27.2.7. Controlling Access to At and Batch

You can restrict the access to the at and batch commands using the /etc/at.allow and /etc/at.deny files. These access control files use the same format defining one user name on each line. Mind that no whitespace are permitted in either file.
If the file at.allow exists, only users listed in the file are allowed to use at or batch, and the at.deny file is ignored.
If at.allow does not exist, users listed in at.deny are not allowed to use at or batch.
The at daemon (atd) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to execute the at or batch commands.
The root user can always execute at and batch commands, regardless of the content of the access control files.