Strong Access Control File

To prevent an ordinary user from gaining root access through IBM® Connect:Direct®, a strong access control file called sysacl.cfg is created at installation in the d_dir/ndm/SACL/ directory. By default, an ordinary user cannot gain root access through Connect:Direct for UNIX. If you want to give an ordinary user root access through Connect:Direct for UNIX, you must open and update the sysacl.cfg file.

Note: Even if you do not want to limit root access through Connect:Direct for UNIX, the sysacl.cfg file must exist. If the file is deleted or corrupted, all users are denied access to Connect:Direct for UNIX.

The file layout of the sysacl.cfg file is identical to the user portion of the userfile.cfg file. Setting a value in the sysacl.cfg file for a user overrides the value for that user in the userfile.cfg file.

The root:deny.access parameter, which is specified in the sysacl.cfg file, allows, denies, or limits root access to IBM Connect:Direct. This parameter is required. The following values can be specified for the root:deny.access parameter:

Parameter     Description                                                   Value
deny.access   Allows, denies, or limits root access to IBM Connect:Direct   y | n | d

    y—No Processes can acquire root authority.
    n—PNODE Processes can acquire root authority, but SNODE Processes cannot. This is the default value.
    d—Any Process can acquire root authority.

If a user is denied access because the root:deny.access parameter is defined in the sysacl.cfg file for that user, a message is logged, and the session is terminated. If a user is running a limited ID, an informational message is logged.
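The following POSIX shell script is an added example for this page, not IBM code. It shows how an administrator can confirm that sysacl.cfg is present (the page states that a missing or corrupted file locks every user out) and read back the root:deny.access value before changing it. The record layout it parses (a "userid:" header line followed by backslash-continued ":key=value:" lines, the userfile.cfg style the page says sysacl.cfg shares) is an assumption; verify it against your own file. The sample file content is constructed for the demonstration, and the real path is d_dir/ndm/SACL/sysacl.cfg with d_dir replaced by your installation directory.

```shell
#!/bin/sh
# Added example (not IBM's code): inspect a Connect:Direct for UNIX sysacl.cfg
# and report the root:deny.access setting. The record layout assumed here
# (user header line, then backslash-continued ":key=value:" lines) is the
# userfile.cfg style the page describes; check it against your file.

# Write a constructed sample sysacl.cfg to the given path (demo data only).
make_sample_sysacl() {
    cat > "$1" <<'EOF'
root:\
    :deny.access=n:
EOF
}

# Print the deny.access value recorded for a user (default "root").
# Returns 2 if the file is missing or unreadable (the page: every user is
# then denied access), 3 if the user record or the parameter is absent.
sysacl_deny_access() {
    file=$1
    user=${2:-root}
    [ -r "$file" ] || return 2
    # awk: enter the record at the "user:" header, scan its continuation
    # lines for deny.access=<value>, and leave the record at the first line
    # that does not end in a backslash.
    val=$(awk -v u="$user" '
        $0 ~ "^" u ":" { inrec = 1 }
        inrec && match($0, /deny\.access=[a-z]/) {
            print substr($0, RSTART + 12, 1); exit
        }
        inrec && $0 !~ /\\[ \t]*$/ { inrec = 0 }
    ' "$file")
    [ -n "$val" ] || return 3
    printf '%s\n' "$val"
}

# Translate a deny.access value into the meaning the page gives it.
describe_deny_access() {
    case $1 in
        y) echo "no Process can acquire root authority" ;;
        n) echo "PNODE Processes may acquire root authority, SNODE Processes may not (default)" ;;
        d) echo "any Process can acquire root authority" ;;
        *) echo "unrecognized value: $1"; return 1 ;;
    esac
}

# Full check: report the setting, or explain why access would be denied.
check_sysacl() {
    v=$(sysacl_deny_access "$1")
    case $? in
        0) echo "root:deny.access=$v: $(describe_deny_access "$v")" ;;
        2) echo "WARNING: $1 missing or unreadable; all users are denied access"; return 2 ;;
        3) echo "WARNING: no root:deny.access record found in $1"; return 3 ;;
    esac
}

# Stand-alone demonstration on the constructed sample.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_sysacl "$tmp"
    check_sysacl "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh check_sysacl.sh demo` to see the sample parsed, or call `check_sysacl /path/to/d_dir/ndm/SACL/sysacl.cfg` from another script. Because the page states that a value in sysacl.cfg overrides the same user's entry in userfile.cfg, this file is the one to read when auditing effective root authority.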