This is the list from the IBM V5R3 Security Reference: 
Sign off (SIGNOFF) 
Send message (SNDMSG) 
Display messages (DSPMSG) 
Display job (DSPJOB) 
Display job log (DSPJOBLOG) 
Start PC Organizer (STRPCO) 
Work with Messages (WRKMSG) 

The list from IBM is incomplete. As John Earl notes elsewhere, WRKENVVAR
is available. 

I checked out V5R2, V5R3, and V5R4 systems. These 8 commands are
available in a number of libraries, including libraries for previous
version or national language support. 

The list of commands shipped by IBM with ALWLMTUSR(*YES) does not
include CHGPWD. 

Limited capabilities is part of the outdated model of interactive
processing that IBM is trying to move us out of. It's a very restrictive
tool with limited usefulness.

Commands which are ALWLMTUSR(*NO) can still be run within a program if
the user with LMTCPB(*YES) has the proper authority. LMTCPB(*YES)
minimizes command line usage. Not having a command line available on
your user screens gets rid of this problem completely. 

Another use of LMTCPB(*YES) is the ability to stop users from changing
signon information. To me, this is the best use of this function. 

My experience is that limit capabilities is too broad. Even in a
menu-security environment, some users need more flexibility and
authority. That usually requires copies/proxies of IBM commands with a
subset of parameters available and object authority.

Limited capabilities doesn't prevent a user from really screwing up an
application. A capabilities-limited user can perform a system request
and stop a running program. Menu options available on the User Tasks
menu allow for critical spooled file entries to be deleted. 

Like John Earl, I work for a vendor that has tools to help you research
and maintain your application security. 

Phil Ashe
NetIQ (A division of Attachmate)
1233 West Loop South, Suite 1800 | Houston, TX 77027 USA
713.418.5279 phone 
phil.ashe@xxxxxxxxxxxxxx 
www.netiq.com 
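An added example, not part of the original post: a small audit that compares a site's inventory of commands and their ALWLMTUSR settings (such as the spreadsheet mentioned in the original question) against the shipped list given in this message. The CSV column names, the non-QSYS library names, the RUNRPT command and all sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Baseline from this thread: the seven commands in the V5R3 Security Reference
# list plus WRKENVVAR, which the message says the IBM list omits.
BASELINE = {"SIGNOFF", "SNDMSG", "DSPMSG", "DSPJOB", "DSPJOBLOG",
            "STRPCO", "WRKMSG", "WRKENVVAR"}

# Constructed sample export; column names, OLDRLSLIB, APPLIB and RUNRPT are
# hypothetical and the settings shown are not taken from any real system.
SAMPLE_CSV = """LIBRARY,COMMAND,ALWLMTUSR
QSYS,SIGNOFF,*YES
QSYS,SNDMSG,*YES
QSYS,DSPMSG,*YES
QSYS,DSPJOB,*YES
QSYS,DSPJOBLOG,*YES
QSYS,STRPCO,*YES
QSYS,WRKMSG,*YES
QSYS,WRKENVVAR,*YES
QSYS,CHGPWD,*NO
QSYS,WRKSPLF,*YES
OLDRLSLIB,DSPJOB,*YES
APPLIB,DSPMSG,*NO
APPLIB,RUNRPT,*YES
"""

def audit(csv_text, baseline=BASELINE):
    """Compare an ALWLMTUSR inventory against the shipped baseline."""
    yes, no = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row["COMMAND"].strip().upper()
        flag = row["ALWLMTUSR"].strip().upper()
        (yes if flag == "*YES" else no)[cmd].add(row["LIBRARY"].strip().upper())
    return {
        # *YES somewhere but not in the baseline: a site change or a local command.
        "added": {c: sorted(l) for c, l in yes.items() if c not in baseline},
        # Baseline command set to *NO in at least one library.
        "restricted": {c: sorted(no[c]) for c in baseline if c in no},
        # Baseline command absent from the inventory altogether.
        "missing": sorted(c for c in baseline if c not in yes and c not in no),
        # Same *YES command present in several libraries (e.g. previous-release copies).
        "multi_library": {c: sorted(l) for c, l in yes.items() if len(l) > 1},
    }

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_CSV).items():
        print(finding, detail)
```

Each entry under "added" is a command a limited-capability user could type on a command line that IBM did not ship that way, so it should have a documented reason.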

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Jones, John (US)
Sent: Tuesday, August 29, 2006 3:59 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

WRKSPLF
WRKUSRJOB maybe
SIGNOFF
CHGPWD 

Those are what come to mind.

John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787 F: +1-312-601-1782
john.jones@xxxxxxxxxx

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Turnidge, Dave
Sent: Tuesday, August 29, 2006 1:19 PM
To: Security Administration on the AS400 / iSeries
Subject: [Security400] Commands for Limited Users

I am trying to get a handle on security on our systems, and have now
arrived at "Commands for Limited Users." I have an Excel spreadsheet
which has all the commands in this category on our systems.

First, I would like to know what are the commands for limited users that
come with the system as shipped from IBM. Second, do you agree with that
list? I.e., should there be ANY commands available to limited users?

I await your reply.

Thank you,

Dave

_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list To post a message email: Security400@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at
http://archive.midrange.com/security400.
 





This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].