Strong Access Control File

To prevent an ordinary user from gaining root access through IBM® Connect:Direct®, a strong access control file called sysacl.cfg is created at installation in the d_dir/ndm/SACL/ directory. By default, an ordinary user cannot obtain root access through Connect:Direct for UNIX. If you want to give an ordinary user root access through Connect:Direct for UNIX, you may need to access and update the sysacl.cfg file.

Note: The sysacl.cfg file must exist. If the file is deleted or corrupted, all users are denied access to Connect:Direct for UNIX.

The file layout of the sysacl.cfg file is identical to the user portion of the userfile.cfg file. Setting a value in the sysacl.cfg file for a user overrides the value for that user in the userfile.cfg file.

If root is defined as a local user in userfile.cfg, then the root:deny.access parameter, which is specified in the sysacl.cfg file, further allows, denies, or limits root access to IBM Connect:Direct. This parameter is required, even if root is not defined as a local user in userfile.cfg. The following values can be specified for the root:deny.access parameter:

Parameter     Description                                              Value
deny.access   Allows, denies, or limits root access to IBM             y | n | d
              Connect:Direct

  y   No Processes can acquire root authority
  n   PNODE Processes can acquire root authority, but SNODE Processes cannot. This is the default value.
  d   Any Process can acquire root authority

For example, given a userfile.cfg with the following entries:

remoteUser@remoteNode:\
:local.id=root:

root:\
:admin.auth=Y:

and sysacl.cfg with:

root:\
:deny.access={x, where x is as described below}:

  • Incoming process submitted by remoteUser@remoteNode
    • n, connection denied due to security failure
    • y, connection denied due to security failure
    • d, connection allowed to proceed
  • Outgoing process submitted on the local node by root
    • n, connection allowed to proceed
    • y, connection denied due to security failure
    • d, connection allowed to proceed
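The following is an added example, not IBM's code: it models the userfile.cfg / sysacl.cfg precedence and the root:deny.access decision table from the scenario above, so an administrator can check what a given setting permits. Only the root case is modelled, the parser mirrors the layout shown above, and the sample file contents (sysacl_for, USERFILE_CFG) are constructed here.

```python
# Added example (not IBM's code): models the root:deny.access outcomes above.
# Only root access is modelled; sample file contents are constructed inline.

USERFILE_CFG = """\
remoteUser@remoteNode:\\
:local.id=root:

root:\\
:admin.auth=Y:
"""

def sysacl_for(value):
    """Constructed sysacl.cfg giving root the deny.access value y, n or d."""
    return "root:\\\n:deny.access=%s:\n" % value

def parse_cfg(text):
    """Parse the layout shown above: 'name:\\' then ':key=value:' lines."""
    entries, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(":") and current is not None:
            key, _, value = line.strip(":").partition("=")
            entries[current][key] = value
        else:
            current = line.rstrip("\\").rstrip(":")
            entries.setdefault(current, {})
    return entries

def root_allowed(deny_access, incoming):
    """y: no Process; n: PNODE (outgoing) only, the default; d: any Process."""
    table = {"y": False, "d": True, "n": not incoming}
    if deny_access not in table:
        raise ValueError("invalid deny.access value: %r" % deny_access)
    return table[deny_access]

def session_allowed(sysacl_text, userfile_text, submitter, incoming):
    """True if a Process that would run as root may proceed, else False."""
    if sysacl_text is None:          # file deleted or corrupted: everyone is denied
        return False
    userfile, sysacl = parse_cfg(userfile_text), parse_cfg(sysacl_text)
    record = userfile.get(submitter)
    if record is None or record.get("local.id", submitter) != "root":
        return False                 # unknown user, or not mapped to root: not modelled
    root = dict(userfile.get("root", {}))
    root.update(sysacl.get("root", {}))   # sysacl.cfg value overrides userfile.cfg
    return root_allowed(root.get("deny.access", "n"), incoming)
```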

If a user is denied access because the user:deny.access parameter is defined in the sysacl.cfg file for that user, a message is logged and the session is terminated. If a user is running under a limited ID, an informational message is logged.