There are several things you can do to control spool viewing. For starters, review your user profiles to see which users have the special authority of *SPLCTL or *JOBCTL. Both of these special authorities can give a user access to spool files. Only security officers and system operators should have these authorities. In a smaller shop, this might also extend to your programmers but not always. Generally speaking, most users should not be given these authorities unless they absolutely must manage their own print spool files and job controls. As a first step, these authorities should be limited as much as possible, especially the *SPLCTL authority because it is not subject to any restrictions and allows the user access to all spool files on your system.
Output spool files are special objects on your system and are not, per se, created with standard OS security controls. The way you can control security on spool files is through the way your output queues are set up and authorized. If you have output reports with sensitive information, you can control who can see them by the output queue where the report is stored. Output queues are created using the CRTOUTQ (Create Output Queue) command and they can be changed using the CHGOUTQ (Change Output Queue) command. You can view the way and output queue is configured with the WRKOUTQD (Work with Output Queue Description) command.
The user profile that creates the report can always view it and control it. Sensitive reports should be created using a restrictive user profile to prevent widespread use of the spool file. To impose even stricter security, there are several parameters you can set when you create an output queue that will provide more control:
DSPDTA: Helps to protect the contents of spool files be defining who can display, copy, move or send a spool file in the output queue
AUTCHK: Defines what authority is needed to change or delete a spool file
OPRCTL: Defines whether a user profile with *JOBCTL authority can work with spool files in the output queue.
Using these three parameters, you can impose very restrictive access controls to spool files associated with an output queue. There is a good chart in the Security Reference guide that shows how the three parameters work together. If you have never given this concept much thought, you should conduct a thorough review of how your current output queues are set up to make sure that they conform to your company's security policies already in place.
If you have specific questions about this topic, email me at firstname.lastname@example.org. All email messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.