User Authority - Commands
Gilbert Noetzel
2005-07-27 12:57:26 UTC
I need a quick help - refresher here.

I need to know if there is a way for limiting a User to initiate commands on the Command Line in the AS/400?

I am responsible for the integrity of the system data, and so far, I have tested the "user id" with various commands and I was
surprised that I am able to Create / Delete / Change Data files in the Company's Production Libraries.

I would greatly appreciate the fine points of establishing more "strict" controls of User Authority.

I've searched this newsgroup and there are no topics regarding limiting user authority and so forth.

Thank you in advance to those who help

Gil
Thad Rizzi
2005-07-27 13:38:19 UTC
Check out the Limit Capabilities (LMTCPB) parameter on the CHGUSRPRF
command.

Thad Rizzi
Gilbert Noetzel
2005-07-27 13:45:06 UTC
Thad -

The LMTCPB is great, when I put *YES, it does block all command line commands. However, I do want the user to initiate command WRKQRY.

Thanks

Gil

> Post by Thad Rizzi
> Check out the Limit Capabilities (LMTCPB) parameter on the CHGUSRPRF
> command.
> Thad Rizzi

James Perkins
2005-07-27 14:04:00 UTC
> Post by Gilbert Noetzel
> Thad -
> The LMTCPB is great, when I put *YES, it does block all command line
> commands. However, I do want the user to initiate command WRKQRY.
> Thanks
> Gil
>> Post by Thad Rizzi
>> Check out the Limit Capabilities (LMTCPB) parameter on the CHGUSRPRF
>> command. Thad Rizzi

You could always limit the capabilities, and make an alternate system
library where you put altered system commands. Then change any commands,
like wrkqry, to allow users with limited capabilities to use these commands.

James R. Perkins
Thad Rizzi
2005-07-27 16:42:37 UTC
You could create a menu with commands that you want to allow. I
believe that would work.

HTH,

Thad Rizzi
Mark
2005-07-27 18:09:23 UTC
> Post by Gilbert Noetzel
> The LMTCPB is great, when I put *YES, it does block all command line commands. However, I do want the user to initiate command WRKQRY.

Gilbert,

You might also consider using the ALWLMTUSR parameter on CHGCMD.

...you can use this to allow users with LMTCPB(*YES) to run selected commands from the
command line.

--
Mark
Gilbert Noetzel
2005-07-27 20:58:53 UTC
Mark -

Excellent!!! Great Tip...Whew! I was thumbing through all those authority commands and I was nowhere near Mark's suggestions!

Thank you Mark...you made my day (not Clint Eastwood)

Gil

> Post by Mark
>> Post by Gilbert Noetzel
>> The LMTCPB is great, when I put *YES, it does block all command line commands. However, I do want the user to initiate command WRKQRY.
> Gilbert,
> You might also consider using the ALWLMTUSR parameter on CHGCMD.
> ...you can use this to allow users with LMTCPB(*YES) to run selected commands from the
> command line.
> --
> Mark

j***@yahoo.co.nz
2005-07-27 20:41:00 UTC
> Post by Gilbert Noetzel
> I need a quick help - refresher here.
> I need to know if there is a way for limiting a User to initiate commands on
> the Command Line in the AS/400?

As mentioned, the LMTCPB setting will help here but it is not a total
solution. If for instance any users can display a system menu, LMTCPB
does NOT stop them executing the commands in those menus.

> Post by Gilbert Noetzel
> I am responsible for the integrity of the system data, and so far, I have
> tested the "user id" with various commands and I was surprised that I am able
> to Create / Delete / Change Data files in the Company's Production Libraries.
> I would greatly appreciate the fine points of establishing a more "strict"
> controls of User Authority.

For this, you should look at the security reference manual and you
should be looking at better object level authority to prevent unwanted
changes. Also, have you considered other connection mechanisms apart
from a 5250 session? Can they access the data via FTP, ODBC etc etc?
If so, then the LMTCPB setting on the user profile won't be sufficient
to stop them modifying the data. To prevent this kind of manipulation,
you'll need better object level security and/or some exit programs.

Gilbert Noetzel
2005-07-27 21:00:14 UTC
Jsev98 -

Thank you for your input, but no we do not initiate any FTP or ODBC etc... We are straight Green Screen interface here...

Gil

> Post by j***@yahoo.co.nz
>> Post by Gilbert Noetzel
>> I need a quick help - refresher here.
>> I need to know if there is a way for limiting a User to initiate commands on
>> the Command Line in the AS/400?
> As mentioned, the LMTCPB setting will help here but it is not a total
> solution. If for instance any users can display a system menu, LMTCPB
> does NOT stop them executing the commands in those menus.
>> Post by Gilbert Noetzel
>> I am responsible for the integrity of the system data, and so far, I have
>> tested the "user id" with various commands and I was surprised that I am able
>> to Create / Delete / Change Data files in the Company's Production Libraries.
>> I would greatly appreciate the fine points of establishing a more "strict"
>> controls of User Authority.
> For this, you should look at the security reference manual and you
> should be looking at better object level authority to prevent unwanted
> changes. Also, have you considered other connection mechanisms apart
> from a 5250 session? Can they access the data via FTP, ODBC etc etc?
> If so, then the LMTCPB setting on the user profile won't be sufficient
> to stop them modifying the data. To prevent this kind of manipulation,
> you'll need better object level security and/or some exit programs.
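
Added example, not part of the original thread: the settings discussed above (LMTCPB on the user profile, ALWLMTUSR on the command, and object-level authority on the production library) as one CL sequence. QRYUSER and PRODLIB are placeholder names assumed for illustration.

```cl
/* Constructed example. QRYUSER (user profile) and PRODLIB           */
/* (production library) are placeholders, not names from the thread. */

/* 1. Restrict the profile's use of the command line, then display   */
/*    the profile to review its special authorities and group        */
/*    profile. A profile with *ALLOBJ is not held back by the        */
/*    object authorities set in step 3.                              */
CHGUSRPRF USRPRF(QRYUSER) LMTCPB(*YES)
DSPUSRPRF USRPRF(QRYUSER)

/* 2. Allow limited-capability users to run WRKQRY from the command  */
/*    line, then display the command to confirm the setting.         */
CHGCMD CMD(QSYS/WRKQRY) ALWLMTUSR(*YES)
DSPCMD CMD(QSYS/WRKQRY)

/* 3. Object-level authority. *USE on the library lets users find    */
/*    objects in it but not add new ones; *USE on the files lets     */
/*    them read data but not change or delete it. REPLACE(*YES)      */
/*    replaces the existing *PUBLIC authority instead of adding to   */
/*    it, so a broader earlier grant does not remain in effect.      */
GRTOBJAUT OBJ(QSYS/PRODLIB) OBJTYPE(*LIB) USER(*PUBLIC) +
          AUT(*USE) REPLACE(*YES)
GRTOBJAUT OBJ(PRODLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) +
          AUT(*USE) REPLACE(*YES)

/* 4. Review the result. Private authorities granted directly to a   */
/*    user or group are listed here too and take precedence over     */
/*    *PUBLIC, so check for entries broader than *USE.               */
DSPOBJAUT OBJ(QSYS/PRODLIB) OBJTYPE(*LIB)
```

Applications that update these files under the users' own authority will stop working once *PUBLIC is reduced to *USE, so test the change against a copy of the library first.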