Let’s chat a little about one of the security buzzwords, Need to Know Access, and how it affects spool files. The good thing is that policies and laws are being put in place to protect clients and organizations. Your company’s spool files can contain privileged information that could cause your clients and/or your organization harm. Therefore, if we are going to protect our data on a Need to Know Access basis, we also need to get control over who can print, move, delete, or view the spool files.
Let’s have a look at how *SPLCTL special authority assigned to user profiles on the IBM i (AS/400) system works, and how easily we can secure spool files for Need to Know Access.
*SPLCTL special authority gives the user profile control of every spooled file (data that can be printed) on the system, regardless of the authorities on the output queues that hold them. Therefore, when we assign *SPLCTL, that user can see all spooled data on the system, including financial and audit information.
The best way to eliminate this risk is to secure the output queues (OUTQs) that hold the spool files on a Need to Know Access basis.
The first thing to do is test. To test, remove *SPLCTL from a user profile that should not have it and follow the steps below, which show how quickly you can secure an output queue so that only authorized users with Need to Know Access can view, delete, move, or print its spooled files.
An output queue can be set up so that some users may not use it at all, some users may view or change only their own spooled files (that is, spooled files they created), and some users may view or change anything in the output queue.
Caution: Any user with *SPLCTL or *ALLOBJ special authority in their user profile can view any spooled file on the system regardless of any other measures taken to secure the output queue. Therefore *SPLCTL and *ALLOBJ special authority should be removed from all profiles that do not have a need to know.
Three parameters of the output queue itself (set with CRTOUTQ or CHGOUTQ, shown by WRKOUTQD) control who can work with the spooled files in it:
DSPDTA (Display any file) controls whether users with *READ authority to the output queue can display, copy, or send spooled files they do not own. DSPDTA(*NO) limits them to their own files.
OPRCTL (Operator controlled) controls whether users with *JOBCTL special authority can control the queue and its spooled files. OPRCTL(*NO) keeps operators without a need to know out of it.
AUTCHK (Authority to check) controls what lets a user change or delete other users’ spooled files on the queue: *OWNER (the user must own the output queue object) or *DTAAUT.
*DTAAUT means that authority to spooled files in the output queue is determined by authority to the output queue object itself, so the private authorities granted on the *OUTQ object, described next, decide who can do what.
Find the output queue with WRKOBJ. Here the queue is named RAYOUTQ; a printer device description and a message queue of the same name show up alongside it:
Opt  Object     Type    Library   Attribute  Text
__   RAYOUTQ    *DEVD   QSYS      PRTLCL
__   RAYOUTQ    *OUTQ   QUSRSYS
__   RAYOUTQ    *MSGQ   QGPL
Type 2 (Edit authority) next to the object of type *OUTQ. You will see something similar to the following:
Object
User       Group      Authority
JOE                   *CHANGE
QSPL                  *CHANGE
MIKE                  *USE
*PUBLIC               *EXCLUDE
Users with authority of *CHANGE, such as JOE, can view, move, print, change, or delete any item in the output queue, regardless of whether they created it themselves. QSPL is the profile the spooling subsystem runs under; it needs *CHANGE so that the system itself can place spooled files on the queue and print them, so leave that entry alone.
Users with authority of *USE, such as MIKE, can view, print, change, delete, and so on, only items in the output queue that they created themselves.
Users with authority of *EXCLUDE, such as *PUBLIC, cannot view, print, change, delete, and so on, anything in the output queue. They cannot create anything in the output queue and cannot move anything into it.
Any user not specifically designated (that is, any user who has no private authority) falls under the authority of *PUBLIC. Since the majority of users are normally kept out of a sensitive output queue, the authority for *PUBLIC is usually *EXCLUDE on a secured output queue.
To add more users to the list of those with authority to the output queue, press F6 (Add new users) and enter each user and the authority to grant:
Object
User              Authority
_______________   ______________
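As an added example (not from the original article or the IBM page it cites), here is the same procedure as CL commands so it can be scripted and repeated across queues. The queue RAYOUTQ in QUSRSYS and the users JOE, MIKE and QSPL are taken from the displays above; that MIKE needs no other special authorities is an assumption made for the test step.

```cl
/* Added example, not from the original article. Secures the output    */
/* queue RAYOUTQ in QUSRSYS for Need to Know Access. Names are taken    */
/* from the displays in the article; treat them as illustrative.        */

/* 1. Set the queue's own security parameters.                          */
/*    DSPDTA(*NO)     users with only *READ can display, copy or send   */
/*                    nothing but their own spooled files               */
/*    OPRCTL(*NO)     *JOBCTL special authority alone gives no control  */
/*                    over this queue                                   */
/*    AUTCHK(*DTAAUT) *CHANGE authority to the *OUTQ object is what     */
/*                    allows working with other users' spooled files    */
CHGOUTQ OUTQ(QUSRSYS/RAYOUTQ) DSPDTA(*NO) OPRCTL(*NO) AUTCHK(*DTAAUT)

/* 2. Deny everyone by default: users without a private authority       */
/*    fall under *PUBLIC.                                               */
GRTOBJAUT OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. Grant Need to Know Access. QSPL is the profile the spooling       */
/*    subsystem runs under and must keep *CHANGE so the system can      */
/*    place and print spooled files on the queue.                       */
GRTOBJAUT OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(QSPL) AUT(*CHANGE)
GRTOBJAUT OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(JOE)  AUT(*CHANGE)
GRTOBJAUT OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(MIKE) AUT(*USE)

/* 4. Verify. WRKOUTQD shows DSPDTA, OPRCTL and AUTCHK; DSPOBJAUT lists */
/*    every private authority, so entries left over from before the     */
/*    lockdown can be spotted and revoked with RVKOBJAUT.               */
WRKOUTQD  OUTQ(QUSRSYS/RAYOUTQ)
DSPOBJAUT OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ)

/* 5. Test as the article describes: take *SPLCTL away from a profile   */
/*    that should not have it. SPCAUT replaces the whole list, so name  */
/*    every special authority the profile should keep (assumed none     */
/*    here). Then sign on as that user and confirm that                 */
/*    WRKOUTQ RAYOUTQ shows only spooled files they created.            */
CHGUSRPRF USRPRF(MIKE) SPCAUT(*NONE)
```

Run the verification step before and after the change: the DSPOBJAUT listing is the authoritative record of who can reach the queue, and a forgotten *CHANGE entry or a *PUBLIC authority other than *EXCLUDE undoes the rest of the work.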
Source: https://www.ibm.com/support/pages/securing-output-queue