Kisco Systems

IBM i Security Tips

Home : Blog : Command Line Security - Part 1

Command Line Security - Part 1

By Rich Loeber

When a user on your IBM i system signs on to a terminal session, they will be presented with a command line. Given enough security permissions, a user can do just about anything from that command line, if they are inquisitive enough. This article will discuss several options for controlling what a user can, and more importantly what they cannot do, when they are presented with a command line.

Controlling use of the command line begins with the way your user profile is set up. Specifically, the option to "Limit capabilities" (LMTCPB). This will define what, if any, controls the system will impose over use of the command line. Unfortunately, many systems just use the default "*NO" setting for this value and that leaves the command line wide open for use (and abuse).

There are three possibilities for the LMTCPB parameter in the user profile:

  • *NO - means there are NO limits on the user of the command line. In addition to processing commands from the command line, the user can also make certain changes to their user profile that you might not want them making.
  • *PARTIAL - this is a little better than the *NO option and it limits certain actions that the user can take at signon and from the command line, but they can still run commands.
  • *YES - this is the best option for most of your users. The user cannot specify different parameters for menu and library from the signon screen and they cannot change the setup for their user profile. The user also is not permitted to run any IBM i OS commands from the command line.

"But," your user says, "I need to be able to check my output reports using the WRKSPLF or WRKOUTQ command!" This is a common issue in some shops, but setting the LMTCPB for the user profile to *NO or *PARTIAL is not the answer. If a user needs to use a very limited set of IBM i OS commands, the best way to solve that issue is by creating menu options for them to use. They can continue to run the commands from the menu option with no problem.

One thing to also be careful about is the starting menu that you present to your user. Again, the default that comes from IBM is to give your users access to the IBM i OS "MAIN" menu in QSYS. This menu can easily lead an inquisitive user to options and capabilities that you probably don't want them seeing or using. If you follow the menu options, you can easily get into areas where a user just does not belong. So, make sure that you specify a starting menu that strictly limits where the user can go. Spend some time testing your menu structures to make sure that they do not lead a user to capabilities that they should not be granted.

Next time around, in Part 2 of this article, I'll take a look at how to effectively limit how users use of commands in the IBM i OS when you absolutely have to let users have access to the command line.

If you have any questions about this topic, you can reach me at rich at, I'll try to answer your questions. All email messages will be answered.