Limiting access to a command line

Tags: AS/400, configuration, patching, PEN testing, Platform Security, Security, vulnerability management
Is there a way to remove a command line from a screen such as a WRKOUTQ OUTQ(nnnnn)? I am trying to find out how "developers" can look at reports on outqs such as qezjoblog without being able to make use of the command line. Setting the "limit capabilities" value on the profile does not seem to work as some commands can be executed and others cannot.

Answer Wiki


Not certain, but I think you just need to set LMTCPB (limit capabilities) to *YES on the User Profile.

Discuss This Question: 6  Replies

  • DDekreon
    lmtcpb will not secure it. Try changing the outq to exclude the programmers. Unless they have allobj and/or secadm authority, that should do it. If they have those authorities, forget it - there is no way to block their access.
  • TomLiotta
    1. If they're "developers", then they have access to command lines all over the place, not just on WRKOUTQ displays. Even in SEU while they are "developing", they have command-line access. And if they develop on a PC, such as with WDSC, then WDSC provides command access.
    2. Standard tools such as iSeries Navigator provide all necessary access completely outside of any green-screen interface.
    3. If they have *SPLCTL special authority, you can't stop them from viewing reports even if they're excluded from the *OUTQ and from the library that the *OUTQ resides in. Special authorities overrule private authorities.
    4. There is no way to remove the command line from WRKOUTQ nor any other similar IBM-supplied function. Certainly the WRKOUTQ command can be replaced by your own custom WRKOUTQ command, but where will you get it? From your developers? How will you trust that there's no back door? How will you know it blocks other routes into outqs/spooled files?
    5. LMTCPB(*YES) limits the ability to execute commands that have the ALWLMTUSR(*NO) attribute set. You use the CHGCMD command to set that attribute to allow/disallow whatever commands you choose. But it won't stop a *SPLCTL special authority user because of the various paths into outqs; a "command" isn't required -- menu access might be used instead, e.g. Further, if you restrict the command, then it can't be used regardless of what outq is named.
    What you need to do is decide the business functions that your developers require and then ask how that can be done. You have a good start with 'I am trying to find out how "developers" can look at reports on outqs such as qezjoblog without being able to make use of the command line.' If that's all there is to it, then it might be easy.
    1. Remove *SPLCTL from the developers' profiles, group profiles and profiles that developers have at least *USE rights to.
    2. Use the CHGOUTQ command to set these attributes to be as you need them: DSPDTA(*YES/*NO/*OWNER), OPRCTL(*YES/*NO) and AUTCHK(*OWNER/*DTAAUT). Use the F1=Help to get guidance on which attribute values are appropriate.
    And those two elements are pretty much it in a nutshell.
    Tom
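One way to carry out the two steps in Tom's reply as a CL program. This is an added example and not code from the thread; DEV1 and DEVGRP are hypothetical developer and group profiles, and the attribute choice assumes developers should be able to read files on QEZJOBLOG but not hold, release or delete files they do not own.

```cl
/* Added example, not from this thread. DEV1 (developer profile) and    */
/* DEVGRP (developer group profile) are hypothetical names.              */
PGM
  /* Step 1: special authorities override private authorities, so take  */
  /* *SPLCTL away. SPCAUT replaces the whole list; *NONE assumes the    */
  /* developer needs no other special authority. LMTCPB(*YES) confines  */
  /* the command line to commands with ALWLMTUSR(*YES).                 */
  CHGUSRPRF USRPRF(DEV1) SPCAUT(*NONE) LMTCPB(*YES)

  /* Weak queue setting: AUTCHK(*DTAAUT) lets anyone with *CHANGE on    */
  /* the queue hold, release or delete every file on it.                */
  /*   CHGOUTQ OUTQ(QUSRSYS/QEZJOBLOG) DSPDTA(*YES) AUTCHK(*DTAAUT)     */

  /* Step 2 (hardened): readers may display file data, but only a       */
  /* file's owner, the queue owner, or an operator (OPRCTL(*YES) with   */
  /* *JOBCTL) can control files that are not their own.                 */
  CHGOUTQ OUTQ(QUSRSYS/QEZJOBLOG) DSPDTA(*YES) OPRCTL(*YES) AUTCHK(*OWNER)

  /* Private authority: exclude the public, give the group *USE so it   */
  /* can list and view the queue without managing it.                   */
  GRTOBJAUT OBJ(QUSRSYS/QEZJOBLOG) OBJTYPE(*OUTQ) USER(*PUBLIC) +
            AUT(*EXCLUDE)
  GRTOBJAUT OBJ(QUSRSYS/QEZJOBLOG) OBJTYPE(*OUTQ) USER(DEVGRP) AUT(*USE)

  /* Keep WRKOUTQ callable by a limited-capability user, so it can be   */
  /* reached from a menu option without a general command line.         */
  CHGCMD CMD(QSYS/WRKOUTQ) ALWLMTUSR(*YES)
ENDPGM
```

Developers who also belong to other group profiles, or who have *USE to a profile that still carries *SPLCTL, can bypass this, which is why Tom's step 1 covers those profiles too.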
  • MichelleDavidson
    Here's what Mike Poweleit said you should do: The way we do it is to set all users by default to have no command line authority. For each command we want command line access to, we use the CHGCMD (Change Command) command with the parameter: Allow limited users . . . . . . *YES
  • MichelleDavidson
    Karl Dulaff said he had the same challenge of providing users with a WRKOUTQ-like screen without the command line. Here's what he did:
    "I wrote a subfile RPGLE program with a screen that looks just like the WRKOUTQ screen. It also has all the same functionality.
    "It uses the QUSLSPL (List Spooled Files) API to get the spool file data, so I also have to use the user space API programs QUSDLTUS, QUSCRTUS, QUSRTVUS.
    "All of the SPLF information is stored in each subfile record. For SPLF options I use IBM commands and QCMDEXC for execution. An example is option 1=Send. I use the LPR command and build the rest of the command thru an EVAL statement:
          eval      LPR = '?LPR FILE(' + %trim(splfnam) + ') ' +
                          'JOB(' + %trim(j_u_n) + ') ' +
                          'SPLNBR(' + %trim(splfnum) + ') '
          call      'QCMDEXC'                                     90
          parm                    LPR
          parm      150           length
    "Fields SPLFNAM, J_U_N and SPLFNUM come from the actual spool file and are retrieved by the QUSLSPL API program and stored in the subfile record."
    -- Michelle Davidson, editor, Search400.com
    (Note: If the formatting doesn't look right, I can email you the document Karl sent in.)
  • MichelleDavidson
    Jean-Paul Lamontre, one of our advisors on Search400, said you don't need a command line to WRKOUTQ:
    "Just use the standard menu: from menu MAIN choose 3, 1, 3, and you are on the WRKSPLF helper.
    "In this case, the error is not in restricting command line usage, but in allowing too much authority to programmers. First, try to remove at least *SPLCTL."
    -- Michelle Davidson, editor, Search400.com
  • MichelleDavidson
    Another user questioned why one would want to do this. He writes, "I can understand not wanting users to have access to the command prompt, but developers? If developers can't be trusted with a command line, then there's something wrong with this picture." -- Michelle Davidson, editor, Search400.com
