
Limiting command line for query users

1. Create a duplicate Start Query (STRQRY) or Work With Queries (WRKQRY) command for each application library (if you have more than one application environment).

2. Create a CL program in each app's program library that will run the new command.

3. For all users that will be authorized to run queries, set this new command as the attention key program in their user profile (if the attention key is not already in use).

4. If the attention key is already used, you may have to allow *PARTIAL for LMTCPB in the profile for these users, but first you will need to do a thorough scan of authorities to sensitive commands like PWRDWNSYS, ENDSBS, DLTLIB, etc. and properly secure them to minimize exposure.

5. Create an authorization list for this new duplicate STRQRY command that includes all of the users allowed to run queries. NOTE: If there are a lot of users, this is easier to manage if you create a group profile just for query users, such as APP01QUERY, APP02QRY, etc. Within each application, each user can then have this group profile as a supplemental group, and the authorization list would simply be the 'APP01QUERY' group profile set to *USE and *PUBLIC set to *EXCLUDE.

6. Make sure that the library with the new STRQRY command is higher in the library list than the system STRQRY command (in library QSYS); this may require that the new command be placed in a separate library that can be properly positioned above QSYS by a job description or by the attention key command CL itself.

7. Make sure that there are no other job descriptions or job submission steps within your application that could override (EDTLIBL, CHGLIBL, ADDLIBLE, etc.) the library list.

8. Once tested and verified, take away Command Line access from your app users via the LMTCPB parameter in their profile.

9. Change the *PUBLIC authority on the QSYS/STRQRY command to *EXCLUDE; the IT users can still have access to the original command either via their *ALLOBJ authority or by creating an authorization list that includes their individual profiles (or a group profile that they have in common, like QPGMR).

10. Steve M's tip of the decade: Using authorization lists makes everything easier to manage!
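
The steps above for a single application, written out as CL (an added example, not part of the original tip). The libraries APP01CMD and APP01PGM, the program QRYATN, the authorization list APP01QRYL and the user QRYUSER1 are assumed placeholder names; APP01QUERY is the group profile name used in step 5.

```cl
/* Part A: source for APP01PGM/QRYATN, the attention key program (step 2). */
/* The command is library-qualified here (a choice made in this example)   */
/* so the call cannot resolve to QSYS/STRQRY if the library list changes.  */
PGM
  APP01CMD/STRQRY
  MONMSG MSGID(CPF0000) /* do not surface an escape message to the user */
ENDPGM

/* Part B: commands entered by the security officer.                       */
/* Step 1: duplicate the command into the application's command library.   */
CRTDUPOBJ OBJ(STRQRY) FROMLIB(QSYS) OBJTYPE(*CMD) TOLIB(APP01CMD)

/* Step 4: review authorities on sensitive commands before any *PARTIAL.   */
DSPOBJAUT OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) OUTPUT(*PRINT)
DSPOBJAUT OBJ(QSYS/ENDSBS)    OBJTYPE(*CMD) OUTPUT(*PRINT)
DSPOBJAUT OBJ(QSYS/DLTLIB)    OBJTYPE(*CMD) OUTPUT(*PRINT)

/* Step 5: group profile for query users, plus the authorization list.     */
CRTUSRPRF USRPRF(APP01QUERY) PASSWORD(*NONE)  /* group profile, no sign-on */
CRTAUTL   AUTL(APP01QRYL) AUT(*EXCLUDE)       /* *PUBLIC on the list       */
ADDAUTLE  AUTL(APP01QRYL) USER(APP01QUERY) AUT(*USE)
GRTOBJAUT OBJ(APP01CMD/STRQRY) OBJTYPE(*CMD) AUTL(APP01QRYL)
GRTOBJAUT OBJ(APP01CMD/STRQRY) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*AUTL)

/* Step 3: per query user. Assumes the user already has a primary group    */
/* (GRPPRF) and *USE authority to APP01CMD, APP01PGM and QRYATN.           */
CHGUSRPRF USRPRF(QRYUSER1) SUPGRPPRF(APP01QUERY) ATNPGM(APP01PGM/QRYATN)

/* Steps 8 and 9: run only after the attention key path has been tested.   */
CHGUSRPRF USRPRF(QRYUSER1) LMTCPB(*YES)
GRTOBJAUT OBJ(QSYS/STRQRY) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
```

Because CRTDUPOBJ copies the original command's authorities, the `AUT(*AUTL)` grant is what makes *PUBLIC on the duplicate defer to the list's *EXCLUDE.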

