Universal Command Server for IBM i - UACL
Overview
Universal Command Server uses the Universal Access Control List (UACL) file as an extra layer of security. The UACL file contains Universal Command Server entries that contain Access Control List (ACL) rules that permit or deny access to the Server.
See Universal Access Control List for details on the Universal Access Control List feature.
UACL Entries
The syntax of a UACL entry file is the same as that of the Universal Command configuration file.
The following table identifies all Universal Command for IBM i UACL entries. Each UACL Entry Name is a link to detailed information about that entry.
UACL Entry Name | Description |
---|---|
ucmd_access | Allows or denies access to Universal Command Server services |
ucmd_request | Allows or denies access to Universal Command Server services based on client identification and request type |
UACL Entry Precedence
Deny or Allow Access
The ucmd_access rules are searched first for an entry that matches the client request. If a ucmd_access entry is found and the rule denies access to the Manager, the search stops and the Manager request is denied.
- If no ucmd_access entry is found or a ucmd_access rule allows access, the ucmd_request entries are searched. If a ucmd_request entry is found, its rule determines whether the Manager request is denied or allowed.
- If no rules are found, the Manager request is allowed.
Authenticate or No Authenticate Access
The ucmd_access entries are searched followed by the ucmd_request entries.
- If a ucmd_request entry is found, it sets the authentication requirement.
- If no ucmd_request entry is found and a ucmd_access entry is found, the ucmd_access rule sets the authentication requirement.
- If no rules are found, the Manager request requires authentication.
The following table identifies the UACL entry precedence rules described above.
ucmd_access Allow/Deny | ucmd_access Auth/Noauth | ucmd_request Allow/Deny | ucmd_request Auth/Noauth | Result |
---|---|---|---|---|
NO-MATCH | NO-MATCH | NO-MATCH | NO-MATCH | ALLOW, AUTH |
DENY | n/a | n/a | n/a | DENY |
ALLOW | AUTH | NO-MATCH | NO-MATCH | ALLOW, AUTH |
ALLOW | AUTH | ALLOW | AUTH | ALLOW, AUTH |
ALLOW | AUTH | ALLOW | NOAUTH | ALLOW, NOAUTH |
ALLOW | AUTH | DENY | n/a | DENY |
ALLOW | NOAUTH | NO-MATCH | NO-MATCH | ALLOW, NOAUTH |
ALLOW | NOAUTH | ALLOW | AUTH | ALLOW, AUTH |
ALLOW | NOAUTH | ALLOW | NOAUTH | ALLOW, NOAUTH |
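The precedence rules above, modelled as an added Python example that is not part of the product or its documentation. It reproduces the nine table rows and also covers the case the table omits, a ucmd_request match with no ucmd_access match. The names `resolve`, `downgrades_auth`, `TABLE` and `table_mismatches` are hypothetical, and rule matching itself is assumed to have happened already.

```python
from typing import Optional, Tuple

# A matched rule is (decision, auth); None models NO-MATCH.
Rule = Optional[Tuple[str, Optional[str]]]

def resolve(access: Rule, request: Rule) -> Tuple[str, Optional[str]]:
    """Apply the page's precedence rules to one Manager request."""
    # Deny/allow: a matching ucmd_access deny stops the search.
    if access is not None and access[0] == "DENY":
        return ("DENY", None)
    # Otherwise a matching ucmd_request rule decides allow or deny.
    if request is not None and request[0] == "DENY":
        return ("DENY", None)
    # Authentication: ucmd_request first, then ucmd_access, else AUTH.
    if request is not None:
        return ("ALLOW", request[1])
    if access is not None:
        return ("ALLOW", access[1])
    return ("ALLOW", "AUTH")

def downgrades_auth(access: Rule, request: Rule) -> bool:
    """True when a ucmd_request NOAUTH overrides a ucmd_access AUTH."""
    return (access is not None and access[1] == "AUTH"
            and resolve(access, request) == ("ALLOW", "NOAUTH"))

A, D = "ALLOW", "DENY"
# The nine rows of the precedence table: (ucmd_access, ucmd_request, result).
TABLE = [
    (None,          None,          (A, "AUTH")),
    ((D, None),     None,          (D, None)),
    ((A, "AUTH"),   None,          (A, "AUTH")),
    ((A, "AUTH"),   (A, "AUTH"),   (A, "AUTH")),
    ((A, "AUTH"),   (A, "NOAUTH"), (A, "NOAUTH")),
    ((A, "AUTH"),   (D, None),     (D, None)),
    ((A, "NOAUTH"), None,          (A, "NOAUTH")),
    ((A, "NOAUTH"), (A, "AUTH"),   (A, "AUTH")),
    ((A, "NOAUTH"), (A, "NOAUTH"), (A, "NOAUTH")),
]

def table_mismatches():
    """Rows of TABLE that resolve() does not reproduce (expected: none)."""
    return [row for row in TABLE if resolve(row[0], row[1]) != row[2]]

if __name__ == "__main__":
    for access, request, expected in TABLE:
        flag = "  <- auth requirement relaxed" if downgrades_auth(access, request) else ""
        print(access, request, "->", resolve(access, request), flag)
```

The flagged row is the one to look for when reviewing a UACL file: a ucmd_request NOAUTH rule removes the authentication requirement that a ucmd_access AUTH rule set.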