A nice feature of OS/400 is it enables you to view the contents of spool files before they have been printed or distributed electronically. For a lot of users, that saves time and paper. But not all spool files should be able to be viewed by every user. This tip takes a look at some ways to control who is allowed to see which spool files on your system.
Print spool files are special objects on your system that are stored in the QSPL library. You cannot control access at the spool file level on your OS/400 system. Access to the spool files must be controlled through the output queue that is associated with each spool file.
If you have sensitive or confidential information stored in a print spool file, the best way to secure it is to create a special output queue (or set of output queues) that are secure to a known set of users. Directing the spool file into the right output queue can sometimes be tricky. OS/400 generally checks the following sequence of things to direct the output from a job:
- the printer file
- job attributes
- user profile
- workstation device description
- system print device (QPRTDEV) system value
To direct your sensitive output to the right output queue, your best bet is to specify it in the printer file being used by your application.
Output queues can be created in any library on your system. Output queues for printer devices generally get created in the QUSRSYS library, but you are not limited by that. To improve security, create your secure output queue in a separate library that has limited access at the library level.
Once the output queue has been created, you can then limit access to it using the Grant Object Authority (GRTOBJAUT) command and Edit Object Authority (EDTOBJAUT) command. To specifically limit general access to the output queue, the PUBLIC setting for the *OUTQ object must be set to *EXCLUDE. Then, in the individual user authorities, you can provide access for specific user profiles or group profiles.
You should also note that user profiles with the special authority of *SPLCTL will be able to view and work with spool files regardless of their access control limitations to your secure output queue. This is a form of all object authority, but applied to only spool files. You should limit the number of profiles on your system that have the *SPLCTL authority in order to maintain the security of your sensitive output queues.
The output queue also has a special setting called the "Display Data" (DSPDTA) parameter that can be used to control viewing spool files. When you set it to *NO, only the spool file owner profile can view the contents of the spool files in the output queue. You can check the value of this parameter using the Work with Output Queue Description (WRKOUTQD) command to see how it is set up for your secure output queue.
There are some other intricacies covered in the OS/400 security manual. If you have any questions about this topic, you can reach me at firstname.lastname@example.org, I'll give it my best shot. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc.s in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.