Due to a recent Sarbanes-Oxley (SOX) audit we need to limit command line access from our users. Many of the legacy a/r, o/e menus contain a call to QCMDEXC for basic commands such as WRKSPLF, WRKSBMJOB. Do you have a suggestion to accomplish this without changing each menu?
There is an attribute associated with a user profile called:
LMTCPB - Limit capabilities
Its use is explained quite well in OS400 Command HELP...
Limit capabilities (LMTCPB) - Help
Specifies the limit to which the user can control the program, menu, current library, and the ATTN key handling program values. It also determines whether the user can run commands from a command line. This parameter is ignored when the security level is 10.
Note: When creating or changing other users' user profiles, you cannot specify values on this parameter that grant greater capabilities to other users than your own user profile grants to you. For example, if *PARTIAL is specified for the Limit capabilities (LMTCPB) parameter in your user profile, you can specify *PARTIAL or *YES for another user. You cannot specify *NO for another user.
The program, menu, and current library values can be changed when the user signs on the system. Users may change the program, menu, current library, or ATTN key handling program values in their own user profiles with the Change Profile (CHGPRF) command. Commands can be run from a command line.
The program and current library cannot be changed on the sign-on display. The menu can be changed and commands can be run from a command line. A user can change the menu value with the Change Profile (CHGPRF) command. The program, current library, and the ATTN key handling program cannot be changed using the CHGPRF command.
The program, menu, and current library values cannot be changed on the sign-on display.
The user cannot change the program, menu, current library, or the ATTN key program handling values by using the CHGPRF command.
Allow limited users (ALWLMTUSR) - Help
Specifies whether the command can be entered from the command line on a menu by a user whose profile is set for limited capabilities (the LMTCPB keyword on the Create User Profile (CRTUSRPRF) and Change User Profile (CHGUSRPRF) commands).
The limited user authority does not change.
This command cannot be entered from the command line on a menu by a user whose profile is set for limited capabilities.
This command can be entered from the command line on a menu by a user whose profile is set for limited capabilities.
Using these two attributes you should be able to easily satisfy your Sarbanes/Oxley audit requirements.
Dig Deeper on Past Releases
Related Q&A from Ken Graap
Find out if log files can be omitted during a save without causing problems in a full restore. Continue Reading
The BRMS Network feature allows a BRMS system to connect to other BRMS systems via a network, and enables a user to consolidate media such as backup ... Continue Reading
The only option to correct damage preventing file journaling is to use the RCLSTG command. Continue Reading