LMTCPB - Limit capabilities
Its use is explained quite well in the OS/400 command help:
Limit capabilities (LMTCPB) - Help
Specifies the limit to which the user can control the program, menu, current library, and the ATTN key handling program values. It also determines whether the user can run commands from a command line. This parameter is ignored when the security level is 10.
Note: When creating or changing other users' user profiles, you cannot specify values on this parameter that grant greater capabilities to other users than your own user profile grants to you. For example, if *PARTIAL is specified for the Limit capabilities (LMTCPB) parameter in your user profile, you can specify *PARTIAL or *YES for another user. You cannot specify *NO for another user.
*NO
The program, menu, and current library values can be changed when the user signs on the system. Users may change the program, menu, current library, or ATTN key handling program values in their own user profiles with the Change Profile (CHGPRF) command. Commands can be run from a command line.
*PARTIAL
The program and current library cannot be changed on the sign-on display. The menu can be changed and commands can be run from a command line. A user can change the menu value with the Change Profile (CHGPRF) command. The program, current library, and the ATTN key handling program cannot be changed using the CHGPRF command.
*YES
The program, menu, and current library values cannot be changed on the sign-on display. The user cannot change the program, menu, current library, or the ATTN key program handling values by using the CHGPRF command.
Allow limited users (ALWLMTUSR) - Help
Specifies whether the command can be entered from the command line on a menu by a user whose profile is set for limited capabilities (the LMTCPB keyword on the Create User Profile (CRTUSRPRF) and Change User Profile (CHGUSRPRF) commands).
*SAME
The limited user authority does not change.
*NO
This command cannot be entered from the command line on a menu by a user whose profile is set for limited capabilities.
*YES
This command can be entered from the command line on a menu by a user whose profile is set for limited capabilities.
Using these two attributes, you should be able to easily satisfy your Sarbanes-Oxley audit requirements.
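How the two attributes combine can be checked mechanically. The following Python is an added example, not part of the original article or of IBM's help text; it models the rules quoted above, together with the fact that a LMTCPB(*YES) user can enter only commands marked ALWLMTUSR(*YES). The function names and the profile and command data are constructed for illustration.

```python
# Added example: models the LMTCPB / ALWLMTUSR rules quoted above.
# All profile names, command settings and function names are constructed.

# Ordered from least to most capability, per the note in the LMTCPB help.
CAPABILITY_RANK = {"*YES": 0, "*PARTIAL": 1, "*NO": 2}


def may_assign(admin_lmtcpb, target_lmtcpb):
    """An administrator cannot grant more capability than their own profile has."""
    return CAPABILITY_RANK[target_lmtcpb] <= CAPABILITY_RANK[admin_lmtcpb]


def can_enter_command(user_lmtcpb, cmd_alwlmtusr, security_level=40):
    """True if the command line accepts the command for this profile.

    Object authority to the command is a separate check and is not modeled.
    """
    if security_level == 10:          # LMTCPB is ignored at security level 10
        return True
    if user_lmtcpb in ("*NO", "*PARTIAL"):
        return True                   # both values allow command-line use
    return cmd_alwlmtusr == "*YES"    # LMTCPB(*YES): only explicitly allowed commands


def audit(profiles, commands, approved_unlimited, security_level=40):
    """Flag unexpected command-line access and list what limited users can reach."""
    findings = []
    for name, lmtcpb in sorted(profiles.items()):
        if security_level == 10 or lmtcpb != "*YES":
            if name not in approved_unlimited:
                findings.append((name, lmtcpb, "command line not limited"))
            continue
        reachable = sorted(c for c, a in commands.items()
                           if can_enter_command(lmtcpb, a, security_level))
        findings.append((name, lmtcpb, "limited to: " + ", ".join(reachable)))
    return findings


# Constructed sample data, e.g. transcribed from DSPUSRPRF and DSPCMD output.
PROFILES = {"SECADMIN": "*NO", "APCLERK": "*YES", "HELPDESK": "*PARTIAL"}
COMMANDS = {"SIGNOFF": "*YES", "DSPMSG": "*YES", "WRKSPLF": "*NO", "DLTF": "*NO"}

if __name__ == "__main__":
    for finding in audit(PROFILES, COMMANDS, approved_unlimited={"SECADMIN"}):
        print(finding)
```

A profile set to *PARTIAL is reported alongside *NO because both leave the command line open; only *YES brings ALWLMTUSR into play.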
This was first published in November 2004