In today's security-conscious environment, most iSeries-AS/400 shops have been busy investing in improved security for their systems. Object-level security is being locked down and users are being classified as to what they can and cannot do when they are logged onto the system. But securing files is only part of the problem. If a user can't look at a file, but can look at processed output sitting in a print-spool file, then your hard work of locking up the files could be all for naught.
There are a number of things you can do to control spool-viewing abuses. For starters, review your user profiles to see which users have the special authority of *SPLCTL or *JOBCTL. Both of these special authorities can give a user access to spool files. Only security officers and system operators should have these authorities. In a smaller shop, this might also extend to your programmers. Generally speaking, however, most users should not be given these authorities unless the absolutely must manage their own print spool files and job controls. As a first step, these authorities should be limited as much as possible, especially the *SPLCTL authority as it is not subject to any restrictions and allows the user access to all spool files on your system.
Output spool files are special objects on your system and are not, per se, created with standard OS/400 security controls. You can control security on spool files through the way you set up and authorize output queues. If you have output reports with sensitive information, you can control who can see them through the output queue where the report is stored. Output queues are created using the CRTOUTQ (Create Data Queue) command and they can be changed using the CHGOUTQ (Change Data Queue) command. You can view the way an output queue is configured with the WRKOUTQD (Work with Output Queue Description) command.
The user profile that creates the report can always view it and control it. Sensitive reports should be created using a restrictive user profile to prevent widespread use of the spool file. To impose even stricter security, there are several parameters you can set when you create an output queue that will provide more control:
DSPDTA - Helps to protect the contents of spool files by defining who can display, copy, move or send a spool file in the output queue
AUTCHK - Defines what authority is needed to change or delete a spool file
OPRCTL - Defines whether a user profile with *JOBCTL authority can work with spool files in the output queue.
Using these three parameters, you can impose very restrictive access controls to spool files associated with an output queue. The OS/400 Security Reference guide contains a chart showing how the three parameters work together.
Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the AS/400 market.
