All users arrive on our iSeries through defined menus and their user profiles have LMTCPB(*YES) so even if they can get to a command line all they can use is the DSPJOB and SIGNOFF commands.

As far as finding out who might be using the commands, UPDDTA creates a temporary program named QDZTD00001 in QTEMP. If you have a file journalled this will show up as the program of record on any DB changes to the file.

For STRSQL it is not so straight forward. The program it logs as the update program is the last program in the job stack. For instance a user has a startup program of INITPGM and executes an STRSQL from a command line after signing on. When they update a record the journal shows the update program as INITPGM. As long as you recognize this program as other than a normal application program that is doing legitimate updates then this might suffice.