Universal Control Server for zOS - UACL Example
Universal Control Server for z/OS
The following set of rules permit services for the subnet 10.20.30 and denies all other connections unless an X.509 certificate is presented that maps to certificate ID operations.
When no certificate is presented that maps to a certificate ID, the following set of rules effectively permit connections from any host, but has limited access from host 10.20.30.40 to user TS1004 on that host.
- No host can execute commands as local user root.
- User TS1004 on host 10.20.30.40 can execute commands as local user tsup1004 without providing the password.
- Users TS1004 from host 10.20.30.40 can execute commands as any local user by providing the local user password.
When a certificate is presented that maps to a certificate ID, certificate ID joe can request local user id TSUP1004 without a password.
- Certificate ID joe is allowed to execute commands with any other local user ID with a password.
- Certificate ID operations cannot run anything.
- All other certificate IDs can execute commands with any user ID except for SUPERID with a password.
Components