
Granting authority to generate PassTickets
Access profiles in your external security manager (ESM) determine whether a user has authority to generate PassTickets. The following procedure uses RACF® as an example. Other ESMs, such as CA ACF2 and CA Top Secret, have similar profiles for PassTickets. For details, see the documentation for those products.
The access profile that controls SAF PassTicket generation is in the SAF class PTKTDATA. The format of the access profile is as follows:
IRRPTAUTH.applid.userID
where:
- applid: the VTAM® APPLID of the CICS® region running the CICS Configuration Manager server.
- userID: the ID of the user that is using the CICS Configuration Manager TSO/ISPF dialog or batch utility, and whose password is to be replaced by the generated PassTicket.
To generate the PassTicket, the user must have UPDATE or greater access privilege to the profile. The SCCVSAMP sample member CCVXSAF4 contains various RACF commands to define both the PTKTDATA SAF class and the PassTicket generation profiles.
Optionally, RACF allows you to add the PTKTDATA class as one of the classes for global access checking. This has the advantage that you can write a single general access profile for all users who need to access a CICS Configuration Manager server. In the GLOBAL PTKTDATA access profile, you can set the user ID as the variable &RACUID, which is resolved at run time to the ID of the user making the request, so each user is authorized to generate a PassTicket for their own user ID only. The following examples show RACF statements that include the &RACUID variable.
Example: defining a general access profile for all users
- Add the PTKTDATA class to GLOBAL:
RDEFINE GLOBAL PTKTDATA
- Add a general access profile to PTKTDATA in GLOBAL allowing all users to generate a PassTicket for their own user ID, then refresh the GLOBAL table:
RALTER GLOBAL PTKTDATA +
ADDMEM(IRRPTAUTH.applid.&RACUID/UPDATE)
SETROPTS GLOBAL(PTKTDATA) REFRESH
Example: defining an access profile for a specific user with UPDATE permission
RDEFINE PTKTDATA IRRPTAUTH.applid.userID UACC(NONE)
PERMIT IRRPTAUTH.applid.userID +
CLASS(PTKTDATA) +
ACCESS(UPDATE) +
ID(user1,user2,user3,...)
SETROPTS REFRESH RACLIST(PTKTDATA)
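As an added illustration (not part of this documentation or of RACF itself), the following Python models the access decision described above: a GLOBAL entry containing &RACUID is resolved to the requesting user's ID, so it only ever covers a user's own IRRPTAUTH profile, whereas a discrete profile grants whatever its access list or UACC says. The applid CCVAPPL, the user IDs and the profile contents are constructed; generic (wildcard) profiles and other RACF checking rules are omitted.

```python
# Simplified model of the PTKTDATA check described on this page (added example,
# not RACF code). Discrete profiles only; wildcards and other rules are omitted.

ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

def at_least(granted, required):
    """True if access level `granted` is `required` or higher."""
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(required)

def global_check(requester, resource, global_entries):
    """GLOBAL table lookup. &RACUID is replaced by the requesting user's ID,
    so the entry can only ever match that user's own IRRPTAUTH profile.
    Returns the entry's access level, or None if nothing matches."""
    for pattern, access in global_entries.items():
        if pattern.replace("&RACUID", requester).upper() == resource.upper():
            return access
    return None

def discrete_check(requester, resource, profiles):
    """Discrete profile lookup: the user's access-list entry, else the UACC.
    No profile at all is treated as no authority in this model."""
    profile = profiles.get(resource.upper())
    if profile is None:
        return None
    return profile["acl"].get(requester.upper(), profile["uacc"])

def can_generate_passticket(requester, target_user, applid,
                            global_entries, profiles):
    """Decide whether `requester` may generate a PassTicket for `target_user`.
    The GLOBAL table is consulted first; it can only grant, never deny, so a
    miss there falls through to the discrete profile. UPDATE or higher is
    required, as the text states."""
    resource = f"IRRPTAUTH.{applid}.{target_user}".upper()
    granted = global_check(requester, resource, global_entries)
    if granted is not None and at_least(granted, "UPDATE"):
        return True
    granted = discrete_check(requester, resource, profiles)
    return granted is not None and at_least(granted, "UPDATE")

# Constructed sample data mirroring the two examples above (applid assumed).
GLOBAL_PTKTDATA = {"IRRPTAUTH.CCVAPPL.&RACUID": "UPDATE"}
PTKTDATA_PROFILES = {
    # A batch ID whose PassTickets only USER1 may generate; USER2 has READ only.
    "IRRPTAUTH.CCVAPPL.BATCHID": {
        "uacc": "NONE",
        "acl": {"USER1": "UPDATE", "USER2": "READ"},
    },
}
```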
