What can you do on the command line if you have it but have SPCAUT = *NONE?
You can do anything that you are authorized to do.
A 'special authority' (SPCAUT) is a way to short-circuit some authority checking. When you have a 'special authority', you don't need to be granted authority to do the things that the 'special authority' allows.
For example, if you create a spooled file, you can also delete it. You don't need SPCAUT(*SPLCTL) to delete your own spooled files.
But if you want to delete a spooled file that belongs to some other user profile, you either need SPCAUT(*SPLCTL) or you need to be granted sufficient authority to all the appropriate objects that may be involved in deleting spooled files.
Some 'special authorities' grant new capabilities. For example SPCAUT(*IOSYSCFG) gives the capability of changing elements of the system's I/O configuration and SPCAUT(*SERVICE) gives the capability of accessing system service functions. You can't grant authority for those; you must have the capability through the appropriate 'special authority'.
In general, no user ever needs anything beyond SPCAUT(*NONE).
...if that is the case, can I set the LMTCAP = *YES?
There is no required relationship between LMTCPB() and SPCAUT(). They control very different things.
The LMTCPB() attribute is used to determine which commands a user may execute from a command line. Each command has an attribute -- ALWLMTUSR() -- that can be set to either *YES or *NO. When a command has ALWLMTUSR(*NO), it cannot be executed on a command line by a user who has LMTCPB(*YES) -- even if the user has all 'special authorities'. (Of course, such a user has ways of obtaining the capability.)
LMTCPB(*YES) doesn't mean that a user can't execute a command. If the command can be reached through taking a menu option that runs the command, then the command will run.
LMTCPB() also has a role in what values may be entered into the Program/procedure, Menu and Current library fields on a Sign On display.
Some IBM-supplied commands are set by default with ALWLMTUSR(*YES). SNDMSG and DSPJOB are examples of commands that are available by default even to limited users. You can set the attribute to allow or disallow any command you choose (if you have authority). If you use LMTCPB() to control command-line usage, make sure you check the ALWLMTUSR() attribute of every command on your system that you might be concerned about. (Not just commands in QSYS!)
A limited user also might execute commands by typing them into a source member, compiling them as a CL program and running the program. If not CL, then REXX doesn't even need to be compiled. All of that can be done without access to a command line. Commands might be executed through ODBC or via RMTCMD or any rexec() client from a PC.
It's very good not to give any SPCAUT() to any user. The need should be restricted to system administrators and perhaps some operations staff.
Be very wary of relying on LMTCPB() for any degree of security if your system allows access through non-telnet network interfaces or if you haven't controlled attributes on commands. It can give a very misleading sense of security.
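One way to run the ALWLMTUSR() check described above across every library, and to review which profiles hold special authorities, is with SQL. This is an added example, not part of the original answer. It assumes the IBM i services views QSYS2.COMMAND_INFO and QSYS2.USER_INFO and the column names shown are available on your release; where they are not, DSPCMD shows the attribute one command at a time.

```sql
-- Added example. View and column names are assumptions about the
-- IBM i services catalog on your release; verify them before relying
-- on the output.

-- 1. Every command a LMTCPB(*YES) user may type on a command line.
--    Commands outside QSYS sort first, since those are the ones most
--    often overlooked when only IBM-supplied commands are reviewed.
SELECT command_library,
       command_name,
       text_description
  FROM qsys2.command_info
 WHERE allow_limited_user = 'YES'
 ORDER BY CASE WHEN command_library = 'QSYS' THEN 1 ELSE 0 END,
          command_library,
          command_name;

-- 2. Profiles that hold any special authority, shown together with
--    their LMTCPB() setting. The two attributes are independent, so a
--    profile can be limited on the command line and still carry
--    special authorities.
SELECT authorization_name,
       status,
       limit_capabilities,
       special_authorities
  FROM qsys2.user_info
 WHERE COALESCE(TRIM(special_authorities), '') NOT IN ('', '*NONE')
 ORDER BY limit_capabilities,
          authorization_name;
```

Any command in the first result that should not be open to limited users can be changed with CHGCMD ... ALWLMTUSR(*NO). The query covers command-line entry only, not the menu, compiled CL, REXX, ODBC or remote command paths mentioned above.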