Universal Command Server for z/OS - UACL
Overview
Universal Command Server uses the Universal Access Control List (UACL) file as an extra layer of security. The UACL file contains Universal Command Server entries, each holding Access Control List (ACL) rules that permit or deny access to the Server.
See Universal Access Control List for details on the Universal Access Control List feature.
UACL Entries
The syntax of a UACL entry file is the same as that of the Universal Command configuration file.
The following table identifies all Universal Command Server for z/OS UACL entries. Each UACL Entry is a link to detailed information about that option.
UACL Entry Name | Description |
---|---|
UCMD_ACCESS | Allows or denies access to Universal Command Server services |
UCMD_REQUEST | Allows or denies access to Universal Command Server services based on client identification and request type |
UACL Entry Precedence
Deny or Allow Access
The UCMD_ACCESS rules are searched first for an entry that matches the client request. If a UCMD_ACCESS entry is found and the rule denies access to the UCMD Manager, the search stops and the UCMD Manager request is denied.
If a UCMD_ACCESS entry is not found or a UCMD_ACCESS rule allows access, the UCMD_REQUEST entries are searched. If a UCMD_REQUEST entry is found, its rule determines whether the UCMD Manager request is denied or allowed.
If no rules are found, the UCMD Manager request is allowed.
Authenticate or No Authenticate Access
The UCMD_ACCESS entries are searched first, followed by the UCMD_REQUEST entries.
- If a UCMD_REQUEST entry is found, it sets the authentication requirement.
- If a UCMD_REQUEST entry is not found and a UCMD_ACCESS entry is found, the UCMD_ACCESS rule sets the authentication requirement.
- If no rules are found, the UCMD Manager request requires authentication.
The following table identifies the UACL entry precedence rules described above.
ucmd_access Allow/Deny | ucmd_access Auth/Noauth | ucmd_request Allow/Deny | ucmd_request Auth/Noauth | Result |
---|---|---|---|---|
NO-MATCH | NO-MATCH | NO-MATCH | NO-MATCH | ALLOW, AUTH |
DENY | n/a | n/a | n/a | DENY |
ALLOW | AUTH | NO-MATCH | NO-MATCH | ALLOW, AUTH |
ALLOW | AUTH | ALLOW | AUTH | ALLOW, AUTH |
ALLOW | AUTH | ALLOW | NOAUTH | ALLOW, NOAUTH |
ALLOW | AUTH | DENY | n/a | DENY |
ALLOW | NOAUTH | NO-MATCH | NO-MATCH | ALLOW, NOAUTH |
ALLOW | NOAUTH | ALLOW | AUTH | ALLOW, AUTH |
ALLOW | NOAUTH | ALLOW | NOAUTH | ALLOW, NOAUTH |
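The precedence rules above can be checked mechanically. The following is an added example, not code from Universal Command or its documentation: it models the outcome of rule matching and reproduces the Result column for every row of the table, and it also resolves combinations the table does not list by following the prose rules. The names `Rule`, `resolve`, `TABLE_ROWS` and `mismatches` are assumptions made for this sketch, and how a rule is matched against a client request is outside its scope.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    """A matched UACL rule (hypothetical model, not the product's data format)."""
    allow: bool  # True = allow, False = deny
    auth: bool   # True = auth, False = noauth (ignored on deny rules)

def resolve(access: Optional[Rule], request: Optional[Rule]) -> str:
    """Return the table's Result value; None means no entry of that type matched."""
    # A matching UCMD_ACCESS deny stops the search.
    if access is not None and not access.allow:
        return "DENY"
    # Otherwise a matching UCMD_REQUEST rule decides allow or deny.
    if request is not None and not request.allow:
        return "DENY"
    # Authentication: UCMD_REQUEST sets it, else UCMD_ACCESS, else the default.
    if request is not None:
        auth = request.auth
    elif access is not None:
        auth = access.auth
    else:
        auth = True  # no rules found: allowed, authentication required
    return "ALLOW, AUTH" if auth else "ALLOW, NOAUTH"

DENY = Rule(allow=False, auth=True)
ALLOW_AUTH = Rule(allow=True, auth=True)
ALLOW_NOAUTH = Rule(allow=True, auth=False)

# The nine rows of the precedence table: (ucmd_access, ucmd_request, Result).
TABLE_ROWS = [
    (None, None, "ALLOW, AUTH"),
    (DENY, None, "DENY"),
    (ALLOW_AUTH, None, "ALLOW, AUTH"),
    (ALLOW_AUTH, ALLOW_AUTH, "ALLOW, AUTH"),
    (ALLOW_AUTH, ALLOW_NOAUTH, "ALLOW, NOAUTH"),
    (ALLOW_AUTH, DENY, "DENY"),
    (ALLOW_NOAUTH, None, "ALLOW, NOAUTH"),
    (ALLOW_NOAUTH, ALLOW_AUTH, "ALLOW, AUTH"),
    (ALLOW_NOAUTH, ALLOW_NOAUTH, "ALLOW, NOAUTH"),
]

def mismatches():
    """Rows where the model disagrees with the table (expected: none)."""
    return [(a, r, want) for a, r, want in TABLE_ROWS if resolve(a, r) != want]

if __name__ == "__main__":
    for a, r, want in TABLE_ROWS:
        print(f"{a} + {r} -> {resolve(a, r)} (table: {want})")
```

Because the no-match case resolves to ALLOW, AUTH, a UACL with no matching entries does not restrict which clients may connect; it only leaves authentication in force.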