AS/400 Command Line and Initial Program and Menu

Tags:
AS/400
Command line
Hi guys! Rather urgent: I'd like to understand what the user is able to do and the differences between the following scenarios:
Initial Menu = OperationX, and Initial PGM = *NONE, and LMTCTP = YES

Initial Menu = SIGNOFF, Initial PGM = ABC, and LMTCTP = Yes
What's bugging me most here is: if INLPGM is set and MENU is SIGNOFF, what is the program doing? Just loading the data and menu? Then if I have both a set menu and a set initial program, what's the difference? Is there a more risky scenario? I've already read the Redbooks, please be detailed if possible. Thanks so much!


Software/Hardware used:
as400

Answer Wiki


You need to figure out what the initial program is actually doing. It is possible that it is simply setting the library and displaying the initial menu. Or, it could be a program controlled menu (not a true menu as the AS/400 understands it) to keep the user from getting a command line. 

Basically, if you want the user to have a command line, use a standard menu. If you don’t, set the initial menu to *SIGNOFF and have a program control their actions.

Discuss This Question: 4  Replies

 
  • Splat
    This is the help text associated with the INLMNU parameter: 

    *SIGNOFF                                                  
        The system signs off the user when the program        
        completes.  This is intended for users authorized only
        to run the program.                                   
  • aldc123
    Okay. What if I have some inappropriate accesses to command line - how would I mitigate that from a risk perspective?
  • Splat
    You can use the user profile LMTCPB parameter to restrict some of the commands the user accesses. While you're at it you'd probably be well served by reviewing the authorities you're granting to users.
  • TheRealRaven
    It depends on what you mean by "inappropriate accesses".

    If a user doesn't have authority to inappropriately alter objects, then it doesn't matter what they do on a command line. If a user isn't granted the authority to delete FILEX, the user can run a DLTF FILEX command as many times as wanted; but FILEX won't be deleted. If the file isn't deleted, would you consider "DLTF FILEX" to be an "inappropriate access"?

    But if you give a user the authority to delete FILEX and the user deletes it, is that then "inappropriate access"? When you give out excess authority, how is any user supposed to know what's "inappropriate"?

    The only reason to worry about a command line is because users have way too much authority. Under that circumstance, command lines are not the biggest worry.
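
One way to review the settings discussed in this thread across all enabled profiles, as an added example that is not part of any poster's reply. It assumes the IBM i catalog view QSYS2.USER_INFO is available on the system; the review_note wording is illustrative only.

```sql
-- Added example: list each enabled profile's LMTCPB, INLPGM and INLMNU
-- settings next to its special authorities, so command-line exposure and
-- excess authority can be reviewed together.
-- Assumption: QSYS2.USER_INFO exists on this release of IBM i.
SELECT authorization_name,
       limit_capabilities,                          -- LMTCPB
       initial_program_library_name AS inlpgm_lib,  -- INLPGM library
       initial_program_name         AS inlpgm,      -- INLPGM
       initial_menu_library_name    AS inlmnu_lib,  -- INLMNU library
       initial_menu_name            AS inlmnu,      -- INLMNU
       user_class_name,
       special_authorities,
       CASE
         -- Broad authority matters more than the command line itself.
         WHEN special_authorities LIKE '%*ALLOBJ%'
           THEN 'Has *ALLOBJ: review granted authority first'
         -- LMTCPB is *NO or *PARTIAL.
         WHEN limit_capabilities <> '*YES'
           THEN 'LMTCPB is not *YES: command use is not limited'
         -- Second scenario from the question: INLPGM set, INLMNU(*SIGNOFF).
         WHEN initial_menu_name = '*SIGNOFF'
              AND initial_program_name <> '*NONE'
           THEN 'Program-controlled session: review what INLPGM does'
         -- First scenario from the question: menu only, no initial program.
         WHEN initial_program_name = '*NONE'
           THEN 'Menu only: review the options the initial menu offers'
         ELSE 'Initial program and menu both set: review both'
       END AS review_note
  FROM qsys2.user_info
 WHERE status = '*ENABLED'
 ORDER BY limit_capabilities,
          authorization_name;
```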
