edtobjaut commandName *CMD
Add the user id and *exclude for rights
Depending on the command restricted it could affect this users ability to run programs that use that command.
The note that excluding the user might affect programs that contain the command is important. However, you can indeed assign authority of *EXCLUDE for a user to a *CMD object. …Unless, of course, the user has a special authority such as *ALLOBJ or *SPLCTL that overrides the exclusion.
It’s not the best way to do things by any means — it should only be intended as a short-term, stop-gap measure. There should be no reason to restrict users from command objects because they shouldn’t have rights to any objects that the commands might operate upon.