EXPERT RESPONSE
There is an attribute associated with a user profile called:
LMTCPB - Limit capabilities
Its use is explained quite well in OS400 Command HELP...
Limit capabilities (LMTCPB) - Help
Specifies the limit to which the user can control the program, menu,
current library, and the ATTN key handling program values. It also
determines whether the user can run commands from a command line. This
parameter is ignored when the security level is 10.
Note: When creating or changing other users' user profiles, you
cannot specify values on this parameter that grant greater
capabilities to other users than your own user profile grants to
you. For example, if *PARTIAL is specified for the Limit
capabilities (LMTCPB) parameter in your user profile, you can
specify *PARTIAL or *YES for another user. You cannot specify *NO
for another user.
*NO
The program, menu, and current library values can be changed when
the user signs on the system. Users may change the program, menu,
current library, or ATTN key handling program values in their own
user profiles with the Change Profile (CHGPRF) command. Commands can
be run from a command line.
*PARTIAL
The program and current library cannot be changed on the sign-on
display. The menu can be changed and commands can be run from a
command line. A user can change the menu value with the Change
Profile (CHGPRF) command. The program, current library, and the ATTN
key handling program cannot be changed using the CHGPRF command.
*YES
The program, menu, and current library values cannot be changed on
the sign-on display. Commands cannot be run when issued from a
command line or by selecting an option from a command grouping menu
such as CMDADD, but can still be run from a command entry screen.
The user cannot change the program, menu, current library, or the
ATTN key program handling values by using the CHGPRF command.
Once you have set a user profile to LMTCPB(*YES), the only way a command can be executed from a command line is if the command's attribute ALWLMTUSR (Allow limited users) is set to *YES.
Allow limited users (ALWLMTUSR) - Help
Specifies whether the command can be entered from the command line on a
menu by a user whose profile is set for limited capabilities (the LMTCPB
keyword on the Create User Profile (CRTUSRPRF) and Change User Profile
(CHGUSRPRF) commands).
*SAME
The limited user authority does not change.
*NO
This command cannot be entered from the command line on a menu by a
user whose profile is set for limited capabilities.
*YES
This command can be entered from the command line on a menu by a
user whose profile is set for limited capabilities.
Some IBM commands have this value set by default, for example DSPJOB, but most don't. Do a DSPCMD DSPJOB to see "Allow limited user . . . . . . . . . . : *YES".
Using these two attributes you should be able to easily satisfy your Sarbanes/Oxley audit requirements.
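The two attributes used together, as an added example that is not part of the original response: the CL commands below restrict one profile and then adjust which commands that profile can still enter on a menu command line. APPUSER, APPLIB and ORDINQ are hypothetical names chosen for illustration; CHGCMD is the command on which the ALWLMTUSR parameter is changed.

```cl
/* Added example. APPUSER, APPLIB and ORDINQ are hypothetical names.   */

/* 1. Limit the profile: program, menu and current library can no      */
/*    longer be changed at sign-on, and only ALWLMTUSR(*YES) commands  */
/*    are accepted on a menu command line.                             */
CHGUSRPRF  USRPRF(APPUSER) LMTCPB(*YES)

/* 2. Confirm the profile change took effect.                          */
DSPUSRPRF  USRPRF(APPUSER)

/* 3. Inspect a command before relying on it being blocked.            */
/*    Look for the "Allow limited user" line in the output.            */
DSPCMD     CMD(QSYS/DSPJOB)

/* 4. Close a command that ships open to limited users.                */
CHGCMD     CMD(QSYS/DSPJOB) ALWLMTUSR(*NO)

/* 5. Open one application command that limited users must be able to  */
/*    type, leaving every other command at its current setting.        */
CHGCMD     CMD(APPLIB/ORDINQ) ALWLMTUSR(*YES)
```

Because you cannot grant another profile greater capabilities than your own, run step 1 from a profile that is itself allowed to set the value you want, and repeat step 3 for each command you expect to be blocked rather than assuming the default.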