Control Command Line Access
Here is a brief guide on how to control command line access for IBM i users:
- Create a user profile: The first step is to create a user profile for each user who needs access to the IBM i command line. You can use the CRTUSRPRF command to create a new user profile.
- Assign authorities: Once you have created the user profile, you need to assign the appropriate authorities to the user. You can use the CHGUSRPRF command to assign authorities to the user profile.
- Create a group profile: You can create a group profile to group together users who require similar authorities. You can use the CRTGRP command to create a new group profile.
- Assign group authorities: Once you have created the group profile, you can assign authorities to the group profile using the CHGGRPA command.
- Restrict command line access: You can restrict command line access for IBM i users by using the CHGAUT command. This command allows you to restrict access to specific commands or command groups.
- Monitor command line access: You can monitor command line access for IBM i users by using the DSPAUDJRNE command. This command allows you to view a log of all command line activity on the system.
IBM i User Limited Capability Feature
The Limit Capabilities feature in IBM i allows you to control the ability of a user to run CL commands at a command line by specifying the LMTCPB (Limit Capabilities) attribute of the user profile. When you create a user profile, you can set the LMTCPB attribute to *YES to limit the user’s ability to enter commands and to override the initial program, initial menu, current library, and attention-key-handling program specified in the user profile.
A user with limited capabilities can only run commands that are defined as being allowed to be used by limited users.
The following commands are shipped by IBM with ALWLMTUSR(*YES):
- Sign off (SIGNOFF)
- Display job (DSPJOB)
- Display job log (DSPJOBLOG)
- Start PC Organizer (STRPCO)
- Work with Messages (WRKMSG)
The Limit Capabilities field in the user profile and the ALWLMTUSR parameter on commands apply only to commands that are run from the command line, the Command Entry display, FTP, REXEC, using the QCAPCMD API, or an option from a command grouping menu.
Limited-capability users are not restricted from performing the following actions:
- Run commands in CL programs that are running a command as a result of taking an option from a menu
- Run remote commands through applications
You can allow the limited capability user to run additional commands, or remove some of these commands from the list, by changing the ALWLMTUSR parameter for a command. Use the Change Command (CHGCMD) command.
NOTE: If you create your own commands, you can specify the ALWLMTUSR parameter on the Create Command (CRTCMD) command.
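The limited-capability setup described above, as an added example that is not part of the original guide: a CL program that limits an existing profile, changes which commands limited users may run, and prints the result for review. The profile APPUSER1, the menu APPLIB/APPMENU and the choice of WRKSPLF as the extra command are assumptions for illustration.

```cl
/* Added example. APPUSER1, APPLIB/APPMENU and the choice of WRKSPLF are  */
/* hypothetical. Run under a profile that has *SECADM and *AUDIT special  */
/* authority.                                                             */
PGM

  /* 1. Limit the profile. The user can then enter only commands marked   */
  /*    ALWLMTUSR(*YES) and cannot override the initial program, initial  */
  /*    menu, current library or attention-key-handling program.          */
  CHGUSRPRF  USRPRF(APPUSER1) LMTCPB(*YES) +
             INLPGM(*NONE) INLMNU(APPLIB/APPMENU)

  /* 2. Allow one additional command to limited users.                    */
  CHGCMD     CMD(QSYS/WRKSPLF) ALWLMTUSR(*YES)

  /* 3. Remove one of the IBM-shipped commands from the allowed list.     */
  CHGCMD     CMD(QSYS/STRPCO) ALWLMTUSR(*NO)

  /* 4. Print the profile and both command definitions so the LMTCPB and  */
  /*    ALWLMTUSR values can be checked and kept as a record.             */
  DSPUSRPRF  USRPRF(APPUSER1) OUTPUT(*PRINT)
  DSPCMD     CMD(QSYS/WRKSPLF) OUTPUT(*PRINT)
  DSPCMD     CMD(QSYS/STRPCO) OUTPUT(*PRINT)

  /* 5. Turn on command-string auditing for the user. CD entries are      */
  /*    written only if the QAUDJRN audit journal exists and the QAUDCTL  */
  /*    system value includes *AUDLVL.                                    */
  CHGUSRAUD  USRPRF(APPUSER1) AUDLVL(*CMD)

  /* 6. Print the command-string (CD) audit entries for the user. Run     */
  /*    this step again later, after the user has been active.            */
  DSPAUDJRNE ENTTYP(CD) USRPRF(APPUSER1) OUTPUT(*PRINT)

ENDPGM
```

Because commands run inside menu-driven CL programs and remote commands issued through applications are not covered by LMTCPB, the CD audit entries from step 6 are the place to confirm what the user actually ran.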
I hope this helps!