Securing Spool Files

Let’s talk briefly about the security buzzword you need to know, Need To Know Access, and how it affects spool files. The good news is that policies and laws are being put in place to protect clients and organizations. Your company’s spool files can contain privileged information that could harm your clients and/or your organization. Therefore, if we are going to protect our data on a Need To Know Access basis, we also need to control who can print, move, delete or view spool files.

Let’s have a look at how *SPLCTL special authority assigned to user profiles on the IBM i (AS/400) system works and how easily we can secure spool files for Need to Know Access.

*SPLCTL special authority actually gives the user profile the equivalent of all-object authority to every spool file (data that can be printed) on the system. Therefore, when we assign *SPLCTL, that user can see all data on the system, including financial and audit information.

The best way to eliminate this risk is to secure the output queues (OUTQs) that hold the spool files on a Need to Know Access basis.

The first thing that needs to be performed is testing. To test, remove *SPLCTL from the user profile and follow the steps below:

The following shows how quickly you can secure output queues so that only authorized users with Need to Know Access can view, delete, move or print spooled files.

An output queue can be set up so that some users cannot use it at all, some users may view or change only their own spooled files (that is, spooled files they created), and some users may view or change anything in the output queue.

Caution: Any user with *SPLCTL or *ALLOBJ special authority in their user profile can view any spooled file on the system, regardless of any other measures taken to secure the output queue. Therefore, *SPLCTL and *ALLOBJ special authority should be removed from all profiles that don’t have a need to know.

The output queue parameters involved are:

DSPDTA is Display any file.
OPRCTL is Operator controlled.
AUTCHK is Authority to check.
*DTAAUT, a value of AUTCHK, means that authority to spooled files in the output queue is determined by authority to the output queue object itself.

Opt   Object     Type     Library     Attribute   Text
__    RAYOUTQ    *DEVD    QSYS        PRTLCL
__    RAYOUTQ    *OUTQ    QUSRSYS
__    RAYOUTQ    *MSGQ    QGPL

Type 2 (Edit authority) next to the object of type *OUTQ. You will see something similar to the following:

                         Object
User        Group        Authority
JOE                      *CHANGE
QSPL                     *CHANGE
MIKE                     *USE
*PUBLIC                  *EXCLUDE

Users with *CHANGE authority, such as JOE, can view, move, print, change or delete any item in the output queue, regardless of whether they created it themselves.

Users with *USE authority, such as MIKE, can view, print, change, delete, and so on, only the items in the output queue that they created themselves.

Users with *EXCLUDE authority, such as *PUBLIC, cannot view, print, change, delete, and so on, anything on the output queue. They cannot create anything on the output queue and cannot move anything into it.

Any user not specifically designated (that is, any user who has no private authority) falls under the authority of *PUBLIC. Since the majority of users are normally kept out of a sensitive output queue, the *PUBLIC authority on a secured output queue is usually *EXCLUDE.

To add more users to the list of those with authority to the output queue, press F6. You will be given a blank line to fill in:

                         Object
User                     Authority
_______________          ______________
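The CL commands that carry out the steps above, as an added example that is not part of the IBM page or this post. It assumes the RAYOUTQ queue in QUSRSYS and the users JOE and MIKE from the screens shown; the values DSPDTA(*NO) OPRCTL(*NO) AUTCHK(*DTAAUT) are an assumption chosen to produce the *CHANGE / *USE / *EXCLUDE behaviour described above.

```cl
/* Added example, not from the page or from IBM: secure the RAYOUTQ     */
/* output queue in QUSRSYS for Need to Know Access. Queue, library and  */
/* user names are taken from the screens above; parameter values are    */
/* an assumption. Run from a profile authorized to change the queue and */
/* the user profiles involved.                                          */

/* 1. Remove *SPLCTL from the test profile. SPCAUT replaces the whole   */
/*    list, so respecify every special authority JOE should keep        */
/*    (here: none). Do the same for any profile without a need to know. */
CHGUSRPRF USRPRF(JOE) SPCAUT(*NONE)

/* 2. Make the *OUTQ object the authority check point:                  */
/*    DSPDTA(*NO)     - users can display only their own spooled files  */
/*                      unless the queue object grants them more         */
/*    OPRCTL(*NO)     - the queue is not operator controlled             */
/*    AUTCHK(*DTAAUT) - authority to the files is decided by authority   */
/*                      to the output queue object itself                */
CHGOUTQ OUTQ(QUSRSYS/RAYOUTQ) DSPDTA(*NO) OPRCTL(*NO) AUTCHK(*DTAAUT)

/* 3. Set the private and public authorities shown in EDTOBJAUT:        */
/*    *CHANGE  - any file in the queue                                   */
/*    *USE     - only files the user created                             */
/*    *EXCLUDE - nothing, and nothing can be created in or moved here    */
GRTOBJAUT OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(JOE)     AUT(*CHANGE)
GRTOBJAUT OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(QSPL)    AUT(*CHANGE)
GRTOBJAUT OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(MIKE)    AUT(*USE)
GRTOBJAUT OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ) USER(*PUBLIC) AUT(*EXCLUDE)

/* 4. Verify the result: queue attributes, the authority list, and the  */
/*    test profile's special authorities.                               */
WRKOUTQD OUTQ(QUSRSYS/RAYOUTQ)
DSPOBJAUT OBJ(QUSRSYS/RAYOUTQ) OBJTYPE(*OUTQ)
DSPUSRPRF USRPRF(JOE) TYPE(*BASIC)

/* 5. Find every remaining profile that still bypasses the queue        */
/*    security through *SPLCTL or *ALLOBJ: the *AUTINFO report lists    */
/*    the special authorities of all user profiles for review.          */
PRTUSRPRF TYPE(*AUTINFO)
```

Test as the page suggests: sign on as MIKE, run WRKOUTQ QUSRSYS/RAYOUTQ, and confirm only MIKE's own spooled files are listed, then repeat as a profile with no private authority and confirm the queue cannot be opened at all.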

Source: https://www.ibm.com/support/pages/securing-output-queue
