
Restricting specific user command line access

EXPERT RESPONSE FROM: Ken Graap

QUESTION POSED ON: 02 May 2008
Need to provide AS/400 command line access to users but restrict certain parameter values for some selective commands. (Actually, we are developing a command-line access utility that uses the list of allowed commands for each user from a control file. Also this control table will contain allowed parameters and parameter values for specific commands.) Is that possible easily?

Another thing you can take a look at is the "Limit Capabilities" attribute on a user profile in combination with the "Allow Limited User" attribute of a command.

You can limit command line usage for users by setting their "Limit Capabilities" attribute.

For example:

CHGUSRPRF USRPRF(KGRAAP) LMTCPB(*YES)  

Limit capabilities (LMTCPB) – IBM Supplied Help

Specifies the limit to which the user can control the program, menu, current library, and the ATTN key handling program values. It also determines whether the user can run commands from a command line. This parameter is ignored when the security level is 10.

Note: When creating or changing other users' user profiles, you cannot specify values on this parameter that grant greater capabilities to other users than your own user profile grants to you. For example, if *PARTIAL is specified for the Limit capabilities (LMTCPB) parameter in your user profile, you can specify *PARTIAL or *YES for another user. You cannot specify *NO for another user.

*SAME
The value does not change.

*NO
The program, menu, and current library values can be changed when the user signs on the system. Users may change the program, menu, current library, or ATTN key handling program values in their own user profiles with the Change Profile (CHGPRF) command. Commands can be run from a command line.

*PARTIAL
The program and current library cannot be changed on the sign-on display. The menu can be changed and commands can be run from a command line. A user can change the menu value with the Change Profile (CHGPRF) command. The program, current library, and the ATTN key handling program cannot be changed using the CHGPRF command.

*YES
The program, menu, and current library values cannot be changed on the sign-on display. Commands cannot be run when issued from a command line or by selecting an option from a command grouping menu such as CMDADD, but can still be run from a command entry screen. The user cannot change the program, menu, current library, or the ATTN key program handling values by using the CHGPRF command.

You can then change commands so they can be run by a "Limited Capabilities" user.

For example:

CHGCMD CMD(MyCommand) ALWLMTUSR(*YES)

Allow limited users (ALWLMTUSR) – IBM Supplied Help

Specifies whether the command can be entered from the command line on a menu by a user whose profile is set for limited capabilities (the LMTCPB keyword on the Create User Profile (CRTUSRPRF) and Change User Profile (CHGUSRPRF) commands).

*SAME
The limited user authority does not change.

*NO
This command cannot be entered from the command line on a menu by a user whose profile is set for limited capabilities.

*YES
This command can be entered from the command line on a menu by a user whose profile is set for limited capabilities.

Some IBM commands, like DSPJOB, are already set up with LMTCPB(*YES).

These simple attribute changes will let you easily control what commands can be executed from a command line. If you also want to restrict what command parameters can be changed by a user, you could do this via a command validity checking program. For more information on Validity Checking Programs, do a Google search and you'll find lots of stuff.

Here is an example though of a Validity Checking Program that limits which users can specify USER(*ALL) on the WRKSPLF command:

/* ************************************************************** */     
/* PROGRAM DESCRIPTION :                                          */     
/*                                                                */     
/* VALIDITY CHECKING PROGRAM FOR THE WRKSPLF                      */     
/*                                                                */     
/* SPECIAL COMPILE OPTIONS: NONE                                  */     
/*                                                                */     
/*           WRITTEN BY: KEN GRAAP 12/11/02                       */     
/*           UPDATED BY:                                          */     
/*                                                                */     
/* ************************************************************** */     
             PGM   PARM(&P1 &P2 &P3 &P4 &P5 &P6 &P7)                     
/* ************************************************************** */     
/*                                                                */     
/* DECLARE PROGRAM VARIABLES                                      */     
/*                                                                */     
/* ************************************************************** */     
             DCL        &ERRORSW *LGL                     /* Std err */  
             DCL        &MSGID *CHAR LEN(7)               /* Std err */     
             DCL        &MSGDTA *CHAR LEN(100)            /* Std err */     
             DCL        &MSGF *CHAR LEN(10)               /* Std err */     
             DCL        &MSGFLIB *CHAR LEN(10)            /* Std err */     
             DCL        VAR(&P1) TYPE(*CHAR) LEN(44)                        
             DCL        VAR(&P2) TYPE(*CHAR) LEN(7)                         
             DCL        VAR(&P3) TYPE(*CHAR) LEN(10)                        
             DCL        VAR(&P4) TYPE(*CHAR) LEN(1)                         
             DCL        VAR(&P5) TYPE(*CHAR) LEN(6)                         
             DCL        VAR(&P6) TYPE(*CHAR) LEN(10)                        
             DCL        VAR(&P7) TYPE(*CHAR) LEN(26)                        
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)                      
             DCL        VAR(&USERPARM) TYPE(*CHAR) LEN(10)                  
/* ************************************************************** */  
/*                                                                */  
/* GLOBAL MESSAGE MONITOR                                         */  
/*                                                                */  
/* ************************************************************** */  
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(STDERR1))     
/* ************************************************************** */  
/*                                                                */  
/* RETRIEVE USER NAME... ONLY ALLOW USER(*ALL) FOR CERTAIN USERS  */
/*                                                                */  
/* ************************************************************** */  

             RTVJOBA    USER(&USER)                                   

/*  RETURN IF THE USER IS AUTHORIZED TO USE ALL PARAMETER VALUES  */   
           IF         COND(&USER *EQ QSYSOPR *OR &USER *EQ QSECOFR +   
                        *OR &USER *EQ QSRV) THEN(GOTO CMDLBL(END))     

 /*  PARSE THE COMMAND PARAMETERS                                  */                                                                           
            CHGVAR     VAR(&USERPARM) VALUE(%SST(&P1 3 10))             

/*   CHECK THE VALUE OF THE PARAMETER USER                         */   

            IF         COND(&USERPARM *NE *ALL) THEN(GOTO CMDLBL(END))  

/*   USER IS NOT ALLOWED TO EXECUTE  WRKSPLF WITH USER *ALL        */   
/*   SEND A DIAGNOSTIC MESSAGE TO THE USER.                        */

 NOT_OK:     SNDPGMMSG  MSGID(CPD0006) MSGF(QCPFMSG) MSGDTA('0000 +   
                          YOU ARE NOT AUTHORIZED TO USE PARAMETER +   
                          USER *ALL.') MSGTYPE(*DIAG)                 

  /*   MESSAGE CPF0002  IS USED IN VALIDITY CHECKING PROGRAMS TO     */
  /*   INDICATE AN ERROR CONDITION                                   */

             SNDPGMMSG  MSGID(CPF0002) MSGF(QSYS/QCPFMSG) +           
                          MSGTYPE(*ESCAPE)                            
/* ************************************************************** */  
/*                                                                */  
/* NORMAL END OF PROGRAM                                          */  
/*                                                                */  
/* ************************************************************** */     
 END:        RETURN                                                      
/* ************************************************************** */     
/*                                                                */     
/* STANDARD ERROR PROCESSING                                      */     
/*                                                                */     
/* ************************************************************** */     
 STDERR1:               /* Standard error handling routine */            
             IF         &ERRORSW SNDPGMMSG MSGID(CPF9999) +              
                          MSGF(QCPFMSG) MSGTYPE(*ESCAPE) /* Func chk */  
             CHGVAR     &ERRORSW '1' /* Set to fail if error occurs */
 STDERR2:    RCVMSG     MSGTYPE(*DIAG) MSGDTA(&MSGDTA) MSGID(&MSGID) +   
                          MSGF(&MSGF) MSGFLIB(&MSGFLIB)                  
             IF         (&MSGID *EQ '       ') GOTO STDERR3              
             SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGFLIB/&MSGF) +             
                          MSGDTA(&MSGDTA) MSGTYPE(*DIAG)                 
            GOTO       STDERR2 /* Loop back for addl diagnostics */     
 STDERR3:    RCVMSG     MSGTYPE(*EXCP) MSGDTA(&MSGDTA) MSGID(&MSGID) +   
                          MSGF(&MSGF) MSGFLIB(&MSGFLIB)                  
             SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGFLIB/&MSGF) +                          
                          MSGDTA(&MSGDTA) MSGTYPE(*ESCAPE)                            
             ENDPGM                                                                   
 

To associate this validity checking program with the WRKSPLF command I entered this command:

CHGCMD CMD(WRKSPLF) VLDCKR(QGPL/VALWRKSPLF)
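
Added example (not part of the expert's answer and not IBM code): a Python model of the per-user control table the question describes, showing a deny-by-default check that rejects anything it cannot parse as KEYWORD(value), such as a library-qualified command or a value given by position. The table contents and the names CONTROL_TABLE, parse_command and check_command are assumptions made for illustration, and the parameter is written USER(...) as in the answer above.

```python
import re

# Constructed control table (not from the page):
# user -> command -> keyword -> allowed values.
# A command mapped to {} may be run only without parameters.
CONTROL_TABLE = {
    "KGRAAP": {
        "DSPJOB": {},
        "WRKSPLF": {"USER": {"*CURRENT", "KGRAAP"}},
    },
}

NAME = re.compile(r"[A-Z][A-Z0-9]*")
KEYWORD_OPEN = re.compile(r"([A-Z][A-Z0-9]*)\(")


class Denied(Exception):
    """Raised when a command string must be rejected."""


def parse_command(text):
    """Parse 'CMD KWD(value) ...' into (command, {keyword: value}); fail closed."""
    text = text.strip().upper()           # unquoted CL input is folded to upper case
    if "'" in text:
        raise Denied("quoted values are not supported by this check")
    m = NAME.match(text)
    if not m or text[m.end():m.end() + 1] not in ("", " "):
        raise Denied("command name must be a bare name (no library qualifier)")
    command, rest, params = m.group(0), text[m.end():].lstrip(), {}
    while rest:
        k = KEYWORD_OPEN.match(rest)
        if not k:                          # e.g. WRKSPLF *ALL: value given by position
            raise Denied("positional or malformed parameter")
        depth, end = 1, k.end()
        while end < len(rest) and depth:   # find the ')' that closes this keyword
            depth += {"(": 1, ")": -1}.get(rest[end], 0)
            end += 1
        if depth:
            raise Denied("unbalanced parentheses")
        if k.group(1) in params:
            raise Denied("keyword given twice")
        params[k.group(1)] = " ".join(rest[k.end():end - 1].split())
        rest = rest[end:].lstrip()
    return command, params


def check_command(user, text):
    """Return (allowed, reason). Anything not explicitly listed is denied."""
    try:
        command, params = parse_command(text)
    except Denied as exc:
        return False, str(exc)
    allowed = CONTROL_TABLE.get(user, {}).get(command)
    if allowed is None:
        return False, f"{command} is not in the control table for {user}"
    for keyword, value in params.items():
        if value not in allowed.get(keyword, ()):
            return False, f"{keyword}({value}) is not allowed for {user}"
    # An omitted keyword takes the command's own default, which this check never sees.
    return True, "ok"
```

A string-level check like this only sees what was typed; the validity checking program above sees the parameter values after the system has parsed the command, so it remains the backstop for positional and defaulted values.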