UACL Entries

UACL entries are specified in the UACL configuration file. All Universal Agent UACL configuration files are simple text files. UACL entries are defined one per line in the following format:

TYPE RULE

  • TYPE identifies the kind of UACL entry. Each Universal Agent component that uses UACL entries has a defined set of entry types it supports. For example, the Universal Broker component uses UACL entries of type ubroker_access.
  • RULE defines the UACL entry matching criteria, the client access, and potentially some additional security attributes. The client's identity and the client's request are used to match UACL rules.

UACL entries of the same type are listed in the order in which they should be searched. Since all UACL entries are in the same UACL configuration file, it is highly recommended to keep entries grouped together by their type for easy maintenance.

There is no limit to the number of UACL entries that can be specified in the UACL configuration file.

UACL Entries Example

An example of UACL entries in a UACL configuration file is listed below.

ucmd_access        10.20.30.,TS1004,tsup1004,allow,noauth
ucmd_access        10.20.30.,TS1004,*,allow,auth
ucmd_access        10.20.30.,*,*,deny,auth
ucmd_access        ALL,*,root,deny,auth

ucmd_cert_access   joe,tsup1004,allow,noauth
ucmd_cert_access   joe,*,allow,auth
ucmd_cert_access   operations,*,deny,auth
ucmd_cert_access   *,root,deny,auth

Rule Syntax

The UACL entry rule consists of a comma-separated list of values. If any value in the list contains a space or tab character, the entire list must be enclosed in quotation (") characters. Which values are required, and what each value means, depends on the UACL entry type and is defined in the documentation of the Universal Agent component that uses that entry type.

As an example, the following ucmd_request UACL entry contains a space in the "DSPLIB QGPL" rule value, so the entire rule is enclosed in quotation characters.

ucmd_request "prod.host.name,remoteuser,localuser,cmd,DSPLIB QGPL,allow,auth"
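The following parser, added here as an example and not part of the Universal Agent product, reads a UACL configuration file in the TYPE RULE format described above, honours the rule that a rule containing spaces or tabs must be enclosed in quotation characters, and reports entry types whose entries are not grouped together (the maintenance recommendation given earlier). The sample file content is constructed from the entries shown on this page; the treatment of a leading # as a comment marker is an assumption, not something this page states.

```python
import re

# Constructed sample of a UACL configuration file: the entries shown on this
# page plus one quoted ucmd_request rule containing a space.
SAMPLE_UACL = '''\
ucmd_access        10.20.30.,TS1004,tsup1004,allow,noauth
ucmd_access        10.20.30.,TS1004,*,allow,auth
ucmd_access        ALL,*,root,deny,auth

ucmd_cert_access   joe,tsup1004,allow,noauth
ucmd_request       "prod.host.name,remoteuser,localuser,cmd,DSPLIB QGPL,allow,auth"
ucmd_access        10.20.30.,*,*,deny,auth
'''


def parse_entry(line):
    """Parse one 'TYPE RULE' line into (type, [rule values]); None for blank lines."""
    line = line.strip()
    if not line or line.startswith('#'):     # assumption: '#' starts a comment
        return None
    parts = line.split(None, 1)               # TYPE, then everything after it
    if len(parts) != 2:
        raise ValueError(f"entry has no rule: {line!r}")
    etype, rule = parts
    if rule.startswith('"'):
        # A rule with embedded spaces or tabs must be enclosed entirely in quotes.
        if len(rule) < 2 or not rule.endswith('"'):
            raise ValueError(f"unterminated quoted rule: {line!r}")
        rule = rule[1:-1]
    elif re.search(r'[ \t]', rule):
        raise ValueError(f"rule contains whitespace but is not quoted: {line!r}")
    return etype, rule.split(',')


def parse_uacl(text):
    """Parse a whole UACL file, keeping entries in file order (order is significant)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_entry(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if parsed:
            entries.append(parsed)
    return entries


def ungrouped_types(entries):
    """Entry types that appear in more than one contiguous run of the file."""
    seen, last, scattered = set(), None, []
    for etype, _ in entries:
        if etype != last and etype in seen and etype not in scattered:
            scattered.append(etype)
        seen.add(etype)
        last = etype
    return scattered


if __name__ == '__main__':
    for etype, values in parse_uacl(SAMPLE_UACL):
        print(etype, values)
    print('not grouped by type:', ungrouped_types(parse_uacl(SAMPLE_UACL)))
```

Because entries are searched in file order, a linter of this kind is also a convenient place to warn when a broad entry (for example one whose values are all *) precedes a more specific entry of the same type, since the later entry can then never be reached.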

Generics

You can use generics - pattern control characters and codes - in the UACL rule to match client requests.

Generics allow you to specify a string pattern in the rule to match a client request value. A string pattern is a convenient way of specifying one or more values.

Pattern Control Characters

The following pattern control characters can be used:

Control Character   Description
-----------------   -----------------------------------------------------------
*                   Match 0 or more characters.
?                   Match one character.
/                   Escape character. Escapes a pattern control character so it
                    is matched as a literal character, and introduces pattern
                    control codes.

Pattern Control Codes

In addition to the pattern control characters, pattern control codes can be specified to control how the pattern matching is performed. Pattern control codes are specified in the pattern string by prefixing them with the escape character, which is the slash character ( / ).

The following pattern control codes can be used:

Control Code   Description
------------   -----------------------------------------------------
c              Perform a case insensitive compare.
C              Perform a case sensitive compare (the default).
s              Normalize spaces by reducing multiple spaces to one.
S              Don't normalize spaces (the default).

Example String Patterns Using Generics

Some example string patterns using generics are listed below.

Pattern   Description
-------   ------------------------------------------------------
*le       matches "apple", "le", and "red apple".
/*le      matches "*le" only.
ap?le     matches "apple", "ap le", but not "aple".
/c*le     matches "apple", "APPLE", and "appLe".
a/c*le    matches "apple", "aPpLe", but not "APPLE".
/s*le     matches "apple", "red apple", and "red    apple".

Host Name Aliases

For any UACL entry that accepts the IP address or host name of a client, you can specify a canonical name for the host (that is, an alias) instead of the actual host name. This allows you to update DNS CNAME records to point to new hosts without having to update UACL entries that apply to that host, as might happen when switching from a test to production environment.

To indicate that the host name specified in the UACL rule is (or could be) an alias, prefix the name with the @ symbol.

When the @ symbol is used and the application is unable to match the IP address and host name of the client host to the UACL entry, the application tries to obtain information about the host name that follows the @ symbol. If that host name value is an alias of the client host, the application examines the other UACL entry parameters. Otherwise, the application skips the UACL entry and proceeds to the next one.

For example, the following ubroker_access entry indicates that myalias.abc.com could be an alias for a remote client:

ubroker_access @myalias.abc.com,allow

The application applies this rule if myalias.abc.com is the client's actual host name or an alias for it. Without the @ symbol, the application ignores the rule if the actual host name of the client is something else (for example, myhost.abc.com).

Although using alias names provides a measure of flexibility with respect to Agent configurations, such entries should be used with caution. While some entries may be examined only at process start-up, the expense of a round-trip query to the host name resolver (for example, DNS) - particularly when multiplied across several processes - may have an undesirable effect on overall workflow performance. You may want to adopt alias name usage gradually, starting with your most dynamic environment, in order to measure any performance impacts that occur.

Searching UACL Entries

UACL entries are searched in the order they are listed in the UACL configuration file. The search criteria are based on the client identity and the client request. Once a matching UACL entry has been found, the search stops and the matching entry is used.

The client identity is defined as a combination of the client TCP/IP IP address, client TCP/IP host name, client user ID, and client digital certificate. See Client Identification for details on client identification.

The client request is defined based on the UACL entry type. Typically, each type of client request has its own UACL entry type. Each rule value has fields that correspond to the client request values. See Request Identification for details on request identification.
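The block below is an added example, not Universal Agent code, serving both the Generics section (the pattern control characters *, ? and / and the control codes /c, /C, /s and /S, checked against the example patterns listed there) and the first-match search described in this section, using the ucmd_access entries from the example near the top of the page as constructed input. Several details are assumptions rather than statements on this page: a host value consisting of digits and dots and ending in a dot is treated as an IP-address prefix, the value ALL matches any host, /s collapses runs of spaces in both pattern and text, a control code applies from its position to the end of the pattern (which is what a/c*le not matching "APPLE" implies), and an @alias host value is accepted when a caller-supplied resolver maps the alias to the client's host name.

```python
"""Generic pattern matching plus first-match UACL search (added example).
Assumptions not stated on the page: '10.20.30.'-style values are IP prefixes,
ALL matches any host, /s collapses space runs on both sides, and an @alias is
accepted when resolve_alias(alias) returns the client host name."""


def _literal(lit, text, j, nocase):
    """Match one literal character at text[j]; return the new offset or -1."""
    if j >= len(text):
        return -1
    same = lit.lower() == text[j].lower() if nocase else lit == text[j]
    return j + 1 if same else -1


def match(pattern, text, nocase=False, normspace=False):
    """True if text matches pattern: '*' is 0+ chars, '?' one char, '/' escapes
    the next char, and /c /C /s /S change the mode for the rest of the pattern."""
    i = j = 0
    while i < len(pattern):
        c = pattern[i]
        if c == '/':
            if i + 1 == len(pattern):
                raise ValueError("pattern ends with a lone escape character")
            code = pattern[i + 1]
            i += 2
            if code in 'cC':          # case-insensitive / case-sensitive compare
                nocase = code == 'c'
            elif code in 'sS':        # normalize spaces / do not normalize
                normspace = code == 's'
            else:                     # escaped '*', '?', '/' or other literal
                j = _literal(code, text, j, nocase)
                if j < 0:
                    return False
        elif c == '*':
            # Let '*' absorb every possible prefix of the remaining text.
            rest = pattern[i + 1:]
            return any(match(rest, text[k:], nocase, normspace)
                       for k in range(j, len(text) + 1))
        elif c == '?':
            if j >= len(text):
                return False
            i, j = i + 1, j + 1
        elif c == ' ' and normspace:
            # One run of spaces in the pattern matches one run in the text.
            while i < len(pattern) and pattern[i] == ' ':
                i += 1
            if j >= len(text) or text[j] != ' ':
                return False
            while j < len(text) and text[j] == ' ':
                j += 1
        else:
            j = _literal(c, text, j, nocase)
            if j < 0:
                return False
            i += 1
    return j == len(text)


def host_matches(value, ip, hostname, resolve_alias=None):
    """Match a rule's host value against the client's IP address and host name."""
    if value == 'ALL':
        return True
    if value.startswith('@'):
        name = value[1:]
        if match(name, hostname) or match(name, ip):
            return True
        # Alias form: ask the resolver whether the name is an alias of the client host.
        return resolve_alias is not None and resolve_alias(name) == hostname
    if value.endswith('.') and value.replace('.', '').isdigit():
        return ip.startswith(value)   # partial IP address such as 10.20.30.
    return match(value, ip) or match(value, hostname)


def find_ucmd_access(entries, ip, hostname, remote_user, local_user, resolve_alias=None):
    """First-match search: (access, auth) of the first ucmd_access entry whose
    host, remote user and local user values all match the client, else None."""
    for etype, values in entries:
        if etype != 'ucmd_access':
            continue
        host, ruser, luser, access, auth = values
        if (host_matches(host, ip, hostname, resolve_alias)
                and match(ruser, remote_user) and match(luser, local_user)):
            return access, auth
    return None


# Constructed input: the page's ucmd_access example, already split into values.
ENTRIES = [
    ('ucmd_access', ['10.20.30.', 'TS1004', 'tsup1004', 'allow', 'noauth']),
    ('ucmd_access', ['10.20.30.', 'TS1004', '*', 'allow', 'auth']),
    ('ucmd_access', ['10.20.30.', '*', '*', 'deny', 'auth']),
    ('ucmd_access', ['ALL', '*', 'root', 'deny', 'auth']),
]

if __name__ == '__main__':
    print(find_ucmd_access(ENTRIES, '10.20.30.40', 'ts1.example', 'TS1004', 'tsup1004'))
    print(find_ucmd_access(ENTRIES, '192.0.2.7', 'other.example', 'bob', 'bob'))
```

Note that find_ucmd_access returns None when nothing matches; what the product does in that case is governed by the component's documentation, not by this example. Because the default compare is case sensitive, a client presenting remote user "ts1004" does not match the TS1004 entries and falls through to the broader deny entries, which is the behaviour the first-match search implies.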

Additional Information

The following pages provide additional detailed information for UACL Entries: