Security and Systems Management Newsletter for the IBM i             April 9, 2014 - Vol 4, Issue 6
Security Training from

Security software from Powertech

Skyview Partners

Security Training from The 400 School

Feature Article

The Reality of User Limited Capabilities LMTCPB(*YES)

By Dan Riehl -

In speaking to many security analysts over the years, it is obvious that there is a BIG Disconnect on what the "Limited Capabilities" attribute of the user profile actually does. In this article, I hope to dispel these potentially dangerous misconceptions.

In this issue of the SecureMyi Security Newsletter, the Featured YouTube Video presents a video discussion of this important topic.

What IS Limited Capabilities?

System users can gain access to the IBM i shell command line through various IBM-supplied screens, including most IBM menus, the Work with Spooled Files (WRKSPLF) command display, the Work with User Jobs (WRKUSRJOB) command display, and numerous other commands and facilities.

Allowing users to access a command line can be very dangerous; for example, you don't want users running commands like DLTF CUSTOMER, which would delete your Customer file. A user who has command line access can run any CL command that he or she is authorized to run at the command line interface.

IBM allows you to control the ability of a user to run CL commands at a command line by specifying the LMTCPB(Limit Capabilities) attribute of the user profile. To create a user that has limited command line capabilities, you use the CRTUSRPRF(Create User Profile) command as shown here:


The common misconception regarding users with limited capabilities( i.e. LMTCPB(*YES) ) is that we think that these users cannot run any ad-hoc CL command, such as


But, in reality, a user with limited capabilities CAN run CL commands using several methods which will be discussed in this article.

Did you know that IBM ships certain CL commands with a special command attribute that specifies that Limited Capability users are allowed to run the command at a shell command line.

These commands include:

  • Sign Off (SIGNOFF)
  • Send Message (SNDMSG)
  • Display Messages (DSPMSG)
  • Display Job (DSPJOB)
  • Display Job Log (DSPJOBLOG)
  • Work with Messages (WRKMSG)
  • Work with Environment Variables (WRKENVVAR)

Read More

In This Issue

Featured Article - Limited Capabilities?

Security Shorts - Viewing Group Profiles

Featured Video - Limited Capabilities

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor


    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1


QAUDJRN Entry Layouts

RedBook - Security Guide IBM i

Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard


HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

Software from Cilasoft

Security software from Powertech

Featured YouTube Educational Video

IBM i Security

Misconceptions on User Limited Capabilities LMTCPB(*YES)

Featured Video - Misconceptions on User Limited Capabilities LMTCPB(*YES)

Security news and Events

Live Security Related Webcasts and Training for IBM i

April Events

The Hacker's View of Cyber Security
With Mel Beckman and Robin Tatam

Live Webcast - Presented by iProDeveloper
Sponsored by Powertech
Tuesday, April 29 1:00pm CDT
More Information and Register to Attend

April 29 - May 1 - InfoSecurity EUROPE 2014
Earl's Court, LONDON
Free to Attendees - 325 Exhibitors
Look for Cilasoft which is exhibiting at this event
For More Information

May Events

May 4-7 - COMMON - A User Group
2014 Annual Conference and Exposition - Orlando, FL
More Information and Register to Attend

Coffee with Carol: with Carol Woodbury
Security Considerations for Application Development including PCI Requirements

Live Webcast - Presented by Skyview Partners
Wednesday, May 14 10:00am CDT
More Information and Register to Attend

June Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Training Workshop - June 2-6 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Coffee with Carol: with guest presenter Patrick Townsend
Encrypting Data with FIELDPROC - No Application Changes!

Live Webcast - Presented by Skyview Partners
Thursday, June 12 10:00am CDT
More Information and Register to Attend

Skyview Partners

Security Training from The 400 School

Security Shorts - Group Profiles - Who's Who?

By Dan Riehl

A User Profile can be a member of a Primary Group Profile, and also a member in up to 15 Supplemental Groups. Since a member of a Group inherits all authorities and special authorities from their Group(s), it's very important to know who is in what Groups.

When you need a list of all the users who belong to a particular group profile, it's easy to get. Just use the DSPUSRPRF (Display User Profile) command as follows:


For GroupProfileName, substitute the name of the group profile for which you want to list the group members.

If you want a full system listing of members of all group profiles you can use the command DSPAUTUSR(Display Authorized Users) as follows:


For a nice GUI look into your users and groups, IBM i Navigator for Windows( aka Operations Navigator) provides the nicest presentation.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

IT Security and Compliance Group

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

ILE RPG IV Programming Workshop
RPG/400 Programming Workshop
IBM i COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Audit Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Security Services from

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 -, all rights reserved | St Louis MO 63017