Strong Access Control File
To prevent an ordinary user from gaining root access through IBM® Connect:Direct®, a strong access control file called sysacl.cfg is created at installation in the d_dir/ndm/SACL/ directory. By default, an ordinary user cannot gain root access through Connect:Direct for UNIX. To give an ordinary user root access through Connect:Direct for UNIX, you must update the sysacl.cfg file.
The file layout of the sysacl.cfg file is identical to the user portion of the userfile.cfg file. Setting a value in the sysacl.cfg file for a user overrides the value for that user in the userfile.cfg file.
The root:deny.access parameter, which is specified in the sysacl.cfg file, allows, denies, or limits root access to IBM Connect:Direct. This parameter is required. The following values can be specified for the root:deny.access parameter:
Parameter | Description | Value |
---|---|---|
deny.access | Allows, denies, or limits root access to IBM Connect:Direct | y \| n \| d. y: No Processes can acquire root authority. n: PNODE Processes can acquire root authority, but SNODE Processes cannot. This is the default value. d: Any Process can acquire root authority. |
If a user is denied access because the root:deny.access parameter is defined in the sysacl.cfg file for that user, a message is logged, and the session is terminated. If a user is running a limited ID, an informational message is logged.
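The following added example, which is not part of IBM's documentation or product code, checks the required root:deny.access parameter and computes a user's effective settings after sysacl.cfg overrides userfile.cfg. It assumes the colon-delimited record layout shown in the constructed samples; the function names and sample values are hypothetical.

```python
import re

# Constructed samples; the layout (name:\ then :param=value: fields) is assumed.
SAMPLE_USERFILE = """\
root:\\
 :admin.auth=y:\\
 :pstmt.runtask=y:
"""
SAMPLE_SYSACL = """\
root:\\
 :deny.access=n:\\
 :pstmt.runtask=n:
"""
MEANING = {
    "y": "no Processes can acquire root authority",
    "n": "PNODE Processes can acquire root authority, SNODE Processes cannot",
    "d": "any Process can acquire root authority",
}

def parse_records(text):
    """Parse records into {name: {param: value}}."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", "", text)  # fold continuation lines
    records = {}
    for line in joined.splitlines():
        name, sep, rest = line.strip().partition(":")
        if not sep or name.startswith("#"):
            continue  # blank line, comment, or not a record
        fields = (f.split("=", 1) for f in rest.split(":") if "=" in f)
        records[name.strip()] = {k.strip(): v.strip() for k, v in fields}
    return records

def effective_settings(userfile_text, sysacl_text, user):
    """A value set in sysacl.cfg overrides that user's value in userfile.cfg."""
    merged = dict(parse_records(userfile_text).get(user, {}))
    merged.update(parse_records(sysacl_text).get(user, {}))
    return merged

def audit_root_access(sysacl_text):
    """Return (severity, message) for root:deny.access; 'd' is a warning."""
    value = parse_records(sysacl_text).get("root", {}).get("deny.access")
    if value is None:
        return ("error", "root:deny.access is required but missing")
    if value not in MEANING:
        return ("error", f"root:deny.access has invalid value {value!r}")
    return ("warning" if value == "d" else "ok",
            f"root:deny.access={value}: {MEANING[value]}")

if __name__ == "__main__":
    print(audit_root_access(SAMPLE_SYSACL))
    print(effective_settings(SAMPLE_USERFILE, SAMPLE_SYSACL, "root"))
```

Point the two text arguments at the contents of the real files to audit an installation; the check only reads the files and changes nothing.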