Security and Systems Management Newsletter for the IBM i                 September 12, 2013 - Vol 3, Issue 35
Security from
Security Study

iSecurity from SEA

Security? See how SKYVIEW PARTNERS can help!

Feature Article

Misconceptions of the *SECOFR User Class

By Dan Riehl -

When we create user accounts on the IBM i, we use the command CRTUSRPRF(Create User Profile). One of the attributes of a user profile is the User Class. The choices are *SECOFR, *SECADM, *SYSOPR, *PGMR or *USER. The Security Officer(*SECOFR) user class does not make the user powerful, just as the user class of System Operator(*SYSOPR) does not convey any power to the user to manage the operations of the system.

Just What Does the User Class Really Do?

The User Class assigned to a user does two major things. 1) It confuses IT auditors, and 2) it determines what menu options are displayed on IBM supplied menus. You can easily see the result of User Class and Menus on the IBM supplied MAIN menu. If a user runs the command GO MAIN, some menu options will be shown, others may not be shown, all based upon the user's assigned User Class.

In another example, consider the IBM supplied menu named SECURITY. To access the menu the user runs the command GO SECURITY. If the user has a User Class of *USER, only one menu option is shown, "Change your Password". On the other hand, if the user has a User Class of *SECOFR, all options on the SECURITY menu are displayed. But, just because a menu option is shown, does not mean the user has the authority to exercise the menu option. For example, option 8 from the SECURITY menu runs the command, GO SECTOOLS. Unless the user has *ALLOBJ special authority, or is specifically granted a private authority to the SECTOOLS menu, selecting option 8 from the menu will result in an error message "Not Authorized to object SECTOOLS". The SECTOOLS Menu ships from IBM with an authority of *PUBLIC AUT(*EXCLUDE).

Why the Confusion?

The user profile attribute that provides *ALLOBJ, and other powerful operational capabilities is NOT the User Class, it is the User Profile attribute named Special Authority(SPCAUT).

The main reason for confusion on the pupose of the User Class attribute is that when we create user profiles we typically specify the command as follows:


Here we create a powerful user by specifying that the user has all of the special authorities(SPCAUT) of the *SECOFR User Class(USRCLS). When we specify *USRCLS for the special authority attribute, the User Class is used to determine which special authorities as User receives. However, we could have created the user profile with no special authorities at all by setting the special authorities to *NONE, as in the following command.


Read More

In This Issue

Featured Article - The User Class

Security Shorts - Using RMTCMD.exe

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor


    Skyview Partners, Inc

    Software Engineering of America

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

John Earl Memorial Tribute

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1


QAUDJRN Entry Layouts

RedBook - Security Guide IBM i

OSF - DataLoss DB

PCI Data Security Standard


HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

iSecurity from SEA

Security Study

Security news and Events

Industry News

Joan Ross takes the Helm at Townsend Security

Townsend Security announced that it has appointed Joan Ross as Chief Executive Officer. Patrick Townsend, founder and previous Chief Executive Officer will assume the role as Chief Technology Officer.

More Information

Live Security Related Webcasts and Training for IBM i

September Events

IFS Security - Don't Leave Your Server Vulnerable!
Live Webcast - Presented by PowerTech
Tuesday, September 17 1:00pm CDT
More Information and Register to Attend

October Events

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i
with Dan Riehl

Training Workshop - October 2-3
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - Expanded Security Workshop for IBM i
with Dan Riehl

Training Workshop - October 7-10
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

2013 IBM Power Systems Technical University at Enterprise2013
Sponsored by IBM - (ed. This is the newest name for the IBM Technical Conference)
Orlando, FL, October 21-25
More Information and Register to Attend

Security? See how SKYVIEW PARTNERS can help!

Live Training for IBM i

Security Shorts

Using RMTCMD.exe to Run multiple CL Commands

By Dan Riehl

I have written often about using the IBM i Access command RMTCMD.exe to send commands from your Windows or Linux system to IBM i. But did you know you could also send multiple commands with one execution of the RMTCMD.exe?

The Syntax used to send multiple commands is:

rmtcmd /I rmtcmds.txt

(Where rmtcmds.txt is the name of a text file containing the list of commands to be executed.)

Here is an example.

Using Notepad, enter the Control Language commands that are to be executed, and save to a text file. Here's an example you can try.


Run the rmtcmd.exe specifying the name of the file which contains the commands.

C:\>rmtcmd /I rmtcmds.txt

Here is the result. (Note: You may be prompted to Logon, depending on your IBM i Access settings.)

IBM i Access for Windows
Version 7 Release 1 Level 0
Submit Remote Command
(C) Copyright IBM Corporation and Others 1984, 2010. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Licensed Materials - Property of IBM

The remote system name is MYSYSTEM.
CPC2102 - Library MYTESTLIB created.
CPC7301 - File MYTESTFILE created in library MYTESTLIB.
CPC7305 - Member MYTESTFILE added to file MYTESTFILE in MYTESTLIB.
CPI2201 - Authority given to user *PUBLIC for object MYTESTLIB in QSYS object type *LIB.
CPC2201 - Object authority granted.
CPC1221 - Job 115263/MYUSER/MYTEST submitted to job queue QBATCH in library QGPL.

RMTCMD.exe Security Implications

While the RMTCMD.exe is great in functionality, it also brings with its functionality, a serious security issue that you will want to be aware of.

Limited Capabiliy Users (LMTCPB(*YES)) can run CL Commands using RMTCMD.exe. The RMTCMD.exe does not honor the LMTCPB attribute of a User Profile.

For more information on this topic, see the article Misconceptions of Command Line Access and Limited Capabilities Users in the July 5, 2012 issue of the SecureMyi Security Newsletter.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert IBM i Security Consulting
IT Security and Compliance Group. LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

ILE RPG IV Programming
ILE COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Auditing Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Training from The 400 School

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2013 -, all rights reserved | St Louis MO 63017