Do your users have "limited capability," or do you just think they do?

You don't hear as much about the user profile setting of "limited capabilities" as you used to in the early days of OS/400. In the early releases, configuring users' initial program to launch them directly into the appropriate application as well as setting users' initial menu to *SIGNOFF and their limited capability attribute to *YES was about all an administrator had to do to make sure the data residing on an AS/400 was secure.

Those days are long gone, but the importance of using these user profile attributes isn't. Sure, there are many ways in today's IBM i world for a user to gain access to data beyond a menu environment, and a good dose of object-level security is required to secure data. But that doesn't mean you shouldn't take advantage of the features these attributes provide.

Let's take a look.

Initial Program

The most popular task performed by a user's initial program is to launch the user into the appropriate application menu. However, I've seen initial programs perform many tasks: setting up a library list, adopting authority to set up the user's authority to use the application, and configuring various job attributes.

Initial Menu

When a user signs on to the system, the initial program, if defined, runs first, and then the initial menu is presented. So if the initial program establishes the user's menu environment, what should the initial menu be used for? To tell the OS that when the initial program ends--i.e., the user exits the initial program--the user is to be immediately signed off. This feature prohibits users from "wandering" around the system. Rather, they're confined to the menus to which they've been assigned. Specify *SIGNOFF for the initial menu attribute to cause users to be signed off when exiting their initial program.

Limited Capability

Even though the limited capability parameter is ignored by some of the TCP/IP servers (such as the remote command server), you should still use this parameter to limit the commands a user can enter from a command line.

Limited capability *YES means that users can only run commands that have been configured to be run by a limited-capability user. IBM i ships a handful of commands that a limited capability user can run: Sign Off (SIGNOFF), Send Message (SNDMSG), Display Message (DSPMSG), Display Job (DSPJOB), Display Job Log (DSPJOBLOG), Start PC Organizer (STRPCO), and Work with Messages (WRKMSG). Also, when users sign on to the system, they cannot change their initial program, initial menu, current library, or attention key program.

*PARTIAL means users can't change their initial program, current library, and attention key program but can change their initial menu and run commands. Quite honestly, I've never understood the benefits of setting a user to *PARTIAL. To me, it's as wide open as setting the value to *NO, which means the user can change all settings previously described as well as enter all commands. You should review users' limited-capability setting, setting as many users as possible to *YES to control who can enter commands from a command line as well as FTP's remote command function.

How Policy Minder Can Help

User Profile Policy Templates

As you define a user profile policy template, you can define how a user's initial program, initial menu, and limited-capability attributes are to be configured. When you run a compliance check against the user profile template, Policy Minder will identify any profile whose attributes don't match your policy and also identify which attributes cause them to be non-compliant. You can choose to manually change the user profiles by using the Change User Profile (CHGUSRPRF) command, or you can enable and run the Policy Minder FixIt function to have Policy Minder make the attribute changes. All changes made through Policy Minder are logged in the Message log along with the attribute's previous value.

Commands for Limited Users

I recommend that you run the Policy Minder initialize function (option 60 from the main menu) on the Commands for Limited Users category. Initialization will gather the commands that are currently configured to be run by a user whose limited-capability setting is *YES. Review this list; you may be surprised to discover that vendors or developers have changed commands to allow limited-capability users to run them. Once you are confident that this list reflects your policy requirements, run a compliance check on this category at least monthly to ensure that all commands stay compliant with your command policy.

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3^rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.

---

MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

		IBM i Security Administration and Compliance: Third Edition Don't miss the newest edition by the industry’s #1 IBM i security expert. List Price $71.95 Now On Sale
		Mastering IBM i Security Get the must-have guide by the industry’s #1 security authority. List Price $49.95 Now On Sale