AS/400 Remove Command Line Capabilities

2480 pts.
iSeries Commands
Is there a way to remove command line capabilities on the fly for a specific cmd/panel ? I understand about setting Limit Capabilities to *YES on a Users Profile.

Answer Wiki

Thanks. We'll let you know when a new response is added.


I don’t believe this is possible. What are you trying to acheive with this?


Martin Gilbert.

Discuss This Question: 4  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • wpoulin
    QSECADM creates and deletes user profiles in our shop. Does not have the authority to delete objects owned by these profiles QSECADM is trying to delete. I initially created a CL that runs under QSECOFR authority and does wrkobjown against the profile. This gives QSECADM the bility to delete, change owner etc on these objects, but it also has command line capabilities which I don't want to allow . Another thought would be to change ownership of these objects to a temp user profile, then allow QSECADM access to these objects. Any other ideas ? Thanks, Bill
    2,480 pointsBadges:
  • bvining
    Since you asked for ideas... you could build your own streamlined version of wrkobjown. The List Objects User is Authorized to, Owns, or is Primary Group of API QSYLOBJA can be used to get a list of objects the user is authorized to. With parameter 5, Returned objects, you can request that only the objects owned be returned. You would need to call the API twice (once for library based objects, once for IFS based objects) and then, most likely, build a subfile and enable whatever actions/operations you wanted QSECADM to be able to do. Obviously a command line would not be part of your application lol Bruce Vining Integrated solutions for the System i user community
    7,070 pointsBadges:
  • wpoulin
    What I have ended up doing is writing 2 CLP's. The first does some verification ie; verifying the user running this CL is QSECADM, verifying the profile name passed to be worked with is actually a user profile etc. Then I call a 2nd CL that does DSPUSRPRF of the requested profile to an outfile, Read from the outfile and GRTOBJAUT to the objects to QSECADM. Then return to the 1st CL and use WRKOBJOWN to allow QSECADM the ability to delete, change ownership etc of the owned objects. The 1 st CL runs under *USER Authority, The 2nd CL runs under QSECOFR authority. This way even though QSECADM has command line on the WRKOBJOWN display, they are running under their own authority. Thanks for your assistance, Bill
    2,480 pointsBadges:
  • TomLiotta
    QSECADM creates and deletes user profiles in our shop. Note that having a profile of that name is potentially a bad idea. The initial letter 'Q' should be avoided. Such a name should be expected only to be created by IBM, and, as such, should be expected to be changed by IBM at any time. It probably will never happen, but the habit should be enforced. Tom
    125,585 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: