SecureMyi.com Security and Systems Management Newsletter for the IBM i                 July 10, 2013 - Vol 3, Issue 32
Security Services from SecureMyi.com

Security Study

Security? See how SKYVIEW PARTNERS can help!

Feature Article

Smart Security for Sensitive IBM i CL Commands

By Dan Riehl - SecureMyi.com

Several IBM supplied Control Language commands have restrictions on their use. Commands like CRTUSRPRF(Create User Profile) and CHGUSRPRF(Change User Profile) require that the user have, at the minimum, *SECADM special authority. Other commands like PWRDWNSYS(Power Down System) and ENDSBS(End Subsystem) can only be used by users with *JOBCTL special authority.

Most commands, however, are available for use by any user on the system. Commands can be run directly from the command line, executed from within a program or batch job stream, or can be run through network interfaces like RMTCMD(Remote Command), FTP and ODBC/JDBC(using the QCMDEXC program).

Each command has an attribute that specifies whether limited capabilities users can enter the command at the command line. A user is identified as 'limited' if their user profile specifies LMTCPB(*YES). There are only a handful of commands that allow 'limited' users to run the command at a command line. These are commands like DSPJOB(Display Job) and DSPMSG(Display Messages). We consider 'limited capability' users as being restricted from using the command line. In reality, they CAN enter commands at a command line, as long as the particular command allows for it.

For more information, see our Youtube Video on Misconceptions about the Limited Capabilities attribute on a User Profile.

Since there are so many different methods to run commands, and so many different types of user capabilities and special authorities, it is important to tightly control some of the more powerful and sensitive commands.

On most systems, a majority of the users have *JOBCTL special authority. I have heard countless reasons for this configuration debacle, which I will not rehash here. The point here is that the powerful commands available to these users must be controlled.

The ability to use commands like PWRDWNSYS, ENDSBS and ENDSYS should not be available to every user with *JOBCTL, but should be restricted to a very small group of users.

Read More

In This Issue


Featured Article - Securing CL Commands

Security Shorts - Changing Journal Options

Industry News and Calendar

Security Resources

Quick Links


Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i? Visit RZKH.de

Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    The PowerTech Group

    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

John Earl Memorial Tribute

IBM i Security Videos from SecureMyi.com

SecureMyi Newsletter Home and Archives

Search Security Site for IBM i and i5/OS

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1


Open Security Foundation - DataLoss DB

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter

Follow SecureMyi on YouTube






Security study

IBM i Security Calendar of Events



Live Security Related Webcasts and Training for IBM i

July Events

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - July 10-11
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i Security and Vulnerability Assessment Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - July 15-18
Dan Riehl presents this 3.5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Get your FTP Server into Compliance
Live Webcast - Presented by Linoma Software
Thursday, July 18 Noon CDT
More Information and Register to Attend

Live Hands-On - Expanded Security Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - July 23-26
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

An Introduction to PCI Compliance on IBM Power Systems
Live Webcast - Presented by PowerTech
Thursday, July 24 1:00pm CDT
More Information and Register to Attend

August Events

Live Hands-On - Expanded Control Language Programming Workshop
with Dan Riehl

Full Length Training Workshop - August 19-23
Dan Riehl, Co-Author of the textbook Control Language Programming for the IBM i
presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

September Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Full Length Training Workshop - September 9-13
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

COMMON 2013 Fall Conference and Expo
Three Day Conference and Expo - September 9-11
Renaissance Grand St. Louis St. Louis, Missouri
More Information and Register to Attend


Security? See how SKYVIEW PARTNERS can help!





Security Study

Security Shorts

Changing Journaling Options on the Fly

By Dan Riehl - SecureMyi.com

A while back, I was confronted with a task in which I needed to change the journaling characteristics of a physical file. The file was being journaled with *AFTER images only, and I needed to change the journaling option to capture *BOTH the before and after images of database record changes.

I suspected I would need to end journaling of the file and then start journaling (STRJRNPF) with the *BOTH (before and after images) option. I didn't know all the ramifications that the stop and start would have, but I knew that I wanted to avoid it if possible. I was unaware of any way to do this. So I needed to check whether there was a way to change the journaling characteristics without ending the journaling of the file on a live system.

I used the CL command GO CMDJRN to review commands that relate to journaling, and I found the Change Journaled Object (CHGJRNOBJ) command. I prompted the command (F4) and pressed F1 to review the command help text. It turns out that the command was exactly what I was looking for. The CHGJRNOBJ command was introduced by IBM back in OS/400 V5R3.

Here's a snippet from the command online help text from IBM.

The Change Journaled Object (CHGJRNOBJ) command changes the journaling attributes of a journaled object without the need to end and restart journaling for the object.

The command can be used to change the Images (IMAGES) value for a database file (*FILE) or a data area (*DTAARA) object without the need to end and restart journaling for the object.

The command can be used to change the Omit journal entry (OMTJRNE) value for a database file (*FILE), an integrated file system stream file (*STMF) or directory (*DIR) object without the need to end and restart journaling for the object.

Only one journaling attribute can be changed at a time.


Because I needed to change the IMAGES attribute from *AFTER to *BOTH, I used the command:

CHGJRNOBJ OBJ((MYLIB/MYFILE *FILE)) ATR(*IMAGES) IMAGES(*BOTH)

Then, in order to omit the Open and Close journal entries I used the command:

CHGJRNOBJ OBJ((MYLIB/MYFILE *FILE)) ATR(*OMTJRNE) OMTJRNE(*OPNCLOSYN)

As the help text says, you can change only one attribute per execution of the command--thus the need to run the command twice, once for each attribute to be changed.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert IBM i Security Consulting
IT Security and Compliance Group. LLC


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming


Live Training from The 400 School, Inc


Customized IBM i (AS/400) Training -
    Presented Live at your offices


Live Online Hands-On Workshops

ILE RPG IV Programming
ILE COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Auditing Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop


Live Online Workshops - from The 400 School


Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2013 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017