Published on System iNetwork (http://systeminetwork.com)
Can a Limited User Run Commands from a Command Line?
By tzura
Created Jan 29 2007 - 08:00

By: Dan Riehl [1]

When you create a user profile on the System i, one of the profile attributes that you can assign is called limited capabilities, LMTCPB. For end users, this attribute is typically set to the value *YES; for technical staff, it's often set to *NO.

CHGUSRPRF USRPRF(ENDUSER) LMTCPB(*YES)

Many people believe that the setting LMTCPB(*YES) restricts users from running any CL commands when presented with a command line. Some believe it also prevents users from running CL commands at all (unless the commands are contained in a CL program). Both of these perceptions are incorrect.

If you specify LMTCPB(*YES) for a user profile, you restrict the user from entering MOST commands at a command line.

Each CL command object has the attribute ALWLMTUSR (Allow Limited Users) that determines if the command can be used by a user with limited capabilities. If the value is set to *YES, the command can be used by any user with limited capabilities.

Some commands ship from IBM with the ALWLMTUSR(*YES) attribute set, and therefore CAN be run by a limited capability user. Here are some commands with that setting:

  • Sign off (SIGNOFF)
  • Send message (SNDMSG)
  • Display messages (DSPMSG)
  • Display job (DSPJOB)
  • Display job log (DSPJOBLOG)
  • Work with messages (WRKMSG)

If you decide that you want your limited capability users to be able to run additional commands at a command line, you can add commands to the above list by changing the command definition itself. For example, if you want your limited capability users to be able to run the WRKWTR (Work with Writers) command from a command line, use the command CHGCMD (Change Command):

CHGCMD CMD(WRKWTR) ALWLMTUSR(*YES)
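
To review which commands have been opened up this way, and how many profiles the restriction applies to, both attributes can be queried with SQL. This is an added example, not part of the original article; it assumes an IBM i release that provides the QSYS2.COMMAND_INFO and QSYS2.USER_INFO SQL services, and the column names are those services' own.

```sql
-- Added example (not from the original article). Assumes an IBM i release
-- that ships the QSYS2.COMMAND_INFO and QSYS2.USER_INFO SQL services.

-- 1. Commands that a limited capability user may enter at a command line.
--    The six IBM-shipped commands the article names are excluded so that
--    later changes made with CHGCMD ... ALWLMTUSR(*YES) are easier to spot.
--    The article lists only "some" shipped commands, so other IBM defaults
--    will still appear here and need to be recognized during review.
SELECT command_library,
       command_name,
       text_description
  FROM qsys2.command_info
 WHERE allow_limited_user = 'YES'
   AND command_name NOT IN ('SIGNOFF', 'SNDMSG', 'DSPMSG',
                            'DSPJOB', 'DSPJOBLOG', 'WRKMSG')
 ORDER BY command_library, command_name;

-- 2. Enabled user profiles grouped by their LMTCPB value, to show how many
--    profiles the command line restriction actually covers.
SELECT limit_capabilities,
       COUNT(*) AS profiles
  FROM qsys2.user_info
 WHERE status = '*ENABLED'
 GROUP BY limit_capabilities
 ORDER BY limit_capabilities;
```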

Remember that the limited capabilities attribute is simply a command line restriction when the user is constrained to a green screen 5250 session (e.g., TELNET). Because most users today run a Windows workstation with TCP/IP utilities and iSeries Access installed, TELNET is only one access avenue to i5/OS data and programs.

Desktop tools such as ODBC, DDM, File Transfer, DRDA, and FTP are available on almost all end-user desktops. Many of these desktop tools can be used to send commands to OS/400. And almost all of these disregard the Limit Capabilities attribute in the user profile.

Have you ever tried the command RMTCMD CRTLIB HACKER from a DOS prompt?

Copyright © Penton Media

Source URL: http://systeminetwork.com/article/can-limited-user-run-commands-command-line

Links:
[1] http://systeminetwork.com/author/dan-riehl