Setting up AS400 User Profile
Home > IT Answers > AS/400 > Setting up AS400 User Profile
GHENDER
50 pts.
0
Q:
Setting up AS400 User Profile
AS/400 security, AS/400 user profiles
Currently, our users all have command line access and they have figured out how to change their batch jobs to run in another job queue. I set up a test user with user class=*user, limit capabilities=*yes and special authority=*no. However, the user can still change his jobs to run in another queue and he still has access to a command line. What am I doing wrong? Also, I don't know if it matters but our level of security on our AS400 is 30 and we are currently on operating system V5R4.
ASKED: Mar 31 2009  4:40 PM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
RELATED QUESTIONS
0
TomLiotta
7525 pts.
0
A:
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
  • AddThis Social Bookmark Button
Do the usrprfs have an initial program that is giving them command line access? If not, change the attention program to *NONE and they shouldn't be able to get to a command line. Also, verify that the intial pgm is not adopting authority of a user with *JOBCTL.


- - - - - - - - - - - - - - - - - - - -- -

on the user profiles of those you need to disarm, specify 'Limit Capabilities'
here's the help text

Limit Capabilities - Help

o *YES: The user cannot change the initial program,
initial menu, current library, and attention key
handling programs. The user cannot run commands from
command lines.


you will need to ensure they can access everything they need to do their jobs from a menu....


Yorkshireman

==========================================================

If you don't want users submitting jobs to particular job queues, why do they have authority to those queues? Remove the job queue authority.

Tom
Last Answered: Oct 17 2009  9:09 AM GMT by TomLiotta   7525 pts.
Latest Contributors: Yorkshireman   3200 pts., DanD   1890 pts.
  •   
0
0
RSS - Discussions Help
Discuss This Answer:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _



_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

RVP400   250 pts.  |   Apr 1 2009  5:17PM GMT

DanD,

even without and attention program, its still possible to acces a command line via the “Work with printer output” option on the “Operational Assistant (TM) Menu”.

GHENDER,

you need to go deeper. I agree with DanD on one thing - without *JOBCTL they should be more limited, but if you want to prevent them from changing their jobs, try the following:
Create user groups (IT, power-users, normal-users and so on);
Set the group of each user on the system;
Change the CHGJOB command(s) (this is a bit dangerous and must be done only as a last resort!!) authorities in order to *EXCLUDE the “normal-users” group, for instance. Or all groups except IT, but leave the Qxxxx authorities as they are.

 

TomLiotta   7525 pts.  |   Nov 4 2009  3:32AM GMT

Note that *JOBCTL is not needed for a user to control his/her own jobs. *JOBCTL lets users control other users’ jobs.

Tom

 

Teandy   3215 pts.  |   Nov 4 2009  5:01PM GMT

Take away public authority to the CHGJOB command.

 
0