The Server Access File

The foundation of AcuServer system security is the server access file. The server access file is an encrypted Vision file, named "AcuAccess" by default. This file is located in the /etc directory on UNIX servers and the root drive, which is normally the c:\etc directory on Windows NT, Windows 2000 to 2008 servers. You may rename the access file, and you can have multiple access files (for multiple instances of acuserve, for example) if desired.

The server access file contains one or more access records. These records define which users of which clients are permitted access to AcuServer.

CAUTION:
If you have upgraded from a version of AcuServer prior to 6.0.0, the server will detect and convert existing AcuAccess files the first time that they are opened. Updated AcuAccess files are not compatible with earlier versions of AcuServer. If you are operating in an environment that includes AcuServer Version 8.x, 7.x, or 6.x mixed with earlier versions of AcuServer, you must use duplicate AcuAccess files. You should not maintain a mixed environment.

The server access file is designed to support a wide range of access security, from very open to very restrictive. You choose the level of security best suited to your needs.

Note: We recommend that you use native system security rather than AcuServer system security. On Windows 2008 it is essentially required that you use system security. To use native security, you set the SECURITY_METHOD variable in both the runtime configuration file on the client and server configuration file on the server. You still create a server access file containing access records that define your user base, but the server access file is used only to check if the user connecting to the server is allowed to connect, and to check to which local account the connection should be mapped. See SECURITY_METHOD in Server Configuration Variables for more information.

Access records may include wild cards that allow all clients or all users (except root under UNIX and administrator under Windows NT, Windows 2000 to 2008) access to AcuServer. You can also create individual access records for each user of each client, as well as individual records listing users who are explicitly excluded from accessing files.

The individual access records allow you to specify the user ID that AcuServer will use when executing requests for users matching the given record. In this way you can assign a user ID that has exactly the privileges needed, and no more (typical of group access accounts).

In addition, every access record can include a password entry, which the application or user must match before AcuServer will establish a connection. If this password is set to "*", the user is explicitly denied access to AcuServer.

The security system is almost completely transparent to the end user. The user is made aware of the security system only when remote file access requires interactive password authentication.

Creation and modification of the server access file requires root privileges on UNIX, and administrator privileges on Windows NT, Windows 2000 to 2008.

On UNIX servers, the access file must be owned by root and cannot be writable by anyone other than root. If the access file does not exist, is not owned by root, or is writable by users other than root, AcuServer will not start. On Windows NT and Windows 2000 to 2008 servers, the access file must be owned by administrator or the administrators group and cannot be writable by anyone without administrator privileges. If the access file does not exist, is not owned by administrator or the administrators group, or is writable by users without administrator privileges, AcuServer will not start.