Dave, I'm reciting this from memory, so it may not be an exhaustive list, but if I recall correctly there were somewhere around 8 commands shipped with the operating system that are available to limited users. Let's see which ones I can remember, and then we'll see if others can chime in with any I may have missed. DSPJOB DSPJOBLOG DSPMSG SIGNOFF SNDMSG STRPCO WRKENVVAR WRKMSG Of these, SIGNOFF is virtually essential, and the three "DSP" and the SNDMSG command are relatively inconsequential risk (assuming you are doing appropriate tightening elsewhere, as you have said). STRPCO is risky, and probably completely unnecessary, and, absent a specific reason to leave them open, the WRKENVVAR and WRKMSG could afford to be restricted as well. This list only includes commands that are allowed by Limited Capability users as shipped from the factory. You may have more OS commands or application commands that have been opened to Limited Capability users as well. There is at least one commercial product (uh, why yes, that would be a PowerTech product :) ) that will show you this list quickly in a single report (and help you ensure that the list stays constant), but I am not aware of any automated facility in the OS that will track this parameter for you. HTH, jte -- John Earl | Chief Technology Officer The PowerTech Group 19426 68th Ave. S Seattle, WA 98032 (253) 872-7788 ext. 302 john.earl@xxxxxxxxxxxxx www.powertech.com Celebrating our 10th Anniversary Year! This email message and any attachments are intended only for the use of the intended recipients and may contain information that is privileged and confidential. If you are not the intended recipient, any dissemination, distribution, or copying is strictly prohibited. If you received this email message in error, please immediately notify the sender by replying to this email message, or by telephone, and delete the message from your email system. --
-----Original Message----- From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Turnidge, Dave Sent: Tuesday, August 29, 2006 11:19 AM To: Security Administration on the AS400 / iSeries Subject: [Security400] Commands for Limited Users I am trying to get a handle on security on our systems, and have now arrived at "Commands for Limited Users." I have an Excel spreadsheet which has all the commands in this category on our systems. First, I would like to know what are the commands for limited users that come with the system as shipped from IBM. Second, do you agree with that list? I.e., should there be ANY commands available to limited users? I await your reply. Thank you, Dave _______________________________________________ This is the Security Administration on the AS400 / iSeries (Security400) mailing list To post a message email: Security400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/security400 or email: Security400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/security400.