Control Command Line Access
Here is a brief guide on how to control command line access for IBM i users:
- Create a user profile: The first step is to create a user profile for each user who needs access to the IBM i command line. You can use the
CRTUSRPRFcommand to create a new user profile.
- Assign authorities: Once you have created the user profile, you need to assign the appropriate authorities to the user. You can use the
CHGUSRPRFcommand to assign authorities to the user profile.
- Create a group profile: You can create a group profile to group together users who require similar authorities. You can use the
CRTGRPcommand to create a new group profile.
- Assign group authorities: Once you have created the group profile, you can assign authorities to the group profile using the
- Restrict command line access: You can restrict command line access for IBM i users by using the
CHGAUTcommand. This command allows you to restrict access to specific commands or command groups.
- Monitor command line access: You can monitor command line access for IBM i users by using the
DSPAUDJRNEcommand. This command allows you to view a log of all command line activity on the system.
IBM i User Limited Capability Feature
The Limit Capabilities feature in IBM i allows you to control the ability of a user to run CL commands at a command line by specifying the
LMTCPB (Limit Capabilities) attribute of the user profile. When you create a user profile, you can set the
LMTCPB attribute to
*YES to limit the user’s ability to enter commands and to override the initial program, initial menu, current library, and attention-key-handling program specified in the user profile.
A user with limited capabilities can only run commands that are defined as being allowed to be used by limited users.
The following commands are shipped by IBM with
- Sign off (
- Display job (
- Display job log (
- Start PC Organizer (
- Work with Messages (
Limit Capabilities field in the user profile and the
ALWLMTUSR parameter on commands apply only to commands that are run from the command line, the Command Entry display, FTP, REXEC, using the QCAPCMD API, or an option from a command grouping menu.
Users are not restricted to perform the following actions:
- Run commands in CL programs that are running a command as a result of taking an option from a menu
- Run remote commands through applications
You can allow the limited capability user to run additional commands, or remove some of these commands from the list, by changing the
ALWLMTUSR parameter for a command. Use the
Change Command (CHGCMD) command.
NOTE: If you create your own commands, you can specify the
ALWLMTUSRparameter on the
Create Command (CRTCMD)command.
I hope this helps!