Strong Access Control File
To provide a method of preventing an ordinary user from gaining root access through IBM® Connect:Direct®, a strong access control file called sysacl.cfg is created at installation in the d_dir/ndm/SACL/ directory. By default, an ordinary user cannot access the root through Connect:Direct for UNIX. If you want to give an ordinary root user access through Connect:Direct for UNIX, you must access and update the sysacl.cfg file.
The file layout of the sysacl.cfg file is identical to the user portion of the userfile.cfg file. Setting a value in the sysacl.cfg file for a user overrides the value for that user in the userfile.cfg file.
The root:deny.access parameter, which is specified in the sysacl.cfg file, allows, denies, or limits root access to IBM Connect:Direct. This parameter is required. The following values can be specified for the root:deny.access parameter:
|deny.access||Allows, denies, or limits root access to IBM Connect:Direct||y | n | d
y—No Processes can acquire root authority
n—PNODE Processes can acquire root authority, but SNODE Processes can not. This is the default value.
d—Any Process can acquire root authority
If a user is denied access because the root:deny.access parameter is defined in the sysacl.cfg file for that user, a message is logged, and the session is terminated. If a user is running a limited ID, an informational message is logged.