Universal Command Server for z/OS - UACL

Overview

Universal Command Server uses the Universal Access Control List (UACL) file as an extra layer of security. The UACL file contains Universal Command Server entries that contain Access Control List (ACL) rules that permit or deny access to the Server.

See Universal Access Control List for details on the Universal Access Control List feature.

UACL Entries

The syntax of a UACL entry file is the same as the Universal Command configuration file.

The following table identifies all Universal Command Server for z/OS UACL entries. Each UACL Entry is a link to detailed information about that option.

| UACL Entry Name | Description |
|---|---|
| UCMD_ACCESS | Allows or denies access to Universal Command Server services |
| UCMD_REQUEST | Allows or denies access to Universal Command Server services based on client identification and request type |

UACL Entry Precedence

Deny or Allow Access

The UCMD_ACCESS rules are searched first for an entry that matches the client request. If a UCMD_ACCESS entry is found and the rule denies access to the UCMD Manager, the search stops and the UCMD Manager request is denied.

If a UCMD_ACCESS entry is not found or a UCMD_ACCESS rule allows access, the UCMD_REQUEST entries are searched. If a UCMD_REQUEST entry is found, its rule determines whether the UCMD Manager request is denied or allowed.

If no rules are found, the UCMD Manager request is allowed.

Authenticate or No Authenticate Access

The UCMD_ACCESS entries are searched followed by the UCMD_REQUEST entries.

  • If a UCMD_REQUEST entry is found, it sets the authentication requirement.
  • If a UCMD_REQUEST entry is not found and a UCMD_ACCESS entry is found, the UCMD_ACCESS rule sets the authentication requirement.
  • If no rules are found, the UCMD Manager request requires authentication.


The following table identifies the UACL entry precedence rules described above.
 

| ucmd_access Allow/Deny | ucmd_access Auth/Noauth | ucmd_request Allow/Deny | ucmd_request Auth/Noauth | Result |
|---|---|---|---|---|
| NO-MATCH | NO-MATCH | NO-MATCH | NO-MATCH | ALLOW, AUTH |
| DENY | n/a | n/a | n/a | DENY |
| ALLOW | AUTH | NO-MATCH | NO-MATCH | ALLOW, AUTH |
| ALLOW | AUTH | ALLOW | AUTH | ALLOW, AUTH |
| ALLOW | AUTH | ALLOW | NOAUTH | ALLOW, NOAUTH |
| ALLOW | AUTH | DENY | n/a | DENY |
| ALLOW | NOAUTH | NO-MATCH | NO-MATCH | ALLOW, NOAUTH |
| ALLOW | NOAUTH | ALLOW | AUTH | ALLOW, AUTH |
| ALLOW | NOAUTH | ALLOW | NOAUTH | ALLOW, NOAUTH |
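
The precedence rules above, worked through as an added Python example that is not part of the product or its documentation. It assumes each entry type has already been reduced to its first matching rule (how entries match a client request is not modelled); `Rule`, `evaluate`, `review` and `mismatches` are hypothetical names, and combinations missing from the table follow the prose rules.

```python
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    """First matching entry of one UACL type, reduced to its two verdicts."""
    allow: bool  # True = ALLOW, False = DENY
    auth: bool   # True = AUTH, False = NOAUTH (not consulted when the rule denies)

def evaluate(access: Optional[Rule], request: Optional[Rule]) -> str:
    """Combine the matched UCMD_ACCESS and UCMD_REQUEST rules; None means NO-MATCH."""
    # A UCMD_ACCESS deny stops the search; otherwise a UCMD_REQUEST deny decides.
    if access is not None and not access.allow:
        return "DENY"
    if request is not None and not request.allow:
        return "DENY"
    # Authentication: UCMD_REQUEST first, then UCMD_ACCESS, then the default (AUTH).
    source = request if request is not None else access
    need_auth = True if source is None else source.auth
    return "ALLOW, AUTH" if need_auth else "ALLOW, NOAUTH"

def review(access: Optional[Rule], request: Optional[Rule]) -> List[str]:
    """Flag outcomes worth a second look when auditing a UACL file."""
    result, notes = evaluate(access, request), []
    if access is None and request is None:
        notes.append("no entry matched: request is allowed by default")
    if result == "ALLOW, NOAUTH":
        notes.append("request is allowed without authentication")
    return notes

A_AUTH, A_NOAUTH, DENY = Rule(True, True), Rule(True, False), Rule(False, True)

# The nine rows of the precedence table: (ucmd_access, ucmd_request, result).
# An "n/a" ucmd_request column is written as None because it is never searched.
TABLE = [
    (None, None, "ALLOW, AUTH"),
    (DENY, None, "DENY"),
    (A_AUTH, None, "ALLOW, AUTH"),
    (A_AUTH, A_AUTH, "ALLOW, AUTH"),
    (A_AUTH, A_NOAUTH, "ALLOW, NOAUTH"),
    (A_AUTH, DENY, "DENY"),
    (A_NOAUTH, None, "ALLOW, NOAUTH"),
    (A_NOAUTH, A_AUTH, "ALLOW, AUTH"),
    (A_NOAUTH, A_NOAUTH, "ALLOW, NOAUTH"),
]

def mismatches() -> list:
    """Rows where evaluate() disagrees with the table (expected: none)."""
    return [row for row in TABLE if evaluate(row[0], row[1]) != row[2]]

if __name__ == "__main__":
    for acc, req, expected in TABLE:
        print(acc, req, "->", evaluate(acc, req), review(acc, req))
```
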