
Restricting specific user command line access

On i5/OS, to give users command line access while restricting the parameter values they may use on selected commands, Ken Graap recommends combining the user profile's "Limit Capabilities" attribute with the command's "Allow Limited User" attribute.

Need to provide AS/400 command line access to users but restrict certain parameter values for some selected commands. (Actually, we are developing a command-line access utility that uses the list of allowed commands for each user from a control file. This control table will also contain allowed parameters and parameter values for specific commands.) Is that easily possible?
Another thing you can take a look at is the "Limit Capabilities" attribute on a user profile in combination with the "Allow Limited User" attribute of a command.

You can limit command line usage for users by setting their "Limit Capabilities" attribute.

For example:

CHGUSRPRF USRPRF(KGRAAP) LMTCPB(*YES)  

Limit capabilities (LMTCPB) – IBM Supplied Help

Specifies the limit to which the user can control the program, menu, current library, and the ATTN key handling program values. It also determines whether the user can run commands from a command line. This parameter is ignored when the security level is 10.

Note: When creating or changing other users' user profiles, you cannot specify values on this parameter that grant greater capabilities to other users than your own user profile grants to you. For example, if *PARTIAL is specified for the Limit capabilities (LMTCPB) parameter in your user profile, you can specify *PARTIAL or *YES for another user. You cannot specify *NO for another user.

*SAME
The value does not change.

*NO
The program, menu, and current library values can be changed when the user signs on the system. Users may change the program, menu, current library, or ATTN key handling program values in their own user profiles with the Change Profile (CHGPRF) command. Commands can be run from a command line.

*PARTIAL
The program and current library cannot be changed on the sign-on display. The menu can be changed and commands can be run from a command line. A user can change the menu value with the Change Profile (CHGPRF) command. The program, current library, and the ATTN key handling program cannot be changed using the CHGPRF command.

*YES
The program, menu, and current library values cannot be changed on the sign-on display. Commands cannot be run when issued from a command line or by selecting an option from a command grouping menu such as CMDADD, but can still be run from a command entry screen. The user cannot change the program, menu, current library, or the ATTN key handling program values by using the CHGPRF command.

You can then change commands so they can be run by a "Limited Capabilities" user.

For example:

CHGCMD CMD(MyCommand) ALWLMTUSR(*YES)

Allow limited users (ALWLMTUSR) – IBM Supplied Help

Specifies whether the command can be entered from the command line on a menu by a user whose profile is set for limited capabilities (the LMTCPB keyword on the Create User Profile (CRTUSRPRF) and Change User Profile (CHGUSRPRF) commands).

*SAME
The limited user authority does not change.

*NO
This command cannot be entered from the command line on a menu by a user whose profile is set for limited capabilities.

*YES
This command can be entered from the command line on a menu by a user whose profile is set for limited capabilities.

Some IBM commands, like DSPJOB, are already set up with LMTCPB(*YES).

These simple attribute changes will let you easily control what commands can be executed from a command line. If you also want to restrict what command parameters can be changed by a user, you could do this via a command validity checking program. For more information on Validity Checking Programs, do a Google search and you'll find lots of stuff.

Here is an example though of a Validity Checking Program that limits which users can specify USER(*ALL) on the WRKSPLF command:

/* ************************************************************** */
/* PROGRAM DESCRIPTION :                                          */
/*                                                                */
/* VALIDITY CHECKING PROGRAM FOR THE WRKSPLF                      */
/*                                                                */
/* SPECIAL COMPILE OPTIONS: NONE                                  */
/*                                                                */
/*           WRITTEN BY: KEN GRAAP 12/11/02                       */
/*           UPDATED BY:                                          */
/*                                                                */
/* ************************************************************** */
             PGM        PARM(&P1 &P2 &P3 &P4 &P5 &P6 &P7)
/* ************************************************************** */
/*                                                                */
/* DECLARE PROGRAM VARIABLES                                      */
/*                                                                */
/* ************************************************************** */
             DCL        &ERRORSW *LGL                     /* Std err */
             DCL        &MSGID *CHAR LEN(7)               /* Std err */
             DCL        &MSGDTA *CHAR LEN(100)            /* Std err */
             DCL        &MSGF *CHAR LEN(10)               /* Std err */
             DCL        &MSGFLIB *CHAR LEN(10)            /* Std err */
/* ONE PARAMETER PER WRKSPLF PARAMETER, IN COMMAND DEFINITION ORDER */
             DCL        VAR(&P1) TYPE(*CHAR) LEN(44)      /* SELECT  */
             DCL        VAR(&P2) TYPE(*CHAR) LEN(7)
             DCL        VAR(&P3) TYPE(*CHAR) LEN(10)
             DCL        VAR(&P4) TYPE(*CHAR) LEN(1)
             DCL        VAR(&P5) TYPE(*CHAR) LEN(6)
             DCL        VAR(&P6) TYPE(*CHAR) LEN(10)
             DCL        VAR(&P7) TYPE(*CHAR) LEN(26)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&USERPARM) TYPE(*CHAR) LEN(10)
/* ************************************************************** */
/*                                                                */
/* GLOBAL MESSAGE MONITOR                                         */
/*                                                                */
/* ************************************************************** */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(STDERR1))
/* ************************************************************** */
/*                                                                */
/* RETRIEVE USER NAME... ONLY ALLOW USER(*ALL) FOR CERTAIN USERS  */
/*                                                                */
/* ************************************************************** */
             RTVJOBA    USER(&USER)

/*  RETURN IF THE USER IS AUTHORIZED TO USE ALL PARAMETER VALUES  */
             IF         COND(&USER *EQ QSYSOPR *OR &USER *EQ QSECOFR +
                          *OR &USER *EQ QSRV) THEN(GOTO CMDLBL(END))

/*  PARSE THE COMMAND PARAMETERS. &P1 IS THE SELECT ELEMENT LIST: */
/*  A 2-BYTE BINARY ELEMENT COUNT FOLLOWED BY THE USER VALUE      */
             CHGVAR     VAR(&USERPARM) VALUE(%SST(&P1 3 10))

/*  CHECK THE VALUE OF THE PARAMETER USER                         */
             IF         COND(&USERPARM *NE *ALL) THEN(GOTO CMDLBL(END))

/*  USER IS NOT ALLOWED TO EXECUTE WRKSPLF WITH USER *ALL         */
/*  SEND A DIAGNOSTIC MESSAGE TO THE USER.                        */
 NOT_OK:     SNDPGMMSG  MSGID(CPD0006) MSGF(QCPFMSG) MSGDTA('0000 +
                          YOU ARE NOT AUTHORIZED TO USE PARAMETER +
                          USER *ALL.') MSGTYPE(*DIAG)

/*  MESSAGE CPF0002 IS USED IN VALIDITY CHECKING PROGRAMS TO      */
/*  INDICATE AN ERROR CONDITION                                   */
             SNDPGMMSG  MSGID(CPF0002) MSGF(QSYS/QCPFMSG) +
                          MSGTYPE(*ESCAPE)
/* ************************************************************** */
/*                                                                */
/* NORMAL END OF PROGRAM                                          */
/*                                                                */
/* ************************************************************** */
 END:        RETURN
/* ************************************************************** */
/*                                                                */
/* STANDARD ERROR PROCESSING                                      */
/*                                                                */
/* ************************************************************** */
 STDERR1:               /* Standard error handling routine */
             IF         &ERRORSW SNDPGMMSG MSGID(CPF9999) +
                          MSGF(QCPFMSG) MSGTYPE(*ESCAPE) /* Func chk */
             CHGVAR     &ERRORSW '1' /* Set to fail if error occurs */
 STDERR2:    RCVMSG     MSGTYPE(*DIAG) MSGDTA(&MSGDTA) MSGID(&MSGID) +
                          MSGF(&MSGF) MSGFLIB(&MSGFLIB)
             IF         (&MSGID *EQ '       ') GOTO STDERR3
             SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGFLIB/&MSGF) +
                          MSGDTA(&MSGDTA) MSGTYPE(*DIAG)
             GOTO       STDERR2 /* Loop back for addl diagnostics */
 STDERR3:    RCVMSG     MSGTYPE(*EXCP) MSGDTA(&MSGDTA) MSGID(&MSGID) +
                          MSGF(&MSGF) MSGFLIB(&MSGFLIB)
             SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGFLIB/&MSGF) +
                          MSGDTA(&MSGDTA) MSGTYPE(*ESCAPE)
             ENDPGM


To associate this validity checking program with the WRKSPLF command I entered this command:

CHGCMD CMD(WRKSPLF) VLDCKR(QGPL/VALWRKSPLF)
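As an added example (not Ken Graap's program), the same WRKSPLF check can be driven by object authority instead of hard-coded profile names, so the approved list is maintained with GRTOBJAUT or group profiles rather than by recompiling. It assumes a dummy data area QGPL/WRKSPLFALL (hypothetical name) has been created as the authorization token with *PUBLIC *EXCLUDE, and that the program is compiled with the default USRPRF(*USER) so CHKOBJ tests the caller's own authority.

```cl
/* ADDED EXAMPLE: VALIDITY CHECKER FOR WRKSPLF THAT GATES USER(*ALL) */
/* ON *USE AUTHORITY TO A TOKEN OBJECT (QGPL/WRKSPLFALL, ASSUMED)    */
/* COMPILE WITH USRPRF(*USER); ADOPTED AUTHORITY WOULD LET EVERYONE  */
/* PASS THE CHKOBJ TEST BELOW.                                       */
             PGM        PARM(&P1 &P2 &P3 &P4 &P5 &P6 &P7)
             DCL        VAR(&P1) TYPE(*CHAR) LEN(44)      /* SELECT  */
             DCL        VAR(&P2) TYPE(*CHAR) LEN(7)
             DCL        VAR(&P3) TYPE(*CHAR) LEN(10)
             DCL        VAR(&P4) TYPE(*CHAR) LEN(1)
             DCL        VAR(&P5) TYPE(*CHAR) LEN(6)
             DCL        VAR(&P6) TYPE(*CHAR) LEN(10)
             DCL        VAR(&P7) TYPE(*CHAR) LEN(26)
             DCL        VAR(&USERPARM) TYPE(*CHAR) LEN(10)

/*  FIRST ELEMENT OF THE SELECT LIST IS USER; BYTES 1-2 HOLD THE    */
/*  BINARY ELEMENT COUNT, SO THE VALUE STARTS AT POSITION 3         */
             CHGVAR     VAR(&USERPARM) VALUE(%SST(&P1 3 10))

/*  ANY OTHER USER VALUE NEEDS NO FURTHER CHECK                     */
             IF         COND(&USERPARM *NE *ALL) THEN(GOTO CMDLBL(END))

/*  ONLY PROFILES (OR GROUPS) WITH *USE TO THE TOKEN MAY SEE ALL    */
/*  USERS' SPOOLED FILES. CPF9802 = NOT AUTHORIZED, CPF9801 = TOKEN */
/*  OBJECT MISSING: FAIL CLOSED IN BOTH CASES.                      */
             CHKOBJ     OBJ(QGPL/WRKSPLFALL) OBJTYPE(*DTAARA) AUT(*USE)
             MONMSG     MSGID(CPF9801 CPF9802) EXEC(GOTO CMDLBL(DENY))
             GOTO       CMDLBL(END)

/*  DIAGNOSTIC FOR THE USER, THEN CPF0002 SO THE COMMAND IS REJECTED */
 DENY:       SNDPGMMSG  MSGID(CPD0006) MSGF(QCPFMSG) MSGDTA('0000 +
                          YOU ARE NOT AUTHORIZED TO USE PARAMETER +
                          USER *ALL.') MSGTYPE(*DIAG)
             SNDPGMMSG  MSGID(CPF0002) MSGF(QSYS/QCPFMSG) +
                          MSGTYPE(*ESCAPE)
 END:        RETURN
             ENDPGM
```

Because no global MONMSG is coded, any unexpected error in the checker escapes to the command analyzer and the command fails rather than running unchecked.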
This was last published in June 2008
