Another, less robust (but free!) method is to configure the TCP/IP portion of Application Administration (which is a feature of iSeries Navigator) to disallow FTP functions for selected (or all) users. To get to Application Administration, open an iSeries Navigator session, right click on the system name and choose "Application Administration." Click on the "Host Applications" tab. Open "TCP/IP Utilities for iSeries" and then open "File Transfer Protocol." From here you can click on the service you want to allow or disallow and then click the Customize button. From here you can add users to allow or disallow. In V5R3 there are green screen commands such as Work with Function Usage (WRKFCNUSG) you can use to configure who can use FTP, but I find the Application Administration interface much easier to use.
The Application Administration approach is an all or nothing method, meaning if you want to allow users to download some files but not all files, this method is not granular enough. In this case you may want to check out one of the many vendors that provide exit program solutions, as they are all quite granular as to who can do what through exit programs (FTP, ODBC, DDM, etc.). The limitation is that the control is ONLY through exit programs that OS/400 and i5/OS have defined and, therefore, will not be in effect through interfaces such as Web applications, sockets or command-line access.
Dig Deeper on FTP
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
When error messages arise concerning attempts to use a permanent system object without authority, find the source of the issue by looking for an AF ... Continue Reading