Setting up AS400 User Profile

250 pts.
AS/400 security
AS/400 user profiles
Currently, our users all have command line access and they have figured out how to change their batch jobs to run in another job queue. I set up a test user with user class=*user, limit capabilities=*yes and special authority=*no. However, the user can still change his jobs to run in another queue and he still has access to a command line. What am I doing wrong? Also, I don't know if it matters but our level of security on our AS400 is 30 and we are currently on operating system V5R4.

Answer Wiki

Thanks. We'll let you know when a new response is added.

Do the usrprfs have an initial program that is giving them command line access? If not, change the attention program to *NONE and they shouldn’t be able to get to a command line. Also, verify that the intial pgm is not adopting authority of a user with *JOBCTL.

– – – – – – – – – – – – – – – – – – – — –

on the user profiles of those you need to disarm, specify ‘Limit Capabilities’
here’s the help text

Limit Capabilities – Help

o *YES: The user cannot change the initial program,
initial menu, current library, and attention key
handling programs. The user cannot run commands from
command lines.

you will need to ensure they can access everything they need to do their jobs from a menu….



If you don’t want users submitting jobs to particular job queues, why do they have authority to those queues? Remove the job queue authority.


Discuss This Question: 3  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • RVP400
    DanD, even without and attention program, its still possible to acces a command line via the "Work with printer output" option on the "Operational Assistant (TM) Menu". GHENDER, you need to go deeper. I agree with DanD on one thing - without *JOBCTL they should be more limited, but if you want to prevent them from changing their jobs, try the following: Create user groups (IT, power-users, normal-users and so on); Set the group of each user on the system; Change the CHGJOB command(s) (this is a bit dangerous and must be done only as a last resort!!) authorities in order to *EXCLUDE the "normal-users" group, for instance. Or all groups except IT, but leave the Qxxxx authorities as they are.
    270 pointsBadges:
  • TomLiotta
    Note that *JOBCTL is not needed for a user to control his/her own jobs. *JOBCTL lets users control other users' jobs. Tom
    125,585 pointsBadges:
  • Teandy
    Take away public authority to the CHGJOB command.
    5,860 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: