How to restrict all users to access command line in as400?

How to restrict all users to access command line in as400?

Restricting All Users From Using the Command Line

Troubleshooting

Problem

This article includes information on restricting users from being able to type commands on the command line.

Resolving The Problem

To limit users from using the command line, do the following for each user profile:

1. Issue the CHGUSRPRF command (<F4>) to prompt the command, then select <F10> for additional parameters.

2. Change the Limit Capabilities to *YES. This will prevent users from using the command line.

Users will still be authorized to some commands; however, they will only be able to use those commands from a menu. Every command has an "Allow Limited User" parameter. By default, this is set to *NO. The following commands are an exception and are shipped with *YES. These commands are SIGNOFF, SNDMSG, DSPMSG, DSPJOB, DSPJOBLOG, STRPCO, and WRKMSG. To view what the 'Allow Limited User parameter is set to for a specific command, use the DSPCMD command and enter the command in question.

Note: The limited capabilities apply only to the i5 OS command line. If limited capabilities for the user profile is set to *YES and Allow Limited User is set to *NO for the command, but the user is still able to run the command, they may be using a third-party command line. You should try CALL QCMD to get to the i5 OS command line and issue the command again.

How to limit user profile to access command line?

Limit Capability :- LMTCPB parameter tells the OS400 two things. First, it tells the OS400, if the user can make changes to ITLPGM, ITLMNU and current library values. Secondly, it says the OS400 if the user has access to command line.

When it is set to *NO, the user can make changes to ITLPGM, ITLMNU , current library and ATTN key values and also it can use the command line to run AS400 commands.

When it is set to *PARTIAL, the USER cannot make any changes to ITLPGM, ITLMNU, current library and ATTN key value but it has access to command line and can run AS400 commands.

When it is set to *YES, the user has neither access to make any changes to ITLPGM, ITLMNU and current library nor it can access command line.

These three parameters ITLPGM, ITLMNU and LMTCPB have ability to restrict users. For example, for the server users who do not require to access the green screen 5250 emulator, can have ITLPGM as *NONE, ITLMNU as *SIGNOFF and LMTCPB as *YES. They can still access AS400 from other server which are connected to AS400. However, if the same user tries to access the AS400 from 5250 emulator, it will immediately bring the user to signoff screen thus restricting access to AS400 and command line.