CHKLMTCPB CHECK LIMITED CAPABILITY TAASECD |
The Check limited capability command checks the user profiles on the
system to determine the users specified as both USRCLS(*USER) and
LMTCPB(*NO). An option also exists to force all *USER types to
LMTCPB(*YES). CHKLMTCPB is designed to assist in ensuring proper
security. A spooled file is output.
Because the command must retrieve information from all profiles, only
a user with *ALLOBJ and *SECADM authority can use the command.
A typical command is entered as:
CHKLMTCPB
The USRPRF spooled file output would be output.
In many environments, a *USER type profile is displayed application
menus only and should not be able to enter any commands. Unless
special action is taken, there are normally two places where the user
can perform general system functions:
** Signon menu. If the system menu is not replaced, the user who
is LMTCPB(*NO) can request a different initial program or
different menu option by using entries on the Signon display.
Specifying LMTCPB(*YES) prevents any of these entries from
being made on the signon display.
** Command lines on system menus. If a system display such as
WRKOUTQ is displayed for the end user to allow control of
spooled files, a command line exists. A LMTCPB(*NO) user can
enter any authorized command.
If LMTCPB(*YES) is specified, the user can only enter
following commands by default such as:
DSPMSG
SNDMSG
DSPJOB
DSPJOBLOG
SIGNOFF
For a complete list of commands that can be entered, see the
TAA Tool PRTLMTCMD.
You can prevent the entries of these commands for LMTCPB users
by specifying ALWLMTUSR(*NO) on the CHGCMD command. You can
also allow other commands to be entered by specifying
ALWLMTUSR(*YES).
For example, the following command would prevent users who are
limited from being able to use SIGNOFF on a command line.
CHGCMD CMD(SIGNOFF) ALWLMTUSR(*NO)
Note that limiting the SIGNOFF command from being entered on a
command line does not prevent a user from selecting SIGNOFF as
a menu option such as on the System Request menu. To control
this, you must make the command private.
Any user commands that are created default to ALWLMTUSR(*NO).
The CHKLMTCPB command simplifies the task of managing users who
should be controlled.
Command parameters *CMD
------------------
TYPE The type of option. The default is *CHECK. *CHECK
reports back which of the *USER types are not
limited. *FORCE ensures that all *USER types are
limited.
System profiles (with the exception of QUSER) are
bypassed. A system profile is assumed to be any
profile beginning with the letter 'Q'. If you have
user profiles beginning with 'Q', you must manually
make the change.
Prerequisites
-------------
The following TAA Tools must be on your system:
EDTVAR Edit variable
PRINT Print
SNDCOMPMSG Send completion message
SNDESCMSG Send escape message
SNDSTSMSG Send status message
Restrictions
------------
None
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object Type Attribute Src member Src file
------ ---- --------- ---------- ----------
CHKLMTCPB *CMD TAASECD QATTCMD
TAASECDC *PGM CLP TAASECDC QATTCL
|
Added to TAA Productivity tools April 1, 1995