It is possible to execute arbitrary commands on a server via the Windows Client, so it may be important for the System Administrator to limit access to this feature. This is controlled by using the COMMAND 'Subsys' with the GRANT and REVOKE parameters. However, there is some interaction between other subsystems that must be considered:
The Automated Analyst can execute commands. If access to execute commands is completely revoked, then Automated Analyst processes will not be able to execute commands. Analysts run commands as the user who started the Analyst, so if a particular user is given access to start Analysts, that user should also be given access to run commands.
The Extractor can also execute commands, and it runs commands as the user who started Prognosis. If a user has access to start the EXTRACTOR Configuration, that user could then run arbitrary commands as the user who started Prognosis. Therefore, if a user is to be forbidden from running shell commands, that user should also have access to the EXTRACTOR Configuration revoked.
The COMMAND subsystem is also used to control access to the Tivoli Console and Dispatch Manager command destinations. Therefore, to prevent a user from executing Shell commands, the Shell command destination should be named explicitly to avoid also revoking access for that use to Tivoli and Dispatch Manager commands (unless it is also desired to revoke access to those features).