RACFJWT Class Profiles - Call-Level Interface Version 2

Teradata® Call-Level Interface Version 2 Reference for Workstation-Attached Systems - 20.00

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, Lake, VMware
Product: Call-Level Interface Version 2
Release Number: 20.00
Published: January 2024
Last edition: 2024-11-15
Product Category: Teradata Tools and Utilities

RACFJWT Facility Class profiles are checked when the submitter Userid and JWT Userid are not identical. When the submitter Userid and JWT Userid are identical, the RACFJWT Facility Class profile checks are bypassed, and the process continues to PassTicket authorization.

RACF Class: FACILITY

“Generic” Resource Profile: TERADATA.TTU.RACFJWT.*

Submitter Userid

When the Generic Resource Profile is defined, the Discrete Resource Profile is checked next. If the Generic profile is not defined, the PTKTDATA Class is checked.

  • RDEFINE FACILITY TERADATA.TTU.RACFJWT UACC(READ)
RACF messages will not be issued with the UACC(READ) setting.

“Discrete” Resource Profile: TERADATA.TTU.RACFJWT.<JWTUSER>

JWT Userid

For Identity Token (JWT) generation, the Discrete Resource Profile is checked for JWT Userid Authorization. At this point, if the Discrete Profile is non-existent or the JWT Userid is not authorized, a JWT failure occurs.

  • RDEFINE FACILITY TERADATA.TTU.RACFJWT.<JWT Userid> UACC(NONE)
  • PERMIT TERADATA.TTU.RACFJWT.<JWT Userid> CLASS(FACILITY) ID(<Group>|<User>) ACC(READ)
Create a profile for every Teradata user needing an Identity Token (JWT).

RACF Class: PTKTDATA

“Generic” Resource Profile: IRRPTAUTH.RACFJWT. *

JWT Userid

Grant permission to any JWT Userid to generate a “one-time” PassTicket, used in lieu of a password for z/OS logons.

  • RDEFINE PTKTDATA IRRPTAUTH.RACFJWT.* UACC(NONE)
  • PERMIT IRRPTAUTH.RACFJWT.* CLASS(PTKTDATA) ID(<Group>|<User>) ACC(UPDATE)
Grant permissions to all MVS and Teradata users involved in JWT logons.
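
The commands on this page, run as one batch TSO job for a single JWT user and followed by the refresh and listing steps an administrator would use to confirm the result. This is an added example, not Teradata's own: the job card, the JWT userid TDUSR01 and the group TDJWTGRP are constructed, and it assumes the FACILITY and PTKTDATA classes are active and RACLISTed, with generic profile checking enabled for PTKTDATA.

```jcl
//RACFJWT  JOB (ACCT),'JWT PROFILES',CLASS=A,MSGCLASS=X
//*
//* Constructed values (replace with your site's own):
//*   TDUSR01  = JWT Userid that needs an Identity Token
//*   TDJWTGRP = group holding the IDs your site authorizes
//*
//* Step order in SYSTSIN:
//*   1. FACILITY profile from this page, UACC(READ)
//*   2. Discrete FACILITY profile for TDUSR01, UACC(NONE),
//*      READ granted to TDJWTGRP only
//*   3. PTKTDATA generic profile, UACC(NONE),
//*      UPDATE granted to TDJWTGRP only
//*   4. Refresh the in-storage profiles so the changes apply
//*   5. List both access lists and compare against intent:
//*      no entry beyond TDJWTGRP should appear
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY TERADATA.TTU.RACFJWT UACC(READ)
  RDEFINE FACILITY TERADATA.TTU.RACFJWT.TDUSR01 UACC(NONE)
  PERMIT TERADATA.TTU.RACFJWT.TDUSR01 CLASS(FACILITY) -
         ID(TDJWTGRP) ACCESS(READ)
  RDEFINE PTKTDATA IRRPTAUTH.RACFJWT.* UACC(NONE)
  PERMIT IRRPTAUTH.RACFJWT.* CLASS(PTKTDATA) -
         ID(TDJWTGRP) ACCESS(UPDATE)
  SETROPTS RACLIST(FACILITY) REFRESH
  SETROPTS RACLIST(PTKTDATA) REFRESH
  RLIST FACILITY TERADATA.TTU.RACFJWT.TDUSR01 AUTHUSER
  RLIST PTKTDATA IRRPTAUTH.RACFJWT.* AUTHUSER
/*
```

In the RLIST output, check that the discrete FACILITY profile and the PTKTDATA profile both show a universal access of NONE, since a broader UACC would let IDs outside the access list pass the check.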
