AS/400 command line

AS/400 commands
AS/400 Permissions
What is the command and steps to disable command line access in AS400?

Answer Wiki


You can do this “en masse” like this: WRKUSRPRF *ALL

Place a 2 “Change” beside all the profiles you want to change.

Type this on the command line and press Enter.

Now Limit capabilities on all the selected profiles will be changed to *YES.

Limit capabilities (LMTCPB) – Help

Specifies the limit to which the user can control the program, menu,
current library, and the ATTN key handling program values. It also
determines whether the user can run commands from a command line.
This parameter is ignored when the security level is 10.

Note: When creating or changing other users’ user profiles, you
cannot specify values on this parameter that grant greater
capabilities to other users than your own user profile grants to
you. For example, if *PARTIAL is specified for the Limit
capabilities (LMTCPB) parameter in your user profile, you can
specify *PARTIAL or *YES for another user. You cannot specify
*NO for another user.

The program, menu, and current library values cannot be changed
on the sign-on display. Commands cannot be run when issued from
a command line or by selecting an option from a command grouping
menu such as CMDADD, but can still be run from a command entry
screen. The user cannot change the program, menu, current
library, or the ATTN key program handling values by using the
CHGPRF command.


For completeness, LMTCPB(*YES) doesn’t restrict access to command lines nor does it stop users from entering and executing commands. Rather, it stops users from executing commands that do not have the ALWLMTUSR(*YES) attribute set. Commands such as DSPMSG and DSPJOB are still available. A half dozen or so commands are set by default from IBM. Any other command that has had the attribute set has also been made available. (Subject to authorities.)
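The settings discussed in this answer, as a short CL program. This is an added example, not code from the thread; APPLIB/APPCMD and APPLIB/ORDERS are hypothetical placeholder names to replace with your own objects, and the profile name is passed in as a parameter.

```cl
/* Added example: limit one profile and review what it can still run. */
PGM        PARM(&USER)
  DCL      VAR(&USER) TYPE(*CHAR) LEN(10)

  /* LMTCPB is ignored at security level 10, so record QSECURITY first. */
  DSPSYSVAL  SYSVAL(QSECURITY) OUTPUT(*PRINT)

  /* Limit the profile. The value is set on each user profile; per the  */
  /* replies in this thread it is not inherited from a group profile.   */
  CHGUSRPRF  USRPRF(&USER) LMTCPB(*YES)
  MONMSG     MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG  MSG('CHGUSRPRF failed, see the job log')
    RETURN
  ENDDO

  /* Print the profile to confirm Limit capabilities now shows *YES.    */
  DSPUSRPRF  USRPRF(&USER) TYPE(*BASIC) OUTPUT(*PRINT)

  /* A limited user can still run any command that has ALWLMTUSR(*YES). */
  /* Print the attributes of one such command to see the setting.       */
  DSPCMD     CMD(QSYS/DSPJOB) OUTPUT(*PRINT)

  /* Withdraw a locally created command from limited users.             */
  /* APPLIB/APPCMD is a hypothetical name.                              */
  CHGCMD     CMD(APPLIB/APPCMD) ALWLMTUSR(*NO)

  /* What the user may do to an object is decided by object authority,  */
  /* not by LMTCPB. APPLIB/ORDERS is a hypothetical file.               */
  DSPOBJAUT  OBJ(APPLIB/ORDERS) OBJTYPE(*FILE) OUTPUT(*PRINT)
ENDPGM
```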


Discuss This Question: 5  Replies

  • CharlieBrowne
    On the USRPRF, you can use the keyword LMTCPB. If you set it to *YES, the user will not be able to enter commands.
    62,385 points
  • charlieblue
    What if the user inherits special authorities from a group? Does it inherit the limit capabilities parameter from the group?
    10 points
  • TheRealRaven
    @charlieblue: It's trivially easy to test, but "No".
    36,320 points
  • ToddN2000
    No, that would defeat the purpose of the security.
    135,295 points
  • TheRealRaven
    For "What is a command line?", it's an entry area where system or user commands can be entered for execution as commands. For how to limit it, the very first thought is that if it needs to be limited, your system has far more risky vulnerabilities that should be higher priority.

    You can limit (but not remove) the ability to run arbitrary commands through most command lines by setting the LMTCPB(*YES) user profile attribute.

    You should determine why it's necessary. What authorities have been given to your users that limiting commands is meaningful? If you don't want a user to delete a file with a DLTF command for example, you should determine why such a user would ever have been given that much authority in the first place. Why give authority and then try to shut down all possibilities of using that authority? Command lines are only one way.
    36,320 points
