Universal Access Control List (UACL)

Overview

Many Universal Agent components use the Universal Access Control List (UACL) feature as an extra layer of security for the services they offer. UACLs serve several purposes, but in general they determine whether a client request is allowed or denied access to a service, and they set security attributes for the client request.

Each Universal Broker has an associated UACL configuration file that contains all the UACL entries for that system. The UACL entries can be used to enforce a security policy specific to the system on which the Broker is deployed.

The following Universal Agent components use the UACL feature:

| Component | Description |
|---|---|
| Universal Automation Center Agent | UACLs are used to control whether user credentials are required for task execution and to control whether or not user authentication is required. See Universal Automation Center Agent UACL Entries for complete details. |
| Universal Broker | UACLs are used to permit or deny TCP/IP client connections. See Universal Broker UACL Entries for complete details. |
| Universal Command Server | UACLs are used to permit or deny Universal Command Manager access and to control whether or not the Manager request requires user authentication. See Universal Command UACL for complete details. |
| Universal Control Server | UACLs are used to permit or deny Universal Control Manager access and to control whether or not the Manager request requires user authentication. See Universal Control UACL Entries for complete details. |
| Universal Data Mover Server | UACLs are used to permit or deny Universal Data Manager access and to control whether or not the Manager request requires user authentication. See Universal Data Mover UACL Entries for complete details. |
| Universal Event Monitor Server | UACLs are used to permit or deny Universal Event Monitor Manager access and to control user authentication for event handlers. See Universal Event Monitor UACL Entries for complete details. |
| Universal Message Service | UACLs are used to permit or deny TCP/IP client connections and provide access to the OMS Administration Utility. See OMS Server UACL Entries for complete details. |

Note

For component-specific examples of UACL entries, see UACL Examples.


UACL Configuration

UACL entries are maintained in a configuration file. The Universal Broker requires the UACL configuration file in order to start, even if no UACL entries are defined in it.

The UACL configuration file syntax is the same as all other Universal Agent configuration files except for one difference: multiple UACL entries of the same name may be defined. The order in which the UACL entries are listed in the configuration file determines the order in which they are searched. See Configuration File Syntax for details on configuration file syntax.

The following table describes the location of the UACL configuration file and how it is accessed for each platform.

| Platform | Description |
|---|---|
| z/OS | All UACL entries are defined in member ACLCFG00 in library UNVCONF. The Universal Broker started task allocates the UACL configuration file to ddname UNVACL. |
| UNIX | All UACL entries are defined in the uacl.conf configuration file. This file is installed in /etc/universal by default. The UACL file is searched for in the same manner as all other product configuration files. |
| Windows | All UACL entries are defined in the uacl.conf configuration file. The location of this file depends on the version of Windows. It is recommended to use the Windows Universal Configuration Manager to view and update UACL entries. |
| IBM i | All UACL entries are defined in member UACL of file UNVCONF. |