Does Pass Ticket work in CA TPX when the user's session field ACL Userid has a value specified? (ACLUSER)

Document ID : KB000012063
Last Modified Date : 14/02/2018
Introduction:

ACL Userid specifies the one- to eight-character user ID that the ACLPGM uses as the &USERID parameter for this session. 

ACL Userid can be specified for a session at the user or profile level.

When a PassTicket user selects a session that has a user ID defined in the ACL Userid field, TPX rejects the signon and does not attempt it. This error is written to the TPX LOG:

TPXL0926 10/26/16.300 04:51:44.39 ACLUSER FIELD INVALID FOR PASSTICKET : GEN FAILED

        FOR USERID:  USER001   SESSION:  TSO      ACLUSER:  USERACL

A PassTicket user signs on successfully to sessions with no ACL Userid.

A password user signs on successfully to sessions with or without an ACL Userid defined.

Question:

Does Pass Ticket work in CA TPX when the user session has ACLUSER coded?

Answer:

No, it would be a serious security breach to allow this.

PassTicket or qualified PassTicket use is not permitted with a user ID different from the user ID used to sign on to the product under which the session request is being made.

The authorization is impossible to verify, so session setup fails.

You must either set Passticket or Qualified Passticket to No, or remove the ACL Userid (ACLUSER) from the session definition.
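
To find which session definitions need one of these two changes, the TPXL0926 messages in the TPX LOG can be grouped by session. The following is an added example, not CA code: it assumes the log has been exported as plain text in the two-line layout shown above, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a TPX LOG exported as text. Values are made up; the
# layout follows the TPXL0926 message in this article. XXXX0000 is a placeholder.
SAMPLE_LOG = """\
TPXL0926 10/26/16.300 04:51:44.39 ACLUSER FIELD INVALID FOR PASSTICKET : GEN FAILED

        FOR USERID:  USER001   SESSION:  TSO      ACLUSER:  USERACL
TPXL0926 10/26/16.300 05:02:10.12 ACLUSER FIELD INVALID FOR PASSTICKET : GEN FAILED
        FOR USERID:  USER002   SESSION:  TSO      ACLUSER:  USERACL
XXXX0000 10/26/16.300 05:02:30.00 UNRELATED MESSAGE (constructed placeholder)
TPXL0926 10/26/16.300 05:03:00.00 ACLUSER FIELD INVALID FOR PASSTICKET : GEN FAILED
        FOR USERID:  USER001   SESSION:  CICSA    ACLUSER:  CICSUSR
"""

HEADER = re.compile(
    r"^TPXL0926\s+(?P<date>\S+)\s+(?P<time>\S+)\s+ACLUSER FIELD INVALID FOR PASSTICKET")
DETAIL = re.compile(
    r"FOR USERID:\s*(?P<userid>\S+)\s+SESSION:\s*(?P<session>\S+)\s+ACLUSER:\s*(?P<acluser>\S+)")

def parse_rejections(text):
    """Return one dict per TPXL0926 rejection, pairing header and detail line."""
    events, pending = [], None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            pending = header.groupdict()  # an earlier unpaired header is dropped
            continue
        detail = DETAIL.search(line)
        if detail and pending is not None:
            events.append({**pending, **detail.groupdict()})
            pending = None
        elif line.strip() and not detail:
            pending = None  # another message intervened; do not pair across it
    return events

def sessions_to_fix(events):
    """Map (session, acluser) -> sorted PassTicket user IDs rejected there."""
    hits = defaultdict(set)
    for e in events:
        hits[(e["session"], e["acluser"])].add(e["userid"])
    return {key: sorted(users) for key, users in hits.items()}

if __name__ == "__main__":
    found = sessions_to_fix(parse_rejections(SAMPLE_LOG))
    for (session, acluser), users in sorted(found.items()):
        print(f"session {session} (ACL Userid {acluser}): rejected {users}")
```

Each key in the result is a session whose definition carries an ACL Userid while at least one user signs on with a PassTicket.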