Profile Assistance Level security issue

We had a User "Cancel" a production job (not theirs) by displaying the
QSYSOPR message queue and replying to an outstanding message.  The User
doesn't have authority to anything but to their own jobs and menus.  On
their menu was the option to "DSPMSG".  Once there, they can get to all of
QSYSOPR messages.  We found that if a typical *user can do this using the
IBM function, we have an open security issue.  Our default "Assistance level
is *intermediate".  I am not sure how to close the security hole.  Finding
how to turn off the Assistance level so a *user can't change it; or;
changing the *public authority on QSYSOPR.  We have programs which write to
QSYSOPR.

I tested this using a vanilla *user as follows:

Create a user profile as *user, Initial menu MAIN, limit capabilities to
*yes, make assistance level *Intermediate, no group profile, no special
authorities, QDFTJOBD job description and the rest system defaults.

Sign on as this user
Displayed is the main menu
Take option 1     User Tasks
Take option 2     Display Messages
Hit F24 for more keys
Hit F21    Change assistance level to 1 (basic)  This also changes the
command from DSPMSG to WRKMSG
Note:  Function keys at the bottom of the screen now show "F6 Display System
Operator Messages"
Press F6
Enter a 5 on any outstanding message and reply to it.

Voila..........Canceled

I have also found that the QSYSOPR message queue is occasionally cleared.  I
could never find who cleared it.  Now I think I know how it was done.

Any help would be greatly appreciated.

Thanks



Thomas A. Law Jr.

Senior Systems Programmer
Americas - MIS Tech Support
NACCO Materials Handling Group
1010 E. Fairchild St.
Danville, IL. 61832
Phone:  217-443-7622
Fax:    217-443-7657
Work E-mail:  <ACTLAW@NMHG.COM>
Home E-mail: <TALAW@soltec.net>