Securing Spool Files

Let’s talk briefly about the security buzzword Need To Know Access and how it affects spool files. The good news is that we are seeing policies and laws put in place to protect clients and organizations. Your company’s spool files can contain privileged information that could cause your clients and/or your organization harm. Therefore, if we are going to protect our data according to the security buzzword Need To Know Access, we also need to control who can print, move, delete or view the spool files.

Let’s have a look at how the *SPLCTL special authority assigned to user profiles on the IBM i (AS/400) system works and how easily we can secure spool files for Need to Know Access.

*SPLCTL special authority effectively gives the user profile all-object authority to every spooled file (data that can be printed) on the system. Therefore, when we assign *SPLCTL, that user can see all such data on the system, including financial and audit information.

The best way to eliminate this risk is to secure the output queues (OUTQs) that hold the spool files according to Need to Know Access.

The first thing that needs to be done is testing. To test, remove *SPLCTL from the user profile and follow the steps below:

The following shows how quickly you can secure output queues so that only authorized users with Need to Know Access can view, delete, move or print spooled files.

An output queue can be set up so that some users may not use it at all, some users may view or change only their own spooled files (that is, spooled files they created), and some users may view or change anything in the output queue.

Caution: Any user with *SPLCTL or *ALLOBJ special authority in their user profile can view any spooled file on the system, regardless of any other measures taken to secure the output queue. Therefore *SPLCTL and *ALLOBJ special authority should be removed from all profiles that do not have a need to know.

*DSPDTA is Display any file.
*OPRCTL is Operator controlled.
*AUTCHK is Authority to check.
*DTAAUT means that authority to spooled files in the output queue is determined by authority to the output queue object itself.

Opt   Object   Type     Library     Attribute   Text
__    RAYOUTQ  *DEVD     QSYS        PRTLCL
__    RAYOUTQ  *OUTQ     QUSRSYS
__    RAYOUTQ  *MSGQ     QGPL

Type 2 next to the object of type *OUTQ to edit authority. You …
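Putting the steps above together as a CL script (an added example, not from the original post): RAYOUTQ in QUSRSYS is the queue from the listing, while the profiles RAYUSER, RAYOPR and GRPACCT are assumed.

```cl
/* Added example (not from the original post). Names are assumptions:       */
/* RAYOUTQ in QUSRSYS is the queue from the listing; RAYUSER, RAYOPR and     */
/* GRPACCT are hypothetical user and group profiles.                         */

/* 1. Take *SPLCTL away from a profile that has no need to know.             */
/*    SPCAUT() replaces the whole list, so name every special authority the  */
/*    user should keep; *NONE here assumes RAYUSER needs no other one.       */
CHGUSRPRF  USRPRF(RAYUSER) SPCAUT(*NONE)

/* 2. Harden the queue itself.                                               */
/*    DSPDTA(*OWNER)  - users may display only spooled files they created.   */
/*    OPRCTL(*NO)     - *JOBCTL special authority does not control this      */
/*                      queue.                                               */
/*    AUTCHK(*DTAAUT) - control of files is decided by data authority to the */
/*                      *OUTQ object (*READ, *ADD and *DLT), not by          */
/*                      ownership of the queue.                              */
CHGOUTQ    OUTQ(QUSRSYS/RAYOUTQ) DSPDTA(*OWNER) OPRCTL(*NO) +
             AUTCHK(*DTAAUT)

/* 3. Set object authority by need to know (the command behind option 2 in   */
/*    the listing is EDTOBJAUT; these are its non-interactive equivalents).  */
/*    *PUBLIC is excluded; the accounting group may use the queue and see    */
/*    its own files; the designated operator gets *CHANGE, which includes    */
/*    *READ, *ADD and *DLT and therefore controls every file on the queue.   */
GRTOBJAUT  OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(GRPACCT) AUT(*USE)
GRTOBJAUT  OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(RAYOPR)  AUT(*CHANGE)

/* 4. Verify: confirm *SPLCTL is gone and review who holds what on the      */
/*    queue. The caution above still applies: any profile that keeps        */
/*    *SPLCTL or *ALLOBJ sees every spooled file regardless of these steps.  */
DSPUSRPRF  USRPRF(RAYUSER)
DSPOBJAUT  OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ)
```

Run the test in the order shown, then sign on as RAYUSER and use WRKOUTQ against RAYOUTQ to confirm that only that user's own spooled files are visible.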