UACL Entries
UACL entries are specified in the UACL configuration file. All Universal Agent UACL configuration files are simple text files. UACL entries are defined one per line in the following format:
TYPE RULE
TYPE
identifies the UACL entry type. Each Universal Agent component that uses UACL entries has a defined set of entry types it supports. For example, the Universal Broker component uses UACL entries of type ubroker_access.
RULE
defines the UACL entry matching criteria, the client access, and potentially some additional security attributes. The client's identity and the client's request are used to match UACL rules.
UACL entries of the same type are listed in the order in which they should be searched. Since all UACL entries are in the same UACL configuration file, it is highly recommended to keep entries grouped together by their type for easy maintenance.
There is no limit to the number of UACL entries that can be specified in the UACL configuration file.
UACL Entries Example
An example of UACL entries in a UACL configuration file is listed below.
ucmd_access 10.20.30.,TS1004,tsup1004,allow,noauth
ucmd_access 10.20.30.,TS1004,*,allow,auth
ucmd_access 10.20.30.,*,*,deny,auth
ucmd_access ALL,*,root,deny,auth
ucmd_cert_access joe,tsup1004,allow,noauth
ucmd_cert_access joe,*,allow,auth
ucmd_cert_access operations,*,deny,auth
ucmd_cert_access *,root,deny,auth
Rule Syntax
The UACL entry rule consists of a comma-separated list of values. If there is a space or tab character anywhere in the list of values, the entire list must be enclosed in quotation (") characters. Which values are required, and the meaning of each value, is specific to the UACL entry type; both are defined in the documentation of the Universal Agent component for its UACL entries.
As an example, the following ucmd_request UACL entry contains a space in the "DSPLIB QGPL" rule value, so the entire rule is enclosed in quotation characters.
ucmd_request "prod.host.name,remoteuser,localuser,cmd,DSPLIB QGPL,allow,auth"
Generics
You can use generics - pattern control characters and codes - in the UACL rule to match client requests.
Generics allow you to specify a string pattern in the rule to match a client request value. A string pattern is a convenient way of specifying one or more values.
Pattern Control Characters
The following pattern control characters can be used:
Control Character | Description |
---|---|
* | Match 0 or more characters. |
? | Match one character. |
/ | Escape character to escape matching control characters so they are used as literal characters and to specify control codes. |
Pattern Control Codes
In addition to the pattern control characters, pattern control codes can be specified to control how the pattern matching is performed. Pattern control codes are specified in the pattern string by prefixing them with the escape character, which is the slash character ( / ).
The following pattern control codes can be used:
Control Codes | Description |
---|---|
c | Perform a case insensitive compare. |
C | Perform a case sensitive compare (the default). |
s | Normalize spaces by reducing multiple spaces to one. |
S | Don't normalize spaces (the default). |
Example String Patterns Using Generics
Some example string patterns using generics are listed below.
Pattern | Description |
---|---|
*le | matches "apple", "le", and "red apple". |
/*le | matches "*le" only. |
ap?le | matches "apple", "ap le", but not "aple". |
/c*le | matches "apple", "APPLE", and "appLe". |
a/c*le | matches "apple", "aPpLe", but not "APPLE". |
/s*le | matches "apple", "red apple", and "red  apple" (two spaces, normalized to one before the compare). |
Host Name Aliases
For any UACL entry that accepts the IP address or host name of a client, you can specify a canonical name for the host (that is, an alias) instead of the actual host name. This allows you to update DNS CNAME records to point to new hosts without having to update UACL entries that apply to that host, as might happen when switching from a test to production environment.
To indicate that the host name specified in the UACL rule is (or could be) an alias, prefix the name with the @ symbol.
When the @ symbol is used and the application is unable to match the IP address and host name of the client host to the UACL entry, the application tries to obtain information about the host name that follows the @ symbol. If that host name value is an alias of the client host, the application examines the other UACL entry parameters. Otherwise, the application skips the UACL entry and proceeds to the next one.
For example, the following ubroker_access entry indicates that myalias.abc.com could be an alias for a remote client:
ubroker_access @myalias.abc.com,allow
The application applies this rule if myalias.abc.com is the actual host name of the client, or an alias for it. Without the @ symbol, the application ignores the rule if the actual host name of the client is something else (for example, myhost.abc.com).
Although using alias names provides a measure of flexibility with respect to Agent configurations, such entries should be used with caution. While some entries may be examined only at process start-up, the expense of a round-trip query to the host name resolver (for example, DNS) - particularly when multiplied across several processes - may have an undesirable effect on overall workflow performance. You may want to adopt alias name usage gradually, starting with your most dynamic environment, in order to measure any performance impacts that occur.
Searching UACL Entries
UACL entries are searched in the order they are listed in the UACL configuration file. The search criteria are based on the client identity and the client request. Once a matching UACL entry has been found, the search stops and the matching entry is used.
The client identity is defined as a combination of the client TCP/IP IP address, client TCP/IP host name, client user ID, and client digital certificate. See Client Identification for details on client identification.
The client request is defined based on the UACL entry type. Typically, a separate UACL entry type represents each different type of client request. Each rule value has fields that correspond to the client request values. See Request Identification for details on request identification.
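As an added example (not Universal Agent's own code), the Python below implements the generics described under Generics (the *, ? and / control characters and the /c, /C, /s and /S control codes), the quoted-rule syntax from Rule Syntax, and the first-match, file-order search described above, run over the ucmd_cert_access entries from the example file. It assumes that a control code applies from its position in the pattern onward (as the a/c*le example implies) and that /s normalization is applied to the whole client value.

```python
import re

def _regex_for(pattern):
    """Translate a UACL generic pattern into (regex, normalize_spaces)."""
    out, ci, norm, i = [], False, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "/" and i + 1 < len(pattern):  # escape char or control code
            i += 1
            code = pattern[i]
            if code in "cC":   ci = code == "c"    # /c: case-insensitive from here on
            elif code in "sS": norm = code == "s"  # /s: collapse runs of spaces
            else: out.append(re.escape(code))      # e.g. "/*" is a literal "*"
        elif ch == "*":
            out.append(".*")                       # zero or more characters
        elif ch == "?":
            out.append(".")                        # exactly one character
        elif ci and ch.lower() != ch.upper():
            out.append("[%s%s]" % (re.escape(ch.lower()), re.escape(ch.upper())))
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out), norm

def uacl_match(pattern, value):
    """True if the client request value matches the UACL generic pattern."""
    regex, norm = _regex_for(pattern)
    if norm:  # assumption: /s normalizes the whole client value
        value = re.sub(r" {2,}", " ", value)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def parse_entry(line):
    """Split 'TYPE RULE' into (type, fields); a quoted RULE may hold spaces."""
    entry_type, _, rule = line.strip().partition(" ")
    rule = rule.strip()
    if len(rule) >= 2 and rule[0] == rule[-1] == '"':
        rule = rule[1:-1]
    return entry_type, rule.split(",")

def find_entry(entries, entry_type, client_values):
    """First entry of entry_type whose leading fields match the client values;
    file order decides, so an earlier broad allow beats a later deny."""
    for etype, fields in entries:
        if etype == entry_type and all(
                uacl_match(p, v) for p, v in zip(fields, client_values)):
            return fields
    return None  # no entry matched

ENTRIES = [parse_entry(l) for l in (            # constructed sample, file order
    "ucmd_cert_access joe,tsup1004,allow,noauth", "ucmd_cert_access joe,*,allow,auth",
    "ucmd_cert_access operations,*,deny,auth", "ucmd_cert_access *,root,deny,auth")]
```

Note that find_entry(ENTRIES, "ucmd_cert_access", ["joe", "root"]) returns the joe,* allow entry, not the later *,root deny entry: a deny meant to be general must be listed before any broader allow.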
Additional Information
The following pages provide additional detailed information for UACL Entries: