS® security context for that user.
To log in a user using a PassTicket, use a standard z/OS function such as __login() or RACROUTE REQUEST=VERIFY.