The doc suggests there there should be possibly THREE SAF calls for each use by an application of a PassTicket:
1. PTKGEN.applid.userid to request permission to generate PassTickets
2. IRRPTAUTH.applid.userid - access UPDATE - to allow generation of PassTicket for this appl/user
3. IRRPTAUTH.applic.userid - access READ - to evaluate PassTicket
What resource validation call are used by applications that utilize a PassTicket?