The Server Access File

The foundation of AcuConnect system security is the server access file, an encrypted Vision file named AcuAccess by default. This file contains a database of access records that determine which machines and which users are allowed to use AcuConnect. AcuConnect searches for this file in the /etc directory on UNIX servers and in the \etc directory on the operating system drive on Windows servers. You may rename the file if you like.

The server access file is designed to support a wide range of access security, from very permissive to very restrictive. You choose the level of security appropriate for your application.

Access records may include wild cards that allow all clients or all users (except root under UNIX and administrator under Windows) access to AcuConnect. Or you can create individual access records for each user of each client. By having individual access records, you can restrict access to only those users specifically named in the access file.

The individual access records allow you to specify the user ID that AcuConnect will use when executing requests for users matching the given record. In this way, you can assign a user ID that has exactly the privileges needed and no more (typical of group access accounts).

In addition, every access record can include a password entry that the application or user must match before AcuConnect establishes a connection. (However, if the SECURITY_METHOD configuration variable is set to "LOGON", the local account password can be used instead.)

Note: Use native system security rather than AcuConnect system security. On Windows 2008 you must use native system security. To use native security, set the SECURITY_METHOD variable in both the runtime configuration file on the client and the server configuration file on the server. You still create a server access file containing access records that define your user base, but the server access file is used only to check whether the user connecting to the server is allowed to connect, and to determine which local account the connection should be mapped to.

The security system is almost completely transparent to the end user. Only when remote file access requires interactive password authentication is the user made aware of the security system.

On UNIX servers, the access file must be owned by root. The access file cannot be writable by anyone other than root. If the access file does not exist, is not owned by root, or is writable by users other than root, AcuConnect does not start.
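The UNIX startup conditions above can be checked before AcuConnect is launched. The following is an added example, not code from the AcuConnect product: it approximates the documented conditions with classic mode bits only (ACLs are not inspected), and the optional second argument is a hypothetical hook for checking against a uid other than root.

```shell
#!/bin/sh
# Added example, not vendor code. Approximates the documented UNIX startup
# conditions using ownership and mode bits; ACLs are not inspected.

# check_access_file PATH [OWNER_UID]
# Returns 0 if PATH exists, is owned by OWNER_UID (default 0 = root) and has
# no group or other write bit. Prints a reason and returns 1 otherwise.
check_access_file() {
    file=$1
    want_uid=${2:-0}   # hypothetical parameter, defaults to root

    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist or is not a regular file"
        return 1
    fi

    # ls -ldnL: numeric ids, symlinks followed. Field 1 = mode, field 3 = uid.
    info=$(ls -ldnL -- "$file" | awk '{print $1, $3}')
    mode=${info% *}
    uid=${info#* }

    # Mode string positions: 1 type, 2-4 owner, 5-7 group, 8-10 other.
    case $mode in
        ?????w*|????????w*)
            echo "FAIL: $file is writable by group or other ($mode)"
            return 1 ;;
    esac

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $file is owned by uid $uid, expected $want_uid"
        return 1
    fi

    echo "OK: $file ($mode, uid $uid)"
    return 0
}

# Stand-alone use: sh check_access.sh /etc/AcuAccess
if [ "$#" -gt 0 ]; then
    check_access_file "$@"
fi
```

If the file was renamed or moved, pass its actual path as the first argument.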

On Windows servers, you should protect the access file by allowing only the administrator or someone in the administrators group to have write access to it. If the access file does not exist, is not owned by administrator or the administrators group, or is writable by users other than administrator or the administrators group, AcuConnect does not start.