Kisco Systems

IBM i Security Tips


More About Controlling Access to Spool Files

By Rich Loeber

In my last tip, I talked about controlling access to spool files through implementation of IBM i OS object authority at the output queue level. In this tip, I'll be taking a look at three additional parameters that are associated with IBM i output queues that can extend the level of control you have over sensitive reports on your system.

The three parameters in question are:

  • Display any file (DSPDTA)
  • Operator controlled (OPRCTL)
  • Authority to check (AUTCHK)

These three work to give you more control over access to spool files beyond what is available through object level controls on the output queue.

One thing to keep in mind is the proliferation of user profiles with the *SPLCTL special authority. This is the equivalent of the evil *ALLOBJ authority, but as applied to spool files. You should restrict granting of *SPLCTL to only those user profiles where it is absolutely required. As you read on in this tip, remember that a user profile with *SPLCTL authority can cut through these restrictions, because they will not apply to it (with one exception as noted).

"Display any file" (DSPDTA) is intended to protect the contents of a spool file by setting authority requirements. There are three values available, *YES, *NO and *OWNER. Each of these provides progressively increased levels of authority requirements to view, copy or send spool files in the output queue. *YES allows anyone with READ authority to work with files in the output queue. *NO restricts that to the owner, those with *CHANGE authority and those with *SPLCTL special authority. *OWNER further limits this to just the owner profile and any profile with *SPLCTL authority.

"Operator controlled" (OPRCTL) controls whether or not a user with *SPLCTL special authority is allowed open access to this output queue. The default value on the Create Output Queue (CRTOUTQ) command in the IBM i OS is *YES, which is why most output queues are open season for users with *SPLCTL authority. Changing this value to *NO will force normal object authority rules to control access to the output queue. If you have an output queue that holds sensitive information and you are concerned about *SPLCTL users gaining access, this is the key parameter value that can save the day for you.

"Authority to check" (AUTCHK) controls how users with *CHANGE authority to the output queue will be given access to change, delete or copy spool files in the queue. When this is set to *OWNER, only the owner profile of the spool file can change or delete spool files. Using the value of *DTAAUT changes this control so that it looks at object level controls for the output queue.

Using these parameters intelligently can give you much added control over how users access (or don't access) spool files on your system. Using them in combination can be a little confusing, but if you look in your IBM i OS Security Reference manual under the Work Management section on Securing Spool Files, you will find a full page chart for this set of parameters and how they can be used in combination to achieve your specific objectives.
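
As an added illustration (not part of the original tip and not Kisco's code), the CL below shows a permissive output queue next to a locked-down one that uses all three parameters, followed by commands to review the result. The library PAYLIB, queue names PAYROLL and PAYROLLX, and user PAYCLERK are constructed placeholders.

```cl
/* Constructed names for this example: library PAYLIB, queues PAYROLL and    */
/* PAYROLLX, user profile PAYCLERK.                                          */

/* Permissive form: DSPDTA(*YES) lets anyone with read authority to the      */
/* queue view, copy or send its spool files; OPRCTL(*YES) is the CRTOUTQ     */
/* default the tip warns about; AUTCHK(*DTAAUT) bases change and delete      */
/* rights on object-level authority to the queue.                            */
CRTOUTQ OUTQ(PAYLIB/PAYROLLX) DSPDTA(*YES) OPRCTL(*YES) +
        AUTCHK(*DTAAUT) AUT(*USE) TEXT('Payroll - permissive example')

/* Restrictive form for an existing queue: DSPDTA(*OWNER) is the strictest   */
/* display setting, OPRCTL(*NO) is the value the tip recommends for          */
/* sensitive queues, and AUTCHK(*OWNER) limits change and delete to the      */
/* owner of each spool file.                                                 */
CHGOUTQ OUTQ(PAYLIB/PAYROLL) DSPDTA(*OWNER) OPRCTL(*NO) AUTCHK(*OWNER)

/* Object authority on the queue now matters, so remove public access and    */
/* grant only what the named user needs.                                     */
RVKOBJAUT OBJ(PAYLIB/PAYROLL) OBJTYPE(*OUTQ) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(PAYLIB/PAYROLL) OBJTYPE(*OUTQ) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(PAYLIB/PAYROLL) OBJTYPE(*OUTQ) USER(PAYCLERK) AUT(*USE)

/* Review: queue description (shows the three parameter values), then the    */
/* object authorities on the queue.                                          */
WRKOUTQD  OUTQ(PAYLIB/PAYROLL)
DSPOBJAUT OBJ(PAYLIB/PAYROLL) OBJTYPE(*OUTQ)

/* Report the user profiles that hold *SPLCTL special authority, so the      */
/* list can be trimmed to the profiles that really need it.                  */
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*SPLCTL)
```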

If you have any specific questions about this topic, you can reach me at rich at kisco.com and I'll try to answer your questions. All email messages will be answered.