If you are using local file-based access control, it is possible to configure different sets of Allow and Deny rules for each individual authentication service. Per-service access control is only supported on PAM-based systems.Service-specific Allow or Deny rules take precedence over other access control rules that may be in effect.
The default directory for service access configuration files is /etc/opt/quest/vas/access.d. You can override this by setting the service-access-dir option in vas.conf. Access control rules are specified in files named <service>.allow and <service>.deny in the /etc/opt/quest/vas/access.d directory where<service> is replaced with the name service according to PAM.
The following example sshd service access control configuration allows members of the ssh_users group access, but not email@example.com
. This example assumes that you have created sshd.allow and sshd.deny in the /etc/opt/quest/vas/access.d directory:
# sshd.allow - Allow only users that are members of ssh_users group
# sshd.deny - deny jdoe access regardless of group membership
Note: If either of the <service>.allow or <service>.deny files exist, then both the users.allow and users.deny files will be ignored.
Note: The vas.conf options hide-if-denied and check-host-access do not support service-specific access control settings because there is no way to associate a service with the access checks performed by these options.
A service-specific allow file cannot allow a user explicitly denied by the Windows Security Policy.Per Service Access Control (PAM only)