OS/400 command security - IBM - AS/400

This comprises:

  • Limited capability checking
  • Resource checking of command program objects

These mechanisms can be used to prevent a user from controlling the running of a control region by restricting the use of the STRCICS and ENDCICS commands. The user can also be prevented from controlling the running of user shells by restricting the use of the STRCICSUSR and ENDCICSUSR commands. Related commands such as CRTCICSCBL and PRTCICSTRC should also be considered in this category.

Limited capability checking
A user’s profile may be set to indicate whether or not the user has limited capability. Any OS/400 command can have an attribute indicating whether or not it can be invoked by a limited-capability user. By this means, limited-capability users can be prevented from using certain commands.

If the use of certain commands needs to be restricted further, resource checking must be used.

Resource checking of command program objects
Object authority may be used to control the use of CICS-related OS/400 commands where the limited capability facility is insufficient. For example, suppose that the STRCICSUSR and CRTCICSCBL commands use limited capability to restrict general use. One user, however, needs the authority to run the STRCICSUSR command whilst being prevented from using the CRTCICSCBL command. In this instance, the user may be given object authority to the STRCICSUSR command object (STRCICSUSR object type *CMD in library QCICS) but not to the CRTCICSCBL command program object. Indeed, any user who does not need to issue any commands could be prevented from accessing all members of the QCICS library. Bear in mind, however, that if a command is executed from within a program, the user must still have authority to execute that command.
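
The two mechanisms above, written out as a CL program. This is an added example, not taken from the IBM documentation; the user profile names CICSUSER1 and CICSOPER are hypothetical, and it assumes the person running it has object management authority over the commands in QCICS (for example, a security officer).

```cl
PGM

/* --- Limited capability checking ------------------------------- */
/* CICSUSER1 (hypothetical profile) is marked limited capability.  */
CHGUSRPRF  USRPRF(CICSUSER1) LMTCPB(*YES)

/* The control-region and user-shell commands are flagged so that  */
/* limited-capability users cannot invoke them.                    */
CHGCMD     CMD(QCICS/STRCICS)    ALWLMTUSR(*NO)
CHGCMD     CMD(QCICS/ENDCICS)    ALWLMTUSR(*NO)
CHGCMD     CMD(QCICS/STRCICSUSR) ALWLMTUSR(*NO)
CHGCMD     CMD(QCICS/ENDCICSUSR) ALWLMTUSR(*NO)
CHGCMD     CMD(QCICS/CRTCICSCBL) ALWLMTUSR(*NO)

/* --- Resource checking of command objects ---------------------- */
/* Remove general access to both *CMD objects.                     */
GRTOBJAUT  OBJ(QCICS/STRCICSUSR) OBJTYPE(*CMD) USER(*PUBLIC) +
             AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QCICS/CRTCICSCBL) OBJTYPE(*CMD) USER(*PUBLIC) +
             AUT(*EXCLUDE)

/* CICSOPER (hypothetical profile) may start a user shell but gets */
/* no authority to CRTCICSCBL, so *PUBLIC *EXCLUDE applies there.  */
GRTOBJAUT  OBJ(QCICS/STRCICSUSR) OBJTYPE(*CMD) USER(CICSOPER) +
             AUT(*USE)

/* --- Verification ---------------------------------------------- */
/* Print the resulting authorities for review.                     */
DSPOBJAUT  OBJ(QCICS/STRCICSUSR) OBJTYPE(*CMD) OUTPUT(*PRINT)
DSPOBJAUT  OBJ(QCICS/CRTCICSCBL) OBJTYPE(*CMD) OUTPUT(*PRINT)

ENDPGM
```

A profile with *ALLOBJ special authority is not constrained by these object authorities, so the printed DSPOBJAUT output should be reviewed together with the special authorities of the profiles involved.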
