Universal Command Server for zOS - UACL Example
Universal Command Server for z/OS
The following set of rules permits services for the subnet 10.20.30 and denies all other connections unless an X.509 certificate is presented that maps to certificate ID operations.
ucmd_access 10.20.30.,*,*,allow,auth
ucmd_access ALL,*,*,deny,auth
ucmd_cert_access operations,*,allow,auth
ucmd_cert_access *,*,deny,auth
When no certificate is presented that maps to a certificate ID, the following set of rules effectively permits connections from any host, but limits access from host 10.20.30.40 to user TS1004 on that host:
- No host can execute commands as local user SUPERID.
- User TS1004 on host 10.20.30.40 can execute commands as local user TSUP1004 without providing the password.
- User TS1004 from host 10.20.30.40 can execute commands as any local user by providing the local user password.
When a certificate is presented that maps to a certificate ID:
- Certificate ID joe can request local user ID TSUP1004 without a password.
- Certificate ID joe is allowed to execute commands with any other local user ID with a password.
- Certificate ID operations cannot run anything.
- All other certificate IDs can execute commands with any user ID except for SUPERID with a password.
ucmd_access 10.20.30.40,TS1004,tsup1004,allow,noauth
ucmd_access 10.20.30.40,TS1004,*,allow,auth
ucmd_access 10.20.30.40,*,*,deny,auth
ucmd_access ALL,*,superid,deny,auth
ucmd_cert_access joe,tsup1004,allow,noauth
ucmd_cert_access joe,*,allow,auth
ucmd_cert_access operations,*,deny,auth
ucmd_cert_access *,superid,deny,auth
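The rule set above can be checked against test identities before deployment. The following Python sketch is an added example, not Stonebranch code. It assumes the first matching entry decides, that comparisons are case-insensitive, that a host ending in "." is a prefix match, and that ALL matches every host; parse, decide and RULES are hypothetical names.

```python
from fnmatch import fnmatchcase

# Second rule set from this page, one entry per line.
RULES = """\
ucmd_access 10.20.30.40,TS1004,tsup1004,allow,noauth
ucmd_access 10.20.30.40,TS1004,*,allow,auth
ucmd_access 10.20.30.40,*,*,deny,auth
ucmd_access ALL,*,superid,deny,auth
ucmd_cert_access joe,tsup1004,allow,noauth
ucmd_cert_access joe,*,allow,auth
ucmd_cert_access operations,*,deny,auth
ucmd_cert_access *,superid,deny,auth
"""

def parse(text):
    """Split entries into (keyword, [fields]) pairs, keeping file order."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            keyword, fields = line.split(None, 1)
            rules.append((keyword, [f.strip() for f in fields.split(",")]))
    return rules

def _match(pattern, value):
    # Assumption: comparison is case-insensitive and '*' is a wildcard.
    return fnmatchcase(value.lower(), pattern.lower())

def _host_match(pattern, host):
    # Assumption: ALL matches every host; a trailing '.' is a prefix match.
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return host.startswith(pattern)
    return _match(pattern, host)

def decide(rules, local_user, host="", remote_user="", cert_id=None):
    """Return (access, auth) of the first matching entry, or None if none match."""
    for keyword, f in rules:
        # A mapped certificate ID is checked against ucmd_cert_access only.
        if cert_id is not None and keyword == "ucmd_cert_access":
            if _match(f[0], cert_id) and _match(f[1], local_user):
                return f[2], f[3]
        # Without one, host and remote user are checked against ucmd_access.
        elif cert_id is None and keyword == "ucmd_access":
            if (_host_match(f[0], host) and _match(f[1], remote_user)
                    and _match(f[2], local_user)):
                return f[3], f[4]
    return None  # no entry matched; the product default is not modelled here
```

Because the first matching entry decides under these assumptions, running the same queries against a reordered list shows whether a change alters the outcome for any identity.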