Command Access Control
Command access control allows an ACSLS administrator to restrict certain classes of commands to specific client applications or specific users across the network. Controlled access applies only to user commands that are submitted through the ACSAPI and it does not apply to local users who submit commands using cmd_proc.
The process to configure ACSLS for command access control involves three steps.
The first time you configure ACSLS for command access control follow these steps:
- Enable command access control in ACSLS.
- Associate a client identity with a user name.
- Define what commands are available to which users.
Associating a Client Identity with a User Name
Refer to the procedures under Associating a Client Identity with a User Name.
Defining What Commands are Available to Which Users
This process depends upon the default behavior you have selected when you enabled command access control. You must create a policy file in the $ACS_HOME/data/external/access_control
directory.
-
If the default behavior you defined above is [NOACCESS], you must create a
command.ALL.allow
file that contains the user ID of each client that is to have access to all ACSLS commands. Each user ID should be listed on a separate line in the file.If you want to grant only specific commands to specific users, you must create
command.
XXX
.allow
files for each command the users are allowed to execute. For example, to grant permission for specific users to enter volumes into the library, you would create a file with the namecommand.ENTER.allow
and list the ID of each qualified 'enter' user on a separate line in the file. -
If the default behavior you defined above is [ACCESS], you must create a
command.ALL disallow
file that contains the user ID of each client that is not to have access to all ACSLS commands. Each user ID should be listed on a separate line in the file.Note:
You cannot have the same user_ID in both thecommand
.XXX
.allow
andcommand
.XXX
.disallow
command.XXX
files for the same command or ALL.
Command Names for Command Access Control allow and disallow Files
The command
.XXX
.allow
and command
.XXX
.disallow
files must have a command component with the name specified exactly as listed below, with the name of the command in uppercase. Controlling access to other variants of commands (such as QUERY_VOLUME
) is not supported.
AUDIT CANCEL CHECK_REGISTRATION CLEAR_LOCK DEFINE_POOL DELETE_POOL DISMOUNTDISMOUNT_FORCE DISPLAY EJECT ENTER (1) IDLE LOCK MOUNT (2) QUERY QUERY_LOCK REGISTER SET_CAP SET_CLEAN SET_OWNER SET_SCRATCH START UNLOCK UNREGISTER VARY
Note:
ENTER (1) - Policies apply to virtual enter and manual enter, but not for automatic enter. MOUNT (2) - Policies also apply tomount scratch
and mount readonly
.
Use the following table as a quick reference for determining when command access is allowed.
Table 6-3 Command Access is Enabled - NOACCESS
Default Access for Commands is NOACCESS | Access Allowed | Access Denied |
---|---|---|
The request is entered from |
X |
- |
The user_ID is listed in |
X |
- |
The user_ID is listed in |
X |
- |
- - All other conditions - - |
- |
X |
Table 6-4 Command Access is Enabled - ACCESS
Default Access for Commands is ACCESS | Access Allowed | Access Denied |
---|---|---|
The request is entered from |
X |
- |
The user_ID is listed in |
- |
X |
The user_ID is listed in |
- |
X |
- - All other conditions - - |
X |
- |
-
Save any updates to the policies you define:
-
Run
acsss_config
-
Select Option 6 - "Rebuild Access Control Information".
ACSLS dynamically recognizes the change.
-