1. Administrator's Guide
  2. Access Control
  3. Command Access Control

Command Access Control

Command access control allows an ACSLS administrator to restrict certain classes of commands to specific client applications or specific users across the network. Controlled access applies only to user commands that are submitted through the ACSAPI and it does not apply to local users who submit commands using cmd_proc.

The process to configure ACSLS for command access control involves three steps.

The first time you configure ACSLS for command access control follow these steps:

  1. Enable command access control in ACSLS.
  2. Associate a client identity with a user name.
  3. Define what commands are available to which users.

Enabling Command Access Control

To enable command access control in ACSLS,

  1. Run the configuration utility, acsss_config.

    The main menu displays.

  2. Select Option 4 - Set Access Control Variables.

    Each variable is listed, one at a time, and its current setting is displayed.

  3. Click Enter to accept the current or default setting.
  4. Select TRUE and click Enter when the utility displays the message Access control is active for commands.
  5. When the message "Default access for commands" is displayed:

    • Select ACCESS if you want to allow all users access to all commands.

      To block specific users from issuing commands, they must be listed in a command.ALL.disallow file or a specific command.XXX.disallow file, where:

      XXX is the command for which access control is intended

    • Select [NOACCESS] if you want to deny user access to commands.

      To allow specific users to issue commands, they must be listed in a command.ALL.allow file or a specific command.XXX.allow file.

      Note:

      • If you want to log instances where access to commands is denied, enter "TRUE" in response to that prompt.
      • Whenever enabling or disabling command access, you must restart ACSLS for the change to take effect.

Associating a Client Identity with a User Name

Refer to the procedures under Associating a Client Identity with a User Name.

Defining What Commands are Available to Which Users

This process depends upon the default behavior you have selected when you enabled command access control. You must create a policy file in the $ACS_HOME/data/external/access_control directory.

  • If the default behavior you defined above is [NOACCESS], you must create a command.ALL.allow file that contains the user ID of each client that is to have access to all ACSLS commands. Each user ID should be listed on a separate line in the file.

    If you want to grant only specific commands to specific users, you must create command.XXX.allow files for each command the users are allowed to execute. For example, to grant permission for specific users to enter volumes into the library, you would create a file with the name command.ENTER.allow and list the ID of each qualified 'enter' user on a separate line in the file.

  • If the default behavior you defined above is [ACCESS], you must create a command.ALL disallow file that contains the user ID of each client that is not to have access to all ACSLS commands. Each user ID should be listed on a separate line in the file.

    Note:

    You cannot have the same user_ID in both the command.XXX.allow and command.XXX.disallow command.XXX files for the same command or ALL.

Command Names for Command Access Control allow and disallow Files

The command.XXX.allow and command.XXX.disallow files must have a command component with the name specified exactly as listed below, with the name of the command in uppercase. Controlling access to other variants of commands (such as QUERY_VOLUME) is not supported. 

AUDIT 
CANCEL 
CHECK_REGISTRATION 
CLEAR_LOCK 
DEFINE_POOL 
DELETE_POOL 
DISMOUNTDISMOUNT_FORCE 
DISPLAY 
EJECT 
ENTER      (1) 
IDLE 
LOCK 
MOUNT      (2) 
QUERY 
QUERY_LOCK 
REGISTER 
SET_CAP 
SET_CLEAN 
SET_OWNER 
SET_SCRATCH 
START 
UNLOCK 
UNREGISTER 
VARY

Note:

ENTER (1) - Policies apply to virtual enter and manual enter, but not for automatic enter. MOUNT (2) - Policies also apply to mount scratch and mount readonly.

Use the following table as a quick reference for determining when command access is allowed.

Table 6-3 Command Access is Enabled - NOACCESS

Default Access for Commands is NOACCESS Access Allowed Access Denied

The request is entered from cmd_proc

X

-

The user_ID is listed in command.COMMAND.allow

X

-

The user_ID is listed in command.ALL.allow

X

-

- - All other conditions - -

-

X

Table 6-4 Command Access is Enabled - ACCESS

Default Access for Commands is ACCESS Access Allowed Access Denied

The request is entered from cmd_proc

X

-

The user_ID is listed in command.COMMAND.disallow

-

X

The user_ID is listed in command.ALL.disallow

-

X

- - All other conditions - -

X

-

  • Save any updates to the policies you define:

    • Run acsss_config

    • Select Option 6 - "Rebuild Access Control Information".

    ACSLS dynamically recognizes the change.