Controlling access to spool files -- Part 2


Rich Loeber
08.08.2005


In my last tip, I talked about controlling access to spool files through implementation of OS/400 object authority at the output queue level. In this tip, I'll be taking a look at three additional parameters that are associated with OS/400 output queues that can extend the level of control you have over sensitive reports on your system.

Here are the three parameters in question:

  • Display any file (DSPDTA)
  • Operator controlled (OPRCTL)
  • Authority to check (AUTCHK)

Those parameters work to give you more control over access to spool files beyond what is available through object-level controls on the output queue.


One thing to keep in mind is the proliferation of user profiles with the special authority *SPLCTL. That is the equivalent of the evil *ALLOBJ authority -- as applied to spool files. You should restrict granting *SPLCTL to only those user profiles where it is absolutely required. As you read on in this tip, remember that a user profile with *SPLCTL authority can cut through these restrictions, because they will not apply to it (with one exception as noted).

Display any file (DSPDTA) is intended to protect the contents of a spool file by setting authority requirements. There are three values available: *YES, *NO and *OWNER. Each provides progressively increased levels of authority requirements to view, copy or send spool files in the output queue. *YES allows anyone with READ authority to work with files in the output queue. *NO restricts that to the owner, those with *CHANGE authority and those with *SPLCTL special authority. *OWNER further limits that to just the owner profile and any profile with *SPLCTL authority.

Operator controlled (OPRCTL) controls whether or not a user with *SPLCTL special authority is allowed open access to this output queue. The default value on the Create Output Queue (CRTOUTQ) command in OS/400 is *YES, which is why most output queues are open season for users with *SPLCTL authority. Changing that value to *NO will force normal object authority rules to control access to the output queue. If you have an output queue with sensitive information stored and you are concerned about *SPLCTL users gaining access, OPRCTL is the key parameter value that can save the day for you.

Authority to check (AUTCHK) controls how users with *CHANGE authority to the output queue will be given access to change, delete or copy spool files in the queue. When that is set to *OWNER, only the owner profile of the spool file can change or delete spool files. Using the value of *DTAAUT changes that control so it looks at object-level controls for the output queue.

Using the above parameters intelligently can give you much added control over how users access (or don't access) spool files on your system. Using them in combination can be a little confusing. If you look in your OS/400 Security Reference manual under the Work Management section on Securing Spool Files, you will find a full page chart for this set of parameters and how they can be used in combination to achieve your specific objectives.
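The three parameters applied together to one sensitive queue, as an added example that is not part of the original tip. The library SECLIB, the queue PAYROLL and the profile PAYCLERK are hypothetical names, and the comments restate the behavior as this tip describes it.

```cl
/* Added example. SECLIB, PAYROLL and PAYCLERK are hypothetical names.     */

/* Before: queue created with OPRCTL(*YES), the CRTOUTQ default named in   */
/* the tip. Every profile holding *SPLCTL has open access to this queue.   */
CRTOUTQ    OUTQ(SECLIB/PAYROLL) TEXT('Payroll reports') OPRCTL(*YES)

/* After: tighten the same queue in place.                                 */
/*   OPRCTL(*NO)     *SPLCTL no longer bypasses object authority here      */
/*   DSPDTA(*NO)     viewing, copying and sending limited to the owner     */
/*                   and profiles with *CHANGE authority to the queue      */
/*   AUTCHK(*DTAAUT) change and delete follow the object-level authority   */
/*                   on the queue rather than spool file ownership only    */
CHGOUTQ    OUTQ(SECLIB/PAYROLL) DSPDTA(*NO) OPRCTL(*NO) AUTCHK(*DTAAUT)

/* Object-level control from Part 1: shut out the public, then grant       */
/* *CHANGE only to the profile that has to manage these reports.           */
GRTOBJAUT  OBJ(SECLIB/PAYROLL) OBJTYPE(*OUTQ) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(SECLIB/PAYROLL) OBJTYPE(*OUTQ) USER(PAYCLERK) AUT(*CHANGE)

/* Verify: the queue description shows the three parameter values, and     */
/* the authority display shows who holds what on the queue object.         */
WRKOUTQD   OUTQ(SECLIB/PAYROLL)
DSPOBJAUT  OBJ(SECLIB/PAYROLL) OBJTYPE(*OUTQ)
```

Where only the owner of each spool file should ever see it, DSPDTA(*OWNER) with AUTCHK(*OWNER) is the stricter combination.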

If you have any questions about this topic, you can reach me at rich@kisco.com and I'll give it my best shot. All e-mail messages will be answered.

---------------------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

