Enumerating i/OS User Accounts Using EZ APIs – Eliminate the Vulnerability

Article ID: 58709

One of the primary concepts of system security is that you do not want to share a user account list with everyone who requests it. The account list must be protected to avoid handing a huge advantage to the would-be hacker. Brute-force attacks, or even simple default-password attacks against the account list, will often result in a successful breach of at least one account on the list.

When your system ships from IBM, they provide a very nice user enumeration tool. One might think the tool would be the WRKUSRPRF (Work with User Profiles) command. But, no. That command only shows you the user accounts that you are authorized to see, which should typically be just 3 IBM-supplied accounts.

The User enumeration tool is found in the Operational Assistant Menu, as Option 4 (Send Messages). When option 4 is selected, you can select the user to which you want to send the message. If you press F4=Prompt, you will be shown a list of all of the users on the system, and the textual description associated with the user account.

Even if your users have no command line access (LMTCPB(*YES)), the default Attention Key handling program shipped by IBM is the Operational Assistant Menu, so they can still reach this option.

You can access the same menu using the command GO ASSIST. You may then select Option 4 (Send Messages), and get a full user list.

The message sending program is named QEZSNDMG and is one of the IBM Operational Assistant APIs, also known as the EZ APIs. You can go to a command line and directly call the message sending program using the command CALL QEZSNDMG.

While the message sender function is very nice, it presents a security vulnerability that should be addressed, if possible.

I suggest that you restrict access to QEZSNDMG to only Operations or Administrative staff. You can do this by setting the authority on the program QSYS/QEZSNDMG to *PUBLIC AUT(*EXCLUDE), and assigning *USE authority to those users that should be able to use the command.
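The restriction described above, written out as CL commands. This is an added example, not part of the original article; OPSGRP is an assumed group profile name standing in for your operations or administrative staff.

```cl
/* Restrict QEZSNDMG so that only an operations group can call it.   */
/* Added example; OPSGRP is an assumed group profile name.           */

/* 1. Remove public access to the program object.                    */
GRTOBJAUT OBJ(QSYS/QEZSNDMG) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)

/* 2. Allow the operations/administration group to run it.           */
GRTOBJAUT OBJ(QSYS/QEZSNDMG) OBJTYPE(*PGM) USER(OPSGRP) AUT(*USE)

/* 3. Verify the resulting authorities on the program.               */
DSPOBJAUT OBJ(QSYS/QEZSNDMG) OBJTYPE(*PGM)
```

Profiles holding *ALLOBJ special authority bypass object authority and can still call the program, so the restriction is only as effective as your control over who holds *ALLOBJ.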

View the Operational Assistant APIs manual (PDF)
