The AcuServer connection validation logic is described here to clarify the use of the server access file and the DEFAULT_USER configuration variable.
When a client process (running application) makes its first request to AcuServer, AcuServer performs the following access validation procedure whether AcuServer system security or native system security is being used.
To validate the requester's access privileges, AcuServer:
When a match is found, and the named-pipe form of security is turned on (via the SECURITY_METHOD variable), and the client user has an account on the server, AcuServer automatically grants the user permission to connect. The AcuAccess file does not set the client user's local username, nor does it determine whether the client is required to enter a password.
When a match is found and the LOGON form of security is turned on, AcuServer attempts to use the value of the matching password field in the AcuAccess file to log the user on. If the password isn't valid or the password field is empty, the user is prompted to enter a password. If a valid password is given, the requester is logged on, otherwise the connection is refused.
When a match is found and AcuServer system security is being used:
If the Local Username is valid and the password field is defined, a message is sent back to the requester asking for a password. See Passwords for more information about password handling.
When the client process terminates, the client-server connection is broken. New client applications requesting AcuServer services will go through the verification process to establish a connection.