You don't hear as much about the user profile setting "limited capabilities" as you did in the early days of OS/400. In those early releases, configuring each user's initial program to launch them directly into the appropriate application, setting the initial menu to *SIGNOFF, and setting the limited-capability attribute to *YES was about all an administrator had to do to keep the data residing on an AS/400 secure. Those days are long gone, but the importance of these user profile attributes isn't. In today's i5/OS world there are many ways for a user to reach data outside a menu environment, and a good dose of object-level security is required to secure that data; that doesn't mean you shouldn't also take advantage of the features these attributes provide. Let's take a look.
The most popular task performed by a user's initial program is to launch the user into the appropriate application menu. However, I've seen initial programs perform many tasks: setting up a library list, adopting authority to set up the user's authority to use the application, and configuring various job attributes.
When a user signs on to the system, the initial program, if defined, runs first; then the initial menu is presented. If the initial program establishes the user's menu environment, what should the initial menu be used for? To tell i5/OS that when the initial program ends (i.e., the user exits the initial program), the user is to be immediately signed off. If you use this feature, the users can't "wander" around the system; they're confined to the menus to which they're assigned. Specify *SIGNOFF for the initial menu attribute to cause users to be signed off when exiting their initial program.
Even though the limited capability parameter is ignored by some of the TCP/IP servers (such as the remote command server), you should still use this parameter to limit the commands a user can enter from a command line.
Limited capability *YES means that users can run only commands that have been configured to be run by a limited capability user. i5/OS ships a handful of commands that a limited capability user can run: Sign Off (SIGNOFF), Send Message (SNDMSG), Display Message (DSPMSG), Display Job (DSPJOB), Display Job Log (DSPJOBLOG), Start PC Organizer (STRPCO), and Work with Messages (WRKMSG). Also, when users sign on to the system, they cannot change their initial program, initial menu, current library, or attention key program.
*PARTIAL means they can't change their initial program, current library, and attention program but can change their initial menu and run commands. Quite honestly, I've never understood the benefits of setting a user to *PARTIAL. To me, it's as wide open as setting the value to *NO, which means the user can change all settings previously described as well as enter all commands.
You should review users' limited capability settings, setting as many users as possible to *YES to control who can enter commands from a command line as well as from FTP's remote command function.
How Policy Minder Can Help
As you define a user profile policy template, you can define how the user's initial program, initial menu, and limited capability attributes are to be configured. When you run a compliance check against the user profile template, Policy Minder will identify which profiles' attributes don't match your policy and which attributes cause them to be non-compliant. You can manually change the user profiles by using the Change User Profile (CHGUSRPRF) command, or you can enable and run the Policy Minder FixIt function to have Policy Minder make the attribute changes. All changes made through Policy Minder are logged in the Message log along with the attribute's previous value.
I recommend that you run the Policy Minder initialize function (option 60 from the main menu) on the Commands for Limited Users category. Initialization will gather the commands that are currently configured to be run by a user whose limited capability setting is *YES. Review this list; you may be surprised by the commands vendors or developers may have changed to allow a limited capability user to run. Once you're comfortable that this list reflects your policy requirements, run a compliance check on this category at least monthly to ensure all commands stay compliant with your command policy.
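The review described above (profiles whose initial menu, limited capability, or initial program don't match policy, plus commands that have been opened up to limited users beyond what i5/OS ships) can be scripted against a DSPUSRPRF *OUTFILE export. The following is an added example written for this article, not Policy Minder's code or IBM's; the records are constructed here, the field names are assumed to follow the DSPUSRPRF outfile layout, and the commands list passed to the last function is assumed to come from your own inventory of ALWLMTUSR(*YES) commands.

```python
# Added example: a policy compliance check for the user profile attributes
# discussed in the article. Records are constructed to look like DSPUSRPRF
# *OUTFILE fields (UPUPRF, UPINPG, UPINPL, UPINMN, UPLTCP); field names are
# an assumption, not something the article states.

# Policy: initial menu *SIGNOFF and limited capability *YES.
POLICY = {"UPINMN": "*SIGNOFF", "UPLTCP": "*YES"}

# Commands i5/OS ships as runnable by a limited capability user (per the article).
SHIPPED_LIMITED_USER_CMDS = {
    "SIGNOFF", "SNDMSG", "DSPMSG", "DSPJOB", "DSPJOBLOG", "STRPCO", "WRKMSG",
}

# Constructed sample profiles (not real users).
PROFILES = [
    {"UPUPRF": "ORDCLK1", "UPINPG": "ORDMENU", "UPINPL": "APPLIB", "UPINMN": "*SIGNOFF", "UPLTCP": "*YES"},
    {"UPUPRF": "ORDCLK2", "UPINPG": "ORDMENU", "UPINPL": "APPLIB", "UPINMN": "MAIN", "UPLTCP": "*PARTIAL"},
    {"UPUPRF": "TEMPUSR", "UPINPG": "*NONE", "UPINPL": "", "UPINMN": "MAIN", "UPLTCP": "*NO"},
]

# Maps outfile fields to the CHGUSRPRF keywords that set them.
CL_KEYWORDS = {"UPINMN": "INLMNU", "UPLTCP": "LMTCPB"}

def check_profile(rec):
    """Return {field: (current value, required value)} for each non-compliant attribute."""
    findings = {f: (rec[f], req) for f, req in POLICY.items() if rec[f] != req}
    # *SIGNOFF only confines the user if an initial program actually runs first,
    # so a profile with no initial program needs a person to choose one.
    if rec["UPINPG"] == "*NONE":
        findings["UPINPG"] = ("*NONE", "<application program>")
    return findings

def fixit_command(name, findings):
    """Build the CHGUSRPRF command that corrects the attributes a script can fix."""
    parms = [f"{CL_KEYWORDS[f]}({req})" for f, (_cur, req) in findings.items() if f in CL_KEYWORDS]
    return f"CHGUSRPRF USRPRF({name}) " + " ".join(parms) if parms else None

def compliance_report(profiles=PROFILES):
    """Non-compliant profiles with the previous values (as a log would keep) and the fix."""
    report = {}
    for rec in profiles:
        findings = check_profile(rec)
        if findings:
            report[rec["UPUPRF"]] = {"findings": findings, "fix": fixit_command(rec["UPUPRF"], findings)}
    return report

def unexpected_limited_user_cmds(cmds_with_alwlmtusr):
    """Commands allowed for limited users that i5/OS did not ship that way: review these."""
    return sorted(set(cmds_with_alwlmtusr) - SHIPPED_LIMITED_USER_CMDS)

if __name__ == "__main__":
    for user, r in compliance_report().items():
        print(user, r["findings"], "->", r["fix"])
    print(unexpected_limited_user_cmds(["SIGNOFF", "DSPMSG", "WRKQRY", "STRSQL"]))
```

Treat the generated CHGUSRPRF commands as a review list rather than running them blindly, since a profile with no initial program still needs a human decision.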
Carol Woodbury is president and co-founder of SkyView Partners Inc., a company specializing in security policy and compliance software and services. Carol is a system security expert, a noted author, and an award-winning presenter. Along with Pat Botz, Carol is the author of Experts' Guide to OS/400 and i5/OS Security.