Setting up AS400 User Profile
Currently, our users all have command line access and they have figured out how to change their batch jobs to run in another job queue. I set up a test user with user class=*user, limit capabilities=*yes and special authority=*no. However, the user can still change his jobs to run in another queue and he still has access to a command line. What am I doing wrong? Also, I don't know if it matters but our level of security on our AS400 is 30 and we are currently on operating system V5R4.
Software/Hardware used:
Software/Hardware used:
ASKED:
March 31, 2009 4:40 PM
UPDATED:
November 4, 2009 5:01 PM
Answer Wiki:
Do the usrprfs have an initial program that is giving them command line access? If not, change the attention program to *NONE and they shouldn't be able to get to a command line. Also, verify that the intial pgm is not adopting authority of a user with *JOBCTL.
- - - - - - - - - - - - - - - - - - - -- -
on the user profiles of those you need to disarm, specify 'Limit Capabilities'
here's the help text
Limit Capabilities - Help
o *YES: The user cannot change the initial program,
initial menu, current library, and attention key
handling programs. The user cannot run commands from
command lines.
you will need to ensure they can access everything they need to do their jobs from a menu....
Yorkshireman
==========================================================
If you don't want users submitting jobs to particular job queues, why do they have authority to those queues? Remove the job queue authority.
Tom
To see all answers submitted to the Answer Wiki: View Answer History.
DanD,
even without and attention program, its still possible to acces a command line via the “Work with printer output” option on the “Operational Assistant (TM) Menu”.
GHENDER,
you need to go deeper. I agree with DanD on one thing – without *JOBCTL they should be more limited, but if you want to prevent them from changing their jobs, try the following:
Create user groups (IT, power-users, normal-users and so on);
Set the group of each user on the system;
Change the CHGJOB command(s) (this is a bit dangerous and must be done only as a last resort!!) authorities in order to *EXCLUDE the “normal-users” group, for instance. Or all groups except IT, but leave the Qxxxx authorities as they are.
Note that *JOBCTL is not needed for a user to control his/her own jobs. *JOBCTL lets users control other users’ jobs.
Tom
Take away public authority to the CHGJOB command.