The System i OS includes a wealth of CL commands, many of which provide access to critical and sensitive system and security functions. IBM puts a lot of effort into restricting access to these commands by setting public authority adequately and, if necessary, requires additional user profile special authority in order to successfully execute the commands in question.
The command’s public or private object authority could however for some reason be changed at a later point and so could the command’s Allow limited user attribute, which normally excludes common user profiles from running most system commands. Add to this the number of user created commands that exist on most systems and you’re looking at quite a challenge in order to manage, monitor and audit access to the CL commands on an average System i.
To ease this task I’ve written the Work with Command Security (WRKCMDSEC) command, which allows you to locate and list CL commands of particular interest based on an array of selection criteria, including the aforementioned public authority and allow limited user setting, as well as the presence of a validity checking program, command call state, proxy command status, command creator domain and command change date. The resulting list can be either displayed in a work with-panel or produce a printed list or an output file.
Articles on Apis 