command restrict

pts.
Tags:
COMMANDS
restrict commands
How will you restrict a user from using any particular command?

Answer Wiki

Thanks. We'll let you know when a new response is added.

Using:
edtobjaut commandName *CMD
Add the user id and *exclude for rights

Phil
============
Depending on the command restricted it could affect this users ability to run programs that use that command.
Phil

================================================

The note that excluding the user might affect programs that contain the command is important. However, you can indeed assign authority of *EXCLUDE for a user to a *CMD object. …Unless, of course, the user has a special authority such as *ALLOBJ or *SPLCTL that overrides the exclusion.

It’s not the best way to do things by any means — it should only be intended as a short-term, stop-gap measure. There should be no reason to restrict users from command objects because they shouldn’t have rights to any objects that the commands might operate upon.

Tom

Discuss This Question: 2  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • DanD
    Object level authority is a perfectly acceptable way to control access to commands. Do you let programmers on your systems have access to PWRDWNSYS or ENDTCPSVR or ENDHOSTSRV commands? We only give programmers read rights to data in their job sphere but they have *JOBCTL so they can use a number of "dangerous" commands if authorized to them.
    2,865 pointsBadges:
    report
  • TomLiotta
    You can indeed exclude programmers from PWRDWNSYS, etc., by object authority. It just isn't very effective against competent developers. It's temporary for as long as a developer allows it to be effective. Do you also ensure that developers cannot create message files for production apps? If not, then object authority is probably insufficient. A message file can defeat it. Plenty of other possibilities exist. (Many!) Now, object authority is still a good idea. It is an excellent assistance for mistake avoidance. For developers, though, a combination of policy and trust is where the effort should be placed. Tom
    125,585 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following