This is the list from the IBM V5R3 Security Reference:

Sign off (SIGNOFF)
Send message (SNDMSG)
Display messages (DSPMSG)
Display job (DSPJOB)
Display job log (DSPJOBLOG)
Start PC Organizer (STRPCO)
Work with Messages (WRKMSG)

The list from IBM is incomplete. As John Earl notes elsewhere, WRKENVVAR is available. I checked out V5R2, V5R3, and V5R4 systems. These 8 commands are available in a number of libraries, including libraries for previous versions or national language support.

The list of commands shipped by IBM with ALWLMTUSR(*YES) does not include CHGPWD.

Limited capabilities is part of the outdated model of interactive processing that IBM is trying to move us out of. It's a very restrictive tool with limited usefulness.

Commands which are ALWLMTUSR(*NO) can still be run within a program if the user with LMTCPB(*YES) has the proper authority.

LMTCPB(*YES) minimizes command line usage. Not having a command line available on your user screens gets rid of this problem completely.

Another use of LMTCPB(*YES) is the ability to stop users from changing signon information. To me, this is the best use of this function.

My experience is that limit capabilities is too broad. Even in a menu-security environment, some users need more flexibility and authority. That usually requires copies/proxies of IBM commands with a subset of parameters available and object authority.

Limited capabilities doesn't prevent a user from really screwing up an application. A capabilities-limited user can perform a system request and stop a running program. Menu options available on the User Tasks menu allow for critical spooled file entries to be deleted.

Like John Earl, I work for a vendor that has tools to help you research and maintain your application security.

Phil Ashe
NetIQ (A division of Attachmate)
1233 West Loop South, Suite 1800 | Houston, TX 77027 USA
713.418.5279 phone
phil.ashe@xxxxxxxxxxxxxx
www.netiq.com

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Jones, John (US)
Sent: Tuesday, August 29, 2006 3:59 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

WRKSPLF WRKUSRJOB maybe SIGNOFF CHGPWD

Those are what come to mind.

John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787
F: +1-312-601-1782
john.jones@xxxxxxxxxx

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Turnidge, Dave
Sent: Tuesday, August 29, 2006 1:19 PM
To: Security Administration on the AS400 / iSeries
Subject: [Security400] Commands for Limited Users

I am trying to get a handle on security on our systems, and have now arrived at "Commands for Limited Users." I have an Excel spreadsheet which has all the commands in this category on our systems.

First, I would like to know what are the commands for limited users that come with the system as shipped from IBM.

Second, do you agree with that list? I.e., should there be ANY commands available to limited users?

I await your reply.

Thank you,
Dave

_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400) mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/security400 or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/security400.