How to control command line access for IBM i Users

  • Home
  • /
  • Blog
  • /
  • How to control command line access for IBM i Users

September 12, 2023

How to control command line access for IBM i Users

By NickLitten

September 12, 2023

IBM i, authority

Control Command Line Access

Here is a brief guide on how to control command line access for IBM i users:

  1. Create a user profile: The first step is to create a user profile for each user who needs access to the IBM i command line. You can use the CRTUSRPRF command to create a new user profile.
  2. Assign authorities: Once you have created the user profile, you need to assign the appropriate authorities to the user. You can use the CHGUSRPRF command to assign authorities to the user profile.
  3. Create a group profile: You can create a group profile to group together users who require similar authorities. You can use the CRTGRP command to create a new group profile.
  4. Assign group authorities: Once you have created the group profile, you can assign authorities to the group profile using the CHGGRPA command.
  5. Restrict command line access: You can restrict command line access for IBM i users by using the CHGAUT command. This command allows you to restrict access to specific commands or command groups.
  6. Monitor command line access: You can monitor command line access for IBM i users by using the DSPAUDJRNE command. This command allows you to view a log of all command line activity on the system.

IBM i User Limited Capability Feature

The Limit Capabilities feature in IBM i allows you to control the ability of a user to run CL commands at a command line by specifying the LMTCPB (Limit Capabilities) attribute of the user profile. When you create a user profile, you can set the LMTCPB attribute to *YES to limit the user’s ability to enter commands and to override the initial program, initial menu, current library, and attention-key-handling program specified in the user profile.

How to control command line access for IBM i Users

A user with limited capabilities can only run commands that are defined as being allowed to be used by limited users.

The following commands are shipped by IBM with ALWLMTUSR (*YES):

  • Sign off (SIGNOFF)
  • Display job (DSPJOB)
  • Display job log (DSPJOBLOG)
  • Start PC Organizer (STRPCO)
  • Work with Messages (WRKMSG)

The Limit Capabilities field in the user profile and the ALWLMTUSR parameter on commands apply only to commands that are run from the command line, the Command Entry display, FTP, REXEC, using the QCAPCMD API, or an option from a command grouping menu.

Users are not restricted to perform the following actions:

  • Run commands in CL programs that are running a command as a result of taking an option from a menu
  • Run remote commands through applications

You can allow the limited capability user to run additional commands, or remove some of these commands from the list, by changing the ALWLMTUSR parameter for a command. Use the Change Command (CHGCMD) command.

NOTE: If you create your own commands, you can specify the ALWLMTUSR parameter on the Create Command (CRTCMD) command.

I hope this helps!

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Join the IBM i Community for FREE Presentations, Lessons, Hints and Tips

>