SecureMyi.com Security and Systems Management Newsletter for the IBM i                             Issue Date:     October 15, 2018
Security Training from SecureMyi.com
Training from The 400 School
Feature Article

Just what is 'User Limited Capabilities'? Really??

By Dan Riehl - SecureMyi.com

In speaking with many security analysts over the years, it has become obvious that there is a BIG disconnect about what the "Limited Capabilities" attribute of the user profile actually does. In this article I hope to dispel these potentially dangerous misconceptions.

In this October 15, 2018 issue of the SecureMyi Security Newsletter, the featured YouTube video presents a discussion of this important topic.

What IS Limited Capabilities?

System users can gain access to the IBM i command line through various IBM-supplied screens, including most IBM menus, the Work with Spooled Files (WRKSPLF) display, the Work with User Jobs (WRKUSRJOB) display, and numerous other commands and facilities.

Allowing users to access a command line can be very dangerous; for example, you don't want users running a command like DLTF CUSTOMER, which would delete your Customer file. A user who has command line access can run, from that command line, any CL command that he or she is authorized to run.

IBM lets you control a user's ability to run CL commands at a command line with the LMTCPB (Limit Capabilities) attribute of the user profile. (LMTCPB(*YES) also prevents the user from changing the initial program, initial menu, current library and attention-key program at the sign-on display, but the command line restriction is the part most often misunderstood.) To create a user with limited command line capabilities, use the CRTUSRPRF (Create User Profile) command as shown here:

CRTUSRPRF... LMTCPB(*YES)

The common misconception regarding users with limited capabilities (i.e. LMTCPB(*YES)) is that these users cannot run any ad hoc CL command, such as

WRKSPLF   or   DLTF CUSTOMER

But, in reality, a user with limited capabilities CAN run CL commands using several methods, which we will discuss in this article.

Did you know that IBM ships certain CL commands with a special command attribute specifying that Limited Capability users are allowed to run the command at a command line?

These commands include:

  • Sign Off (SIGNOFF)
  • Send Message (SNDMSG)
  • Display Messages (DSPMSG)
  • Display Job (DSPJOB)
  • Display Job Log (DSPJOBLOG)
  • Work with Messages (WRKMSG)

The Command Attribute ALWLMTUSR

You can examine the definition of a CL command using the DSPCMD (Display Command) command. To examine the DSPMSG (Display Messages) command, you could use the following:

DSPCMD DSPMSG

On the resulting display you will see that the command attribute named ALWLMTUSR (Allow limited users) is set to *YES. This setting means that the DSPMSG command can be used by Limited Capabilities users from the command line. All of the commands in the list above are shipped by IBM with ALWLMTUSR(*YES). Generally, all other CL commands are shipped as ALWLMTUSR(*NO), prohibiting their use at the command line by Limited Capabilities users.

Every CL command carries the ALWLMTUSR attribute, but almost all commands have it set to *NO, meaning "do not allow Limited Capabilities users to run the command at a command line." *NO is also the default for any newly created command. As a system administrator, however, you can change any CL command that can be run at a command line so that limited users may also run it there. The change is made with the CHGCMD (Change Command) command, as in the following example:

CHGCMD   CMD(WRKSPLF)     ALWLMTUSR(*YES)

Running this command changes the IBM-supplied WRKSPLF (Work with Spooled Files) command to allow Limited Capabilities users to run it at a command line. (The user still needs authority to the command object and to whatever it touches; ALWLMTUSR only lifts the command line restriction.)

Third-party software often installs new CL commands with ALWLMTUSR(*YES). It is wise to examine any newly created commands, and to re-check after product installs and upgrades, to make sure that limited users cannot run commands they should not.
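As an added check (example code written for this newsletter page, not part of the original article and not IBM-supplied tooling), the following CL program lists every command object in a library that is ALWLMTUSR(*YES). It uses the Retrieve Command Information API (QCDRCMDI), format CMDI0100; the position of the "Allow limited user" field (decimal offset 128, so 1-based position 129 in the receiver) is taken from the API documentation and should be verified for your release before you rely on it. The program name FNDLMTCMD and the library mylib are placeholders.

```cl
/* FNDLMTCMD - Report every *CMD object in a library that is          */
/* ALWLMTUSR(*YES), i.e. runnable from a command line by a            */
/* LMTCPB(*YES) user. Added example; not code from the article.       */
/*                                                                    */
/* Uses the Retrieve Command Information API (QCDRCMDI), format       */
/* CMDI0100. The "Allow limited user" flag ('1' = *YES, '0' = *NO)    */
/* is documented at decimal offset 128 of that format (1-based        */
/* position 129); verify against the API documentation for your       */
/* release before relying on it.                                      */
/*                                                                    */
/* Compile:  CRTBNDCL PGM(mylib/FNDLMTCMD) SRCFILE(mylib/QCLSRC)      */
/* Run:      CALL PGM(mylib/FNDLMTCMD) PARM('QSYS')                   */
PGM        PARM(&LIB)
  DCL      VAR(&LIB)     TYPE(*CHAR) LEN(10)
  DCL      VAR(&CMDLIB)  TYPE(*CHAR) LEN(20)   /* name(10) + library(10) */
  DCL      VAR(&RCVVAR)  TYPE(*CHAR) LEN(400)
  DCL      VAR(&RCVLEN)  TYPE(*INT)  LEN(4)    VALUE(400)
  DCL      VAR(&FORMAT)  TYPE(*CHAR) LEN(8)    VALUE('CMDI0100')
  /* Bytes provided = 0: API errors are signalled as exceptions       */
  DCL      VAR(&ERRCODE) TYPE(*CHAR) LEN(8)    VALUE(X'0000000000000000')
  DCL      VAR(&ALWLMT)  TYPE(*CHAR) LEN(1)
  DCL      VAR(&COUNT)   TYPE(*DEC)  LEN(5 0)  VALUE(0)
  DCL      VAR(&COUNTC)  TYPE(*CHAR) LEN(5)
  /* Model outfile for DSPOBJD; supplies ODOBNM (object name) and     */
  /* ODLBNM (library) on each RCVF.                                    */
  DCLF     FILE(QSYS/QADSPOBJ)

  /* 1. List every command object in the library into a work file.    */
  DSPOBJD  OBJ(&LIB/*ALL) OBJTYPE(*CMD) OUTPUT(*OUTFILE) +
             OUTFILE(QTEMP/CMDLIST)
  OVRDBF   FILE(QADSPOBJ) TOFILE(QTEMP/CMDLIST)

  /* 2. For each command, retrieve its definition attributes.          */
 READ:
  RCVF
  MONMSG   MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))   /* end of file */
  CHGVAR   VAR(&CMDLIB) VALUE(&ODOBNM *CAT &ODLBNM)
  CALL     PGM(QCDRCMDI) PARM(&RCVVAR &RCVLEN &FORMAT &CMDLIB &ERRCODE)
  MONMSG   MSGID(CPF0000) EXEC(DO)      /* e.g. not authorized: skip */
    SNDPGMMSG MSG('Could not retrieve ' *CAT &ODLBNM *TCAT '/' *CAT +
                  &ODOBNM *TCAT ', skipped')
    GOTO     CMDLBL(READ)
  ENDDO

  /* 3. Flag the commands a limited-capability user may run.          */
  CHGVAR   VAR(&ALWLMT) VALUE(%SST(&RCVVAR 129 1))
  IF       COND(&ALWLMT *EQ '1') THEN(DO)
    CHGVAR    VAR(&COUNT) VALUE(&COUNT + 1)
    SNDPGMMSG MSG(&ODLBNM *TCAT '/' *CAT &ODOBNM *TCAT +
                  ' is ALWLMTUSR(*YES)')
  ENDDO
  GOTO     CMDLBL(READ)

 DONE:
  DLTOVR   FILE(QADSPOBJ)
  CHGVAR   VAR(&COUNTC) VALUE(&COUNT)
  SNDPGMMSG MSG(&COUNTC *TCAT ' command(s) in ' *CAT &LIB *TCAT +
                ' allow limited-capability users')
ENDPGM
```

Run it against QSYS once to see the handful of IBM-shipped exceptions (SIGNOFF, SNDMSG, DSPMSG, DSPJOB, DSPJOBLOG, WRKMSG and any that have been changed since), then against each third-party product library after an install or upgrade; anything unexpected in the list is a candidate for CHGCMD ... ALWLMTUSR(*NO), after checking with the vendor that the product does not depend on it.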

In This Issue


Featured Article - Limited Capabilities?

Featured Video - Limited Capabilities??

Security Shorts - Audit The Job Scheduler

Industry News and Calendar

Security Resources

Featured YouTube Educational Video

IBM i Security

Misconceptions on User Limited Capabilities LMTCPB(*YES)

Security News and Events


Live Security Related Webcasts and Training for IBM i

October Events

Live Hands-On - IBM i, iSeries System Operations Workshop
with Dan Riehl

Training Workshop - October 22-24 - Presented by The 400 School, Inc.
Dan Riehl presents this 3-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries Expanded System Operations Workshop
with Dan Riehl

Training Workshop - October 22-26 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries Programming Introduction Workshop
Concepts and Facilities
with Dan Riehl

Training Workshop - October 29 - November 2 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

November Events

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - November 5-9 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries Concepts and Facilities
with Control Language Programming Workshop
with Dan Riehl

Training Workshop - November 26 - 30 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

December Events

Live Hands-On - Introduction to ILE RPG IV Programming Workshop
with Dan Riehl

Training Workshop - December 3-7 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Operations Workshop
with Dan Riehl

Training Workshop - December 10-12 - Presented by The 400 School, Inc.
Dan Riehl presents this 3-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop
with Dan Riehl

Training Workshop - December 13-14 - Presented by The 400 School, Inc.
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - December 17-21 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Security Shorts

Auditing Job Schedule Changes

By Dan Riehl - SecureMyi.com

A while ago I received an urgent call from a security services customer. Someone had added an entry to the IBM i job scheduler (WRKJOBSCDE) that caused all user profiles to be *DISABLED after ONE day of inactivity. Obviously, several user profiles became disabled.

The job schedule entry for this activity is named QSECIDL1, and is added to the job schedule when the ANZPRFACT (Analyze Profile Activity) command is run. This option is available from the SECTOOLS menu. It should be noted that several of the SECTOOLS menu options update entries on the job schedule.

The IBM i job scheduler is implemented as an object named QDFTJOBSCD in library QUSRSYS. The object type is *JOBSCD. The *JOBSCD object type has limited interfaces and does not store the schedule in a database file. So, to track changes to the job scheduler, you cannot monitor a database file; instead you audit update access to the job schedule object itself using the command:

CHGOBJAUD OBJ(QUSRSYS/QDFTJOBSCD) OBJTYPE(*JOBSCD) OBJAUD(*CHANGE)

Once this command is run, any update access to the job schedule generates a journal entry in the QAUDJRN journal. The journal entry type is ZC (Object accessed for change). Note that object auditing only produces entries when the QAUDCTL system value includes *OBJAUD and the QAUDJRN journal exists; the CHGSECAUD command sets both up.

In addition to auditing the job schedule object, you may also want to start auditing the Control Language commands that are used to manipulate the job schedule:

CHGOBJAUD OBJ(QSYS/ADDJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)

CHGOBJAUD OBJ(QSYS/CHGJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)

CHGOBJAUD OBJ(QSYS/RMVJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)

And start auditing the specific CL commands that update the schedule as a side effect, like:

CHGOBJAUD OBJ(QSYS/ANZPRFACT) OBJTYPE(*CMD) OBJAUD(*ALL)

When any of these commands is run, a journal entry is written to QAUDJRN. In this case the journal entry type is CD (Command string audit), and the entry records the command name and the full command string, along with the job and user that ran it.
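To turn the above into one repeatable step (an example added for this page, not the article's own code): the CL program below refuses to proceed unless QAUDCTL includes *OBJAUD, since CHGOBJAUD writes nothing to QAUDJRN until object auditing is switched on system-wide; it then sets the object and command auditing described above and reports the ZC and CD entries in the current receiver chain that concern the scheduler or its commands. Assumptions to verify against the Security Reference and the DSPJRN model outfile for your release: the *TYPE2 outfile (model QSYS/QADSPJR2) carries the fields JOENTT, JODATE, JOTIME, JOJOB, JOUSER, JONBR, JOPGM and JOESD; the entry-specific data of both ZC and CD entries begins with a 1-byte entry type followed by the object name (10) and library (10); and the %SCAN built-in is available (IBM i 7.1 or later). AUDJOBSCD and mylib are placeholder names.

```cl
/* AUDJOBSCD - Switch on auditing of the job schedule object and the  */
/* commands that change it, confirm object auditing is active, then   */
/* report the resulting ZC and CD entries from QAUDJRN.               */
/* Added example; not code from the article.                          */
/*                                                                    */
/* Assumptions (check the Security Reference for your release):       */
/*  - *TYPE2 DSPJRN outfile fields JOENTT, JODATE, JOTIME, JOJOB,     */
/*    JOUSER, JONBR, JOPGM, JOESD (model file QSYS/QADSPJR2)          */
/*  - ZC and CD entry-specific data = entry type(1), object(10),     */
/*    library(10), ...                                                */
/*  - %SCAN built-in (IBM i 7.1 or later)                             */
/*                                                                    */
/* Compile:  CRTBNDCL PGM(mylib/AUDJOBSCD) SRCFILE(mylib/QCLSRC)      */
/* Run:      CALL PGM(mylib/AUDJOBSCD)                                */
PGM
  DCL      VAR(&QAUDCTL) TYPE(*CHAR) LEN(100)
  DCL      VAR(&OBJ)     TYPE(*CHAR) LEN(10)
  DCL      VAR(&OBJLIB)  TYPE(*CHAR) LEN(10)
  DCL      VAR(&DATE)    TYPE(*CHAR) LEN(6)
  DCL      VAR(&TIME)    TYPE(*CHAR) LEN(6)
  DCL      VAR(&NBR)     TYPE(*CHAR) LEN(6)
  DCLF     FILE(QSYS/QADSPJR2)

  /* 0. CHGOBJAUD is silent unless QAUDCTL includes *OBJAUD (and      */
  /*    QAUDJRN exists); stop here rather than "audit" into nothing.   */
  RTVSYSVAL SYSVAL(QAUDCTL) RTNVAR(&QAUDCTL)
  IF       COND(%SCAN('*OBJAUD' &QAUDCTL) *EQ 0) THEN(DO)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
              MSGDTA('QAUDCTL does not include *OBJAUD; object and +
                      command auditing would write nothing to QAUDJRN')
  ENDDO

  /* 1. Audit the job schedule object itself and the commands that     */
  /*    update it (the same CHGOBJAUD commands as in the article).     */
  CHGOBJAUD OBJ(QUSRSYS/QDFTJOBSCD) OBJTYPE(*JOBSCD) OBJAUD(*CHANGE)
  CHGOBJAUD OBJ(QSYS/ADDJOBSCDE)    OBJTYPE(*CMD)    OBJAUD(*ALL)
  CHGOBJAUD OBJ(QSYS/CHGJOBSCDE)    OBJTYPE(*CMD)    OBJAUD(*ALL)
  CHGOBJAUD OBJ(QSYS/RMVJOBSCDE)    OBJTYPE(*CMD)    OBJAUD(*ALL)
  CHGOBJAUD OBJ(QSYS/ANZPRFACT)     OBJTYPE(*CMD)    OBJAUD(*ALL)

  /* 2. Pull the ZC and CD entries of the current receiver chain into  */
  /*    a work file. LVLCHK(*NO) because DSPJRN may size JOESD larger  */
  /*    than the model file; we only read its first 21 bytes anyway.   */
  DSPJRN   JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) ENTTYP(ZC CD) +
             OUTPUT(*OUTFILE) OUTFILFMT(*TYPE2) OUTFILE(QTEMP/AUDENT)
  OVRDBF   FILE(QADSPJR2) TOFILE(QTEMP/AUDENT) LVLCHK(*NO)

  /* 3. Report only the entries that touch the scheduler or its cmds.  */
 READ:
  RCVF
  MONMSG   MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))   /* end of file */
  CHGVAR   VAR(&OBJ)    VALUE(%SST(&JOESD 2 10))
  CHGVAR   VAR(&OBJLIB) VALUE(%SST(&JOESD 12 10))
  IF       COND((&OBJ *NE 'QDFTJOBSCD') *AND (&OBJ *NE 'ADDJOBSCDE') +
            *AND (&OBJ *NE 'CHGJOBSCDE') *AND (&OBJ *NE 'RMVJOBSCDE') +
            *AND (&OBJ *NE 'ANZPRFACT')) THEN(GOTO CMDLBL(READ))
  /* Numeric outfile fields are converted to character for *CAT.      */
  CHGVAR   VAR(&DATE) VALUE(&JODATE)
  CHGVAR   VAR(&TIME) VALUE(&JOTIME)
  CHGVAR   VAR(&NBR)  VALUE(&JONBR)
  SNDPGMMSG MSG(&JOENTT *CAT ' ' *CAT &DATE *CAT ' ' *CAT &TIME *CAT +
                ' user ' *CAT &JOUSER *TCAT ' job ' *CAT &JOJOB *TCAT +
                '/' *CAT &NBR *TCAT ' pgm ' *CAT &JOPGM *TCAT +
                ' -> ' *CAT &OBJLIB *TCAT '/' *CAT &OBJ)
  GOTO     CMDLBL(READ)

 DONE:
  DLTOVR   FILE(QADSPJR2)
ENDPGM
```

A ZC line names the job that physically updated QDFTJOBSCD (often QSYS or a system job acting on a user's behalf), while the matching CD line names the user and program that issued ADDJOBSCDE, CHGJOBSCDE, RMVJOBSCDE or ANZPRFACT; read the two together, and remember that commands run from inside a program compiled without command auditing still show up as ZC even when no CD entry is written for them.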

Copyright 2014-2018 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017