Create access control list - connect_cdc_sqdata - Latest

Connect CDC (SQData) Change Data Capture

Product type
Software
Portfolio
Integrate
Product family
Connect
Product
Connect > Connect CDC (SQData)
Version
Latest
Language
English
Product name
Connect CDC (SQData)
Title
Connect CDC (SQData) Change Data Capture
Copyright
2024
First publish date
2000
Last updated
2024-11-25
Published on
2024-11-25T15:05:48.570404

The Controller Daemon requires an Access Control List (ACL) that assigns privileges (admin, query and so on) to users or groups of users associated with the Capture or Engine agents running on the platform. This sequential file, usually named acl.cfg, is placed in the <SQDATA_VAR_DIR>/daemon/cfg directory. The file name must match the name specified in the SQDagents.cfg file by the acl=<location/file> keyword. Because the ACL decides who may start, stop and reconfigure agents, it should be readable and writable only by the user that runs the daemon.

The ACL configuration file contains three sections, two of which are named. Each section consists of key=argument pairs. Empty lines and lines starting with # or -- are treated as comments. Section names are enclosed in square brackets; section names, keywords and arguments are case-sensitive.

Sample
allow_guest=yes
guest_acl=none
default_acl=query
[groups]
admin=<user>,<user2>
[acls]
admin=admin
cntl=exec
status=query

Syntax

Global section - has no section header and must come first in the file.
allow_guest=no | yes
guest_acl=<acl_list_name>
default_acl=<comma separated list>
Keyword and Parameter Descriptions
Keyword Description
allow_guest=no | yes

Specifies whether a guest is allowed to connect. Guests are clients that complete the NaCl handshake but whose public key is not in the server's authorized_keys_list file. If guests are allowed, they are by default granted the right to query; use guest_acl to assign them a different list. The default value is no, which is the safer setting: enable guests only when unauthenticated queries are actually needed, and then pair allow_guest=yes with an explicit guest_acl so the effective rights do not rest on a default.

guest_acl=<acl_list_name>

Optionally assigns one of the acl_list_names defined in the [acls] section to guest users. It must appear after the allow_guest keyword. If no acl_list_name is specified, the default is none (no named list is assigned).

default_acl=<comma separated list>

Optional comma separated list of access types (see below) granted to authenticated clients, that is, clients whose public key is in authorized_keys_list, that have no [acls] entry of their own, either directly or via a group. If default_acl is omitted, such clients are treated as guests.

Groups section - [groups] allows the optional definition of user groups to simplify management of the access rights of users with similar requirements. The rights assigned to the group_name in the Access Control List section [acls] propagate to all users in the group.
[groups]
<group_name>=<user_name> [,<user_name>…]
Keyword and Parameter Descriptions
Keyword Description
<group_name>=<user_name> [,<user_name>…] Defines a named group and its members. The case-sensitive user_name/user-id of a connecting client must match a name listed in one or more group_names (or an entry in [acls]), otherwise the user is treated as a guest. A user_name may include a domain, e.g. user_name@server, but more commonly does not, which lets a single NaCl key pair serve an individual who has accounts on multiple systems.
Access Control List section - [acls] assigns one or more access "types" to individual users or groups as a comma separated list.
[acls]
<user_name> | <group_name> = <access type list>
Keyword and Parameter Descriptions
Keyword Description
<user_name> | <group_name>

Individual user_name/user-id or group_name.

<access type list>
A comma separated list of one or more of the following access or authorization types, listed in ascending order of authority. Only these names are valid:
  • none - Explicitly assigns no authorization. When present in a list, all other elements of the list are ignored.
  • query - Allows the client to query the daemon about the state of the daemon and its agents, including the SQDmon utility Inventory and Display commands.

  • exec - Allows the client to start or stop agents. This type is both agent-type and platform specific: Engine and Program types (Program includes the scripts supported on the platform) may be started and stopped only on platforms other than z/OS.

  • admin - Allows all rights. This level of access is required to reload a modified daemon configuration.

  • sysadm - Special right that allows the user to shut down the daemon itself. By default only the user that started the daemon has that ability, unless another user has been given sysadm explicitly or via a group in the acl.cfg file.

Notes:

  • When an access type list is assigned to a group_name, it propagates to all users in the group.
  • Access types are cumulative, so it is only necessary to list the highest access or authorization allowed for a user or group; exec implies query, and admin implies exec and query:
     [acls]
     admin=admin
     cntl=exec
     status=query
  • The user_name/user_id that starts the daemon is implicitly granted sysadm access, whether or not it is assigned to a group or individually given another access right.
  • Changes are not known to the daemon until the configuration file is reloaded with the SQDmon utility (which requires admin access) or the sqdaemon process is stopped and restarted.
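The resolution rules spread over the keyword descriptions and notes above (global section first, then [groups] and [acls]; # and -- comments; case-sensitive names; cumulative types with none overriding; guest and default_acl handling; implicit sysadm for the daemon's starter) are easy to get wrong by hand. The following Python parser and resolver is an added example written for this page, not SQData's own code or the daemon's actual logic: it validates an acl.cfg against the documented syntax and reports the effective access level a connecting client would receive. The sample configuration, the user and function names, and two choices the page leaves open are assumptions: a none entry anywhere in a user's applicable lists denies that user (the fail-safe reading), and a permitted guest with guest_acl=none gets the query right the page describes as the guest default.

```python
"""Validate a Connect CDC (SQData) daemon acl.cfg and resolve effective rights.
Added example for this page, not SQData's code. Function names, sample users
and the 'none' merge rule are assumptions; see the lead-in text."""

# Access types in the page's ascending order of authority; list index = level.
LEVELS = ["none", "query", "exec", "admin", "sysadm"]

# Constructed sample acl.cfg, laid out like the page's sample.
SAMPLE_CFG = """\
# daemon ACL - constructed sample
allow_guest=yes
guest_acl=guests
default_acl=query
[groups]
admin=sqdata
cntl=op1,op2
[acls]
admin=admin
cntl=exec
guests=none
op2=none
"""

def _types(value, lineno):
    """Split a comma separated type list; reject names the page does not define."""
    types = [t.strip() for t in value.split(",") if t.strip()]
    bad = [t for t in types if t not in LEVELS]
    if bad:
        raise ValueError(f"line {lineno}: unknown access type(s) {bad}")
    return types

def parse_acl_cfg(text):
    """Return (globals, groups, acls); raise ValueError on anything malformed."""
    globals_, groups, acls = {}, {}, {}
    section = None                        # None = the unnamed global section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("--"):
            continue                      # empty lines and comments
        if line.startswith("["):          # section header; names are case-sensitive
            section = line.strip("[] ")
            if section not in ("groups", "acls"):
                raise ValueError(f"line {lineno}: unknown section {line}")
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section is None:               # global keywords
            if key == "allow_guest" and value not in ("yes", "no"):
                raise ValueError(f"line {lineno}: allow_guest must be yes or no")
            if key == "guest_acl" and "allow_guest" not in globals_:
                raise ValueError(f"line {lineno}: guest_acl must follow allow_guest")
            globals_[key] = _types(value, lineno) if key == "default_acl" else value
        elif section == "groups":
            groups[key] = [u.strip() for u in value.split(",") if u.strip()]
        else:
            acls[key] = _types(value, lineno)
    guest_acl = globals_.get("guest_acl", "none")
    if guest_acl != "none" and guest_acl not in acls:
        raise ValueError(f"guest_acl={guest_acl} names no [acls] entry")
    return globals_, groups, acls

def level_of(types):
    """Collapse a type list as the page says: 'none' wins, else the highest type."""
    if not types or "none" in types:
        return 0
    return max(LEVELS.index(t) for t in types)

def effective_level(cfg, user, authenticated=True, daemon_owner=None):
    """Level 0..4 for a connecting client, or None if the connection is refused.
    authenticated=False = NaCl handshake ok but key not in authorized_keys_list."""
    globals_, groups, acls = cfg
    if user == daemon_owner:
        return LEVELS.index("sysadm")     # the daemon's starter is implicitly sysadm
    if authenticated:
        types = list(acls.get(user, []))  # direct entry plus every group the user is in
        types += [t for g, members in groups.items() if user in members
                  for t in acls.get(g, [])]
        if types:                         # assumption: 'none' anywhere denies (fail-safe)
            return level_of(types)
        if "default_acl" in globals_:     # no entry directly or via a group
            return level_of(globals_["default_acl"])
        # no default_acl either: the page says such a client is treated as a guest
    if globals_.get("allow_guest", "no") != "yes":
        return None                       # guests refused
    name = globals_.get("guest_acl", "none")
    if name == "none":                    # no list named: the page says guests may query
        return LEVELS.index("query")
    return level_of(acls[name])

def can(cfg, user, right, **kw):
    """True if the client may do something needing `right` (types are cumulative)."""
    level = effective_level(cfg, user, **kw)
    return level is not None and level >= LEVELS.index(right)

def validation_error(text):
    """Return the parser's message for a malformed file, or None if it parses."""
    try:
        parse_acl_cfg(text)
    except ValueError as exc:
        return str(exc)
    return None
```

Run validation_error over a real acl.cfg before reloading the daemon: an access type outside the documented set (for example read) or a guest_acl placed before allow_guest is reported with its line number, and effective_level lets you confirm that no user, group member or guest ends up with more than intended.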

The acl.cfg file can be edited directly, or on z/OS it can be recreated with JCL similar to sample member CRDAEMON included in the distribution. That JCL includes steps to create both the Access Control List and the Agent Configuration file; edit it to conform to the operating environment. The example below sets the file mode to owner read/write only, since no other user needs access to the ACL.

Example
//*-----------------------------------------------------------------
//* CREATE AND POPULATE THE ACL.CFG FILE
//* PATHMODE: OWNER READ/WRITE ONLY, THE ACL NEEDS NO OTHER ACCESS
//*-----------------------------------------------------------------
//CRACL    EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT2   DD PATH='/home/sqdata/daemon/cfg/acl.cfg',
//            PATHOPTS=(OWRONLY,OCREAT,OTRUNC),
//            PATHMODE=(SIRUSR,SIWUSR),
//            PATHDISP=(KEEP,DELETE),
//            FILEDATA=TEXT
//*
//SYSUT1   DD *
allow_guest=yes
guest_acl=none
default_acl=query
[groups]
admin=<sqdata_user>
cntl=<user_name1>,<user_name2>
status=<user_name3>,<user_name4>
[acls]
admin=admin
cntl=exec
status=query
/*