Restrict Access to the IBM i System Request Menu

  • Home
  • /
  • Blog
  • /
  • Restrict Access to the IBM i System Request Menu

April 22, 2025

Users can utilize the system request function to pause the job access the System Request Menu. This menu enables users to send and view messages, switch to a secondary, terminate the current job.

However, this poses a potential security risk since the default public authority for the Request Menu is set to *USE when the system is shipped

The most straightforward method to prevent users from accessing this menu is to limit authority to the panel group QGMNSYSR.

To restrict specific users from accessing the System Request Menu, assign *EXCLUDE to those users.

GRTOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) USER(username) AUT(*EXCLUDE)

To restrict access to the System Request Menu for most, revoke public authority and assignUSE authority exclusively to specific users.

RVKOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) USER(*PUBLIC) AUT(*ALL)

GRTOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) USER(username) AUT(*USE)

Recommendation use a USER GROUP for the username and simply add every user to that group to grant access.

Prevent only some menu options

You can prevent access to specific menu options by revoking access to the underlying commands behind those menu options.

Options and commands for the system request menu

OptionCommand
1Transfer Secondary Job (TFRSECJOB)
2End Request (ENDRQS)
3Display Job (DSPJOB)
4Display Message (DSPMSG)
5Send Message (SNDMSG)
6Display Message (DSPMSG)
7Display Workstation User (DSPWSUSR)
10Start System Request at Previous System (TFRPASTHR). (See note below.)
11Transfer to previous system (TFRPASTHR). (See note below.)
12Display 3270 emulation options (See note below.)
13Start System Request at Home System (TFRPASTHR). (See note below.)
14Transfer to Home System (TFRPASTHR). (See note below.)
15Transfer to End System (TFRPASTHR). (See note below.)
80Disconnect Job (DSCJOB)
90Sign-Off (SIGNOFF)

For example, if you wanted to prevent access to SYSREQ(1) then you can just revoke access to the TFRSECJOB command:

RVKOBJAUT OBJ(TFRSECJOB) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*ALL) 

GRTOBJAUT OBJ(TFRSECJOB) OBJTYPE(*CMD) USER(username) AUT(*USE)

Easy Peasy!

Share0
Tweet0
Share0
Author Image
Share0
Tweet0
Share0

NickLitten

IBM i Software Developer, Digital Dad, AS400 Anarchist, RPG Modernizer, Shameless Trekkie, Belligerent Nerd, Englishman Abroad and Passionate Eater of Cheese and Biscuits.

Nick Litten Dot Com is a mixture of blog posts that can be sometimes serious, frequently playful and probably down-right pointless all in the space of a day.

Enjoy your stay, feel free to comment and remember: If at first you don't succeed then skydiving probably isn't a hobby you should look into.

Nick Litten

related posts:

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe NOW
7-day free trial

Take This Course with ALL ACCESS

Unlock your Learning Potential with instant access to every course and all new courses as they are released.
 [ For Serious Software Developers only ]
get started

Online Learning for IBM i Software Technology Professionals

“The more that you read, the more things you will know. The more that you learn, the more places you’ll go.” – Dr. Seuss

 Show Me The Courses
>