OS/400 System Security; Limiting User Capabilities

IBM iSeries
tips and tricks
We have set up our AS/400 user profiles with Limit Capabilities *NO. However, this does not keep them from being able to enter a command on a command line. How do we accomplish this?

Answer Wiki


Have you changed the command (whichever command you want them not to use) to say limited users no?

Discuss This Question: 4  Replies

  • TheQuigs
    If you really mean that your user profiles are LMTCPB(*NO), you're living dangerously. The only way to prevent the users from entering a command is to revoke authority to the command (RVKOBJAUT) for the user. It's better to have most users LMTCPB(*YES) -- then they can't enter commands like CLRPFM and wipe out production data. Several commands are still available to LMTCPB(*YES) users, such as: WRKSBMJOB, DSPMSG, ....
  • astradyne
    Why? If you don't want your users to enter a command on the command line, then you should set the Limit Capabilities parameter for the user to *YES. If you want the user to use certain commands there is an attribute on all commands "Allow Limited Users", ALWLMTUSR, which you can set to yes so that users can use it. Use the command:
    CHGCMD command ALWLMTUSR(*YES)
    ALWLMTUSR(*YES) allows the user to enter the command directly on a command line. Commands with ALWLMTUSR(*NO) can still be run by users if they are "wrapped" by CL programs and put on menus, etc.
    All the best
    Jonathan
  • TomLiotta
    Always be aware that the LMTCPB() attribute of a user profile refers to _command line_ execution of commands. This attribute has been around from the beginning, before such concerns as network access became an issue. LMTCPB() says _nothing_ about whether a user can cause commands to be executed through FTP subcommands for example. Or a user might be restricted from the DLTF command on a command line, but that same user could easily right-click the file in a Windows Network Neighborhood view and select 'Delete' from the context menu. Or... well, there are too many possibilities to consider unless you truly restrict access to direct-attach terminals or telnet sessions.
  • TomLiotta
    If you don't want users entering commands on command lines, why are command lines being presented to the users? Users should be able to enter any command and run it. It's not the command that's dangerous -- it's the authorities or capabilities that you have granted to the users. A user who doesn't have the authority to delete a file can run the DLTF command all day long and the file still won't be deleted. Tom
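The settings named in the replies above, gathered into one CL sequence as an added example (not posted by any participant in the thread). The profile APUSER01, the file PRODLIB/ORDERS and the choice of WRKSPLF as the extra permitted command are hypothetical placeholders.

```cl
/* Added example; APUSER01, PRODLIB/ORDERS and WRKSPLF are placeholders. */

/* 1. Limit the profile. On a command line the user can then enter only */
/*    commands that are flagged ALWLMTUSR(*YES).                        */
CHGUSRPRF USRPRF(APUSER01) LMTCPB(*YES)

/* 2. Flag one additional command as usable by limited users.           */
CHGCMD CMD(QSYS/WRKSPLF) ALWLMTUSR(*YES)

/* 3. Take away the user's authority to a destructive command object.   */
/*    RVKOBJAUT removes only authority granted to that user; if *PUBLIC */
/*    still has *USE, the user can still run the command. An explicit   */
/*    *EXCLUDE entry for the user denies it regardless of *PUBLIC.      */
RVKOBJAUT OBJ(QSYS/CLRPFM) OBJTYPE(*CMD) USER(APUSER01) AUT(*ALL)
GRTOBJAUT OBJ(QSYS/CLRPFM) OBJTYPE(*CMD) USER(APUSER01) AUT(*EXCLUDE)

/* 4. Protect the data object itself, so the result is the same from a  */
/*    command line, FTP or a mapped network drive. *USE carries no      */
/*    *OBJEXIST or delete rights, so DLTF against the file fails.       */
GRTOBJAUT OBJ(PRODLIB/ORDERS) OBJTYPE(*FILE) USER(APUSER01) +
          AUT(*USE) REPLACE(*YES)

/* 5. Verify each setting.                                              */
DSPUSRPRF USRPRF(APUSER01)                   /* Limit capabilities      */
DSPCMD    CMD(QSYS/WRKSPLF)                  /* Allow limited user      */
DSPOBJAUT OBJ(QSYS/CLRPFM) OBJTYPE(*CMD)     /* Authority to command    */
DSPOBJAUT OBJ(PRODLIB/ORDERS) OBJTYPE(*FILE) /* Authority to data       */
```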
