Spooled file security

Spooled security is primarily controlled through the output queue that contains the spooled files.

In general, there are five ways that a user can become authorized to control a spooled file (for example, hold or release the spooled file):

  • User is assigned spool control authority (SPCAUT(*SPLCTL)) in the user profile.

    This authority gives a user control of all spooled files in the output queues of all libraries to which the user has *EXECUTE authority. Only grant this authority to appropriate users.

  • User is assigned job control authority (SPCAUT(*JOBCTL)) in the user profile, the output queue is operator-controlled (OPRCTL(*YES)), and the user has *EXECUTE authority to the library that the output queue is in.
  • User is granted authority by the use of a spooled file security exit program. A spooled file security exit program can be registered for the QIBM_QSP_SECURITY exit point to allow more granular access to individual spooled files and to control access/operations to a spooled file for any user. A user can be granted or denied access to any spooled file for one or several operations. For more information about how to use a spooled file security registered exit program, see the Spooled File Security Exit Program topic.
  • User has the required object authority for the output queue. The required object authority is specified by the AUTCHK parameter on the CRTOUTQ command. A value of *OWNER indicates that only the owner of the output queue is authorized to control all the spooled files on the output queue. A value of *DTAAUT indicates that users with *CHANGE authority to the output queue are authorized to control all the spooled files on the output queue. The use of a spooled file security exit program can override this object authority and stop the user from controlling the spooled file.
    Note: The specific authorities required for *DTAAUT are *READ, *ADD, and *DLT data authorities.
  • A user is always allowed to control the spooled files created by that user unless not allowed by a spooled file security exit program.

For the Copy Spooled File (CPYSPLF), Display Spooled File (DSPSPLF), and Send Network Spooled File (SNDNETSPLF) commands, in addition to the five ways already listed, there is an additional way a user can be authorized.

If DSPDTA(*YES) was specified when the output queue was created, any user with *USE authority to the output queue is allowed to copy, display, send, or move spooled files assuming that the user is not stopped by the use of a spooled file security exit program. The specific authority required is *READ data authority.

If the user is authorized to control the file by one of the five ways already listed previously, using DSPDTA(*NO) when creating the output queue will not restrict the user from displaying, copying, or sending the file. DSPDTA authority is only checked if the user is not otherwise authorized to the file.

DSPDTA(*OWNER) is more restrictive than DSPDTA(*NO). If the output queue is created with DSPDTA(*OWNER), only the owner of the spooled file (the person who created it), a user with SPCAUT(*SPLCTL), or a user granted access by the use of a spooled file security exit program can display, copy, or send a file on that queue. Even users with SPCAUT(*JOBCTL) on an operator-controlled (OPRCTL(*YES)) output queue cannot display, copy, move, or send spooled files they do not own.

See the Security topic for details about the authority requirements for individual commands.

To place a spooled file on an output queue, one of the following authorities is required:

  • Spool control authority (SPCAUT(*SPLCTL)) in the user profile. The user must also have *EXECUTE authority to the library that the output queue is in.

    This authority gives a user control of all spooled files on the system and should only be granted to appropriate users. If you have spool control authority you can delete, move, hold, and release any spooled files on the system. You can also change the attributes of any spooled file.

  • Job control authority (SPCAUT(*JOBCTL)) in the user profile and the output queue is operator-controlled (OPRCTL(*YES)). The user must also have *EXECUTE authority to the library that the output queue is in.
  • *READ authority to the output queue. This authority can be given to the public by specifying AUT(*USE) on the CRTOUTQ command.