July 10, 2012 - Vol 2, Issue 12

Due to the Independence Day holiday in the U.S. last week, the newsletter is being published on July 10 instead of the originally scheduled date of July 4, 2012.

Feature Article

Misconception - Command Line Access and "Limited Capabilities" Users

By Dan Riehl

System users can gain access to the IBM i shell command line through various IBM-supplied screens, including most IBM menus, the Work with Spooled Files (WRKSPLF) command display, the Work with User Jobs (WRKUSRJOB) command display, and numerous other commands and facilities.

Allowing users full command-line access is dangerous; for example, you don't want users running commands like DLTF CUSTOMER, which would delete your production customer file. A user who has command line access can run any CL command that he or she is authorized to run.

IBM lets you control a user's ability to run CL commands at a command line through the LMTCPB (Limit Capabilities) attribute of the user profile. To create a user that has limited command line capabilities, you use the CRTUSRPRF (Create User Profile) command as shown here:


The common misconception about users with limited capabilities, i.e. LMTCPB(*YES), is that these users cannot run any ad-hoc CL command, such as


But, in reality, a user with limited capabilities CAN run selected CL commands when provided with a command line. IBM ships certain CL commands with a special command attribute that specifies that limited capability users are allowed to run the command at a command line.

These commands include:


See the Featured Video in this issue - Misconceptions on User Limited Capabilities
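The settings discussed in this article, in an added CL example that is not from the original newsletter: it creates a limited-capabilities profile, inspects and changes the command attribute that lets limited users run a command (ALWLMTUSR on CHGCMD), and dumps all profiles for review. MENUUSER, APPLIB, ORDMENU and ORDINQ are constructed names.

```cl
/* Added example. MENUUSER, APPLIB, ORDMENU and ORDINQ are constructed  */
/* names used only for illustration.                                    */

/* Create a menu-only user. PASSWORD(*NONE) keeps the profile from      */
/* signing on until a password is assigned separately.                  */
CRTUSRPRF  USRPRF(MENUUSER) PASSWORD(*NONE) USRCLS(*USER) +
             INLMNU(APPLIB/ORDMENU) LMTCPB(*YES) +
             TEXT('Order entry, menu only')

/* Display a command's attributes, including whether limited            */
/* capability users are allowed to run it at a command line.            */
DSPCMD     CMD(APPLIB/ORDINQ)

/* Deliberately allow limited users to run one application command ...  */
CHGCMD     CMD(APPLIB/ORDINQ) ALWLMTUSR(*YES)

/* ... or withdraw that permission again.                               */
CHGCMD     CMD(APPLIB/ORDINQ) ALWLMTUSR(*NO)

/* Review every profile's limit capabilities setting: write the basic   */
/* profile information to an outfile, then browse it.                   */
DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
             OUTFILE(QTEMP/USRLIST)
RUNQRY     QRYFILE((QTEMP/USRLIST))
```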

IBM i Security - Top Industry News

Help/Systems Acquires Safestone Technologies Ltd.

Help/Systems has completed another major acquisition in the IBM i security/compliance space with the addition of Safestone. Only a few years ago, Help/Systems acquired both Powertech and Bytware, two of the top players in the IBM i security/compliance space.

Help/Systems has long been a premier software provider for IBM i Operations Automation software with their Robot line of products including the popular Robot SAVE and Robot SCHEDULE. They launched into the IBM i security space in 2007 with the introduction of Robot SECURITY. The later acquisitions of Powertech and Bytware provided the boost to be a top player in the IBM i security/compliance space. With the addition of Safestone, it is clear that Help/Systems now holds the majority market share of IBM i Security and Compliance software installations around the globe.

The UK based Safestone has best been known for their DetectIT brand of security and compliance software for the IBM i. In recent years Safestone has broadened their reach past the IBM i space with "Compliance Center for IBM Power Systems" providing support for IBM i, AIX and Linux. In addition to providing AIX technical expertise and mature software products, Safestone brings a large international customer base to the table.

"Safestone’s large customer base and years of experience in security are a great fit for PowerTech and Help/Systems," explains Robin Tatam, Director of Security Technologies for The PowerTech Group. "The acquisition of Safestone allows us to retain a leading-edge technology and deliver the most innovative and comprehensive solutions for our customers’ security needs."

It is evident that Help/Systems, like other IBM i vendors, is looking to AIX to provide important steps for growth.

IBM i Security and Audit Resources

IBM i Security Videos from SecureMyi.com

SecureMyi Newsletter Home and Archives

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

IBM i Security News Bytes

See The Top Industry News - Above

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

How to Track Sensitive Database Changes at the Field Level
Webcast - Sponsored by Cilasoft Security Solutions and Read Technologies
Wednesday July 18 10:00 AM CDT

Configuring and Using IBM i Auditing Functions
Webcast - Sponsored by Powertech
Thursday July 19 1:00 PM CDT

IBM i: Achieving PCI 2.0 Compliance with Virtual and Cloud Computing
iProDeveloper Webcast - Featuring Mel Beckman - Sponsored by Enforcive
Thursday July 26 11:00 AM CDT

Live 4-Day Hands-On Expanded Security Workshop for IBM i
Full Length Training Workshop - August 21-24 9:00am - 4:00pm Central Time
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i.

Featured YouTube Educational Video

IBM i Security

Misconceptions on User Limited Capabilities LMTCPB(*YES)

Security Shorts - Watch out for CHGPRF!

By Dan Riehl

Did you know that your end users and IT staff members may be able to change their own user profile?

Just as users can run the CHGPWD (Change Password) command to change their own password, they can run the CHGPRF (Change Profile) command to change their own user profile.

Almost all user profile attributes can be changed using this command. Certain attributes like Group Profile and Supplemental Group Profile cannot be changed. But that's little consolation when we find that our end users can change their initial program, initial menu, current library, job description, attention program, etc.

The CHGPRF command ships from IBM as *PUBLIC use, so it is available for general use. As you might suspect, the user must have at least *USE authority to the specified initial program, menu, job description, attention program, current library, etc. in order to make those kinds of changes.

Certain parameters of the CHGPRF command are sensitive to the LMTCPB (Limit Capabilities) attribute of the user's profile. For instance, if the user is LMTCPB(*PARTIAL), they cannot change their initial program, current library or attention key handling program. They can, however, change their initial menu and all the other attributes. If the user is LMTCPB(*YES), they cannot change their initial program, initial menu, current library or attention key program, but they can change all the rest of their profile attributes, like job description, user options, output queue, printer and even the textual description of their user profile.

You may be thinking that this is not really such a big deal, since the only people on your system who can run this command are IT folks and a limited number of users who have access to the command line. Users who are defined as LMTCPB(*YES) cannot enter this command on a command line, and I doubt you would place this option on their menu. But any user who has IBM i Access (Client Access) installed on their PC can use the RMTCMD command to run the CHGPRF command. It's as simple as going to a DOS prompt and running the command:


The RMTCMD.exe on your PC does not pay any attention to the LMTCPB attribute of the user running the command. The user can run any command to which they are authorized. And, since RMTCMD is an integral part of IBM i Access, you cannot just remove it from all your PCs. It's best to write or buy an exit program for the remote command server that would control this type of activity.

My recommendation to you is to change the object authority of the CHGPRF command to make it *PUBLIC AUT(*EXCLUDE). To make that change, you can use either the EDTOBJAUT (Edit Object Authority) command or the GRTOBJAUT (Grant Object Authority) command.
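The recommendation above as CL, in an added example that is not from the original newsletter; it also turns on object auditing for the command and registers an exit program for the remote command server. SECADMIN (an administrator group profile) and SECLIB/RMTCMDEXIT (an exit program you have written or bought) are hypothetical names; QIBM_QZRC_RMT with format CZRC0100 is the remote command server's exit point.

```cl
/* Added example. SECADMIN and SECLIB/RMTCMDEXIT are hypothetical       */
/* names; substitute your own group profile and exit program.           */

/* 1. Record who can use CHGPRF before changing anything.               */
DSPOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) OUTPUT(*PRINT)

/* 2. The command ships as *PUBLIC use. Exclude the public ...          */
GRTOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) USER(*PUBLIC) +
             AUT(*EXCLUDE)

/* ... and grant use only to the profiles that need it. Profiles with   */
/* *ALLOBJ special authority can still run the command regardless.      */
GRTOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) USER(SECADMIN) AUT(*USE)

/* 3. Audit each use of the command. CD (command string) entries are    */
/* written to QAUDJRN when object auditing is active, that is, when     */
/* the QAUDCTL system value includes *OBJAUD.                           */
CHGOBJAUD  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) OBJAUD(*ALL)

/* 4. Register the exit program on the remote command server so that    */
/* RMTCMD requests are checked, then restart that host server so new    */
/* server jobs call the exit program.                                   */
ADDEXITPGM EXITPNT(QIBM_QZRC_RMT) FORMAT(CZRC0100) PGMNBR(1) +
             PGM(SECLIB/RMTCMDEXIT)
ENDHOSTSVR SERVER(*RMTCMD)
STRHOSTSVR SERVER(*RMTCMD)
```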

Copyright 2012 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017