I believe what your looking for is a TCP exit program. you can locate the exit programs using the WRKREGINF command. You might want to look at third party product like PowerLock to secure them. Very easy to install and activate.
Object-level security is the way to go. I assume you know that because of your “BPCS security” comment.
The next step would be to use iSeries Navigator. Right-click your Connection and select Application Administration. You’ll want to review most things in there. Under the Client Applications tab, you should find how to restrict File Transfer, ODBC, etc., for groups or individuals. Under the Host Applications tab, you should find TCP/IP Utilities with FTP inside.
AppAdmin isn’t perfect. It misses a lot of granularity. But sometimes it’s good enough. There are related APIs if you want programmed control.
Next would be writing some exit programs. If requirements remain simple, the programs can be simple too. That’s a good thing because exit point programming can be sensitive to PTFs, upgrades and even changing LPPs. Some of the details get almost diabolic. And mistakes in your logic can result in opening access wider rather than asserting stronger control. At the worst, you can unintentionally open your system to the world. (“Come on in! No passwords needed!”)
Next would be commercial exit point products. <Disclaimer: I am employed by PowerTech, the company that created PowerLock — now Network Security.>
There are a lot of options, not all of them mentioned yet. But those are the likely directions you’d look.