AS400 Command Line
Is there a way to limit user access? I want to eliminate the capability of entering wrksplf (username) [username][/username]on the command line. Thanks,
Software/Hardware used:
Software/Hardware used:
ASKED:
December 29, 2009 3:44 PM
UPDATED:
December 30, 2009 3:03 PM
Answer Wiki:
Yes, you can do that.
On the USRPRF change LMTCPB(*YES)
Limit Capabilities *YES will not allow entry for commands on the command line.
*
If it is only select commands you want to limit, then you need to CHGOBJAUT for the commands.
*
If it is only selected parms, then you need to create your own version of the commands and modify what can be changed.
========================================================
The question is ambiguous. Are you trying to stop users from accessing their own spooled files? You can't. Restricting WRKSPLF won't do it. Are you wanting them not to access spooled files of other users? Then take away *SPLCTL (and perhaps *JOBCTL.)
The problem is that spooled files can be accessed in easy ways outside of WRKSPLF from a command line. Simple example is WRKOUTQ. Or GO MAIN, option 1, option 5. Or a number of other possibilities, not to mention lstsplf.exe and wrksplf.exe in a iSeries Access program directory on a PC. Far too many commands and menus lead to spooled files.
What you have to do is remove the <i>capability</i> to manage spooled files of others.
Tom
To see all answers submitted to the Answer Wiki: View Answer History.
A couple additions to Charlie’s excellent answer. Limit capabilities is ignored by the system if the security level is 10, but hopefully that is not the case as that opens up a whole slew of security problems.
Also beware that changing the limit capabilities of a user to *YES may have the undesirable side affect of limiting them from other commands and tasks that they already use and need.
one way to escape from this part is by putting the user to the same group profile which will allow them to use only certain commands…
or another way is to give them menu interface which they can only select where they would like to go….if you are using limit capabilities = yes, and you would want them to run certain commands, you have to wrkcmd (type of command) and allow those with menu to access it.