The relevant documentation seems to be the section ‘Determining PTKTDATA profile names’ in the RACF security admin guide. This has a list of rules for determining the name for APPC, CICS, IMS, batch jobs, TSO etc. and ends the list with ‘Other applications’. That last paragraph states that if there is no APPL coded you should use the rules for batch jobs. I would be interested to know if that works - if you are able to change the application, the surest way would be to code an APPL on the RACROUTE macro.
Keith

> On 2 Aug 2023, at 21:21, Robert Garrett <[email protected]> wrote:
>
> Something that's been puzzling me:
>
> Imagine an interactive application that requires valid user credentials (ID
> and password) to access, but does NOT require specific authorization to the
> application.
> In other words, the app does a RACROUTE REQUEST=VERIFY to validate
> credentials and create the associated ACEE representing the user, but it does
> NOT provide the APPL= parameter on the request, nor does it perform a
> subsequent REQUEST=AUTH on an APPL resource. In other words, if you've got a
> valid ID/password, you can "log on" to the app - no PERMIT to the app itself
> is required and there's also no corresponding APPL resource for it.
>
> Now, what if I want to be able to generate pass tickets in place of passwords
> to access this app? Doing that requires a PTKTDATA resource whose name
> matches the application to control pass ticket generation, but this
> application doesn't provide a name for itself.
> Possible?
> Just plain not supported?
> Will RACF "assume" an application name (JOB/STC name, VTAM Applid, something
> else) and use that to locate the applicable PTKTDATA resource (and if so,
> what does it use)?
>
> (If it matters, assume enhanced pass ticket via AES key in the ICSF CKDS).
>
> Enquiring minds would really like an authoritative and accurate answer on
> this one...
>
> Thanks,
> Rob
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
