OS/400 command line

5 pts.
Is there a way not to display the OS400 command line when working with output queue? Our Internal auditor came up with recommendation to omit the OS/400 comman line while working with an output queue since access to it will result to security exposure.

Software/Hardware used:
RPG/iSeries 400

Answer Wiki

Thanks. We'll let you know when a new response is added.

Without writing your own command, it cannot be done.
BUT, you can let your auditor know that you can Limit capabilities of a user by their USRPRF. The can be restriced from using the CMD line, from using selected objects, etc. Try to explaing OS400 security to them

Discuss This Question: 2  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • jinteik
    im not sure for not to display, but u can put the limit capabilities.
    18,995 pointsBadges:
  • TomLiotta
    Your auditor should know that any security exposure from a command line indicates worse security problems than an exposed command line. Users shouldn't have authority to cause damage from any command that they might enter. If they have sufficient authority to cause damage through a command line, then the authority is where the exposure is. For example, a user might enter this command:
    If that command actually succeeds in deleting a payroll master file, then the security exposure is that the user has authority to delete an important file. That authority should not exist. If the authority doesn't exist, then users can run the command as many times as they want and nothing will happen. Further, it won't matter what interface the users go through. The user might try the FILE menu, take option 1 to "Work with files", enter PAYLIB/PAYMASTER as the file to work with, and finally take option 4=Delete. That will cause a DLTF command to be executed without typing it into a command line. But it won't delete a file that the user doesn't have authority to delete. Or an ODBC user might try to DROP the table from a remote PC. But it won't succeed if the authority doesn't exist. A command line shouldn't be the focus of an audit. Unfortunately, auditors generally don't know what they should be looking for. So, you're pretty much stuck with CharlieBrowne's answer. You can't get rid of the WRKSPLF command line. You can only replace it with programming that you write (or buy). Tom
    125,585 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: