generally you should have this setup:
- exports should only allow connections from the bsa infrastructure - appservers, socks proxies, repeaters. all user nsh access should go through a nsh proxy (appserver).
- generally a '<appserver ip> ro' should be sufficient.
- in users.local there should be a failsafe mapping that will let you recover acls and have access to the box so that if you mess up acls (users file) you still have a way in.
- users should have whatever the acl push job resolves for the target based on the permissions you have setup on the server object and associated components. you shouldn't manually manage the file.
if you want more security, use the x509 cert authentication, which prevents ip spoofing getting around the exports file.
exports is the gatekeeper - if your host doesn't match the conditions in exports - eg the ip doesn't match - then you don't get access no matter what is set later in users.local or users. for example in users.local you could put something like: root rw,map=root,host=22.214.171.124 which would allow root connecting from 126.96.36.199 to map to root on this system. but the connection from 188.8.131.52 would only get that far if it was allowed in exports.
in your setup, you allow anyone to connect to the rscd (assuming the network/firewall/etc lets them through) and are mapped rw to 'nobody' or 'Anonymouns'. Then whatever mappings are in users.local or users apply (first match). if there is not a 'nouser' entry in users (normally there from an acl push) and there was no match in users.local or users then you retain the rw mapping to nobody/Anonymous
Thank you for your response.
In that case I will our BL Servers to that list as RO and will at the Certificate option