IBM Support

Auditing Spool Control Special Authority - *SPLCTL

How To


Summary

This document provides guidance on auditing users with the *SPLCTL (Spool Control) special authority on IBM i systems. The SQL query below identifies users who have *SPLCTL special authority either directly or through group membership and correlates their activity with spooled file operations recorded in the audit journal. This approach helps administrators monitor and control access to spooled files, which can contain sensitive output from applications and system processes.

Objective

Analyze spooled file activity for users who have *SPLCTL special authority.

Environment

This SQL is supported only on IBM i release R750 and above.

Steps

Step 1: Using the Run SQL Scripts tool, run the following SQL Statement:
WITH DIRECT_SPLCTL AS (
         SELECT AUTHORIZATION_NAME
             FROM QSYS2.USER_INFO_BASIC
             WHERE SPECIAL_AUTHORITIES LIKE '%SPLCTL%'
     ),
     GROUP_SPLCTL AS (
         SELECT DISTINCT GPE.USER_PROFILE_NAME AS AUTHORIZATION_NAME
             FROM QSYS2.GROUP_PROFILE_ENTRIES GPE
                  JOIN QSYS2.USER_INFO_BASIC GP
                      ON GPE.GROUP_PROFILE_NAME = GP.AUTHORIZATION_NAME
             WHERE GP.SPECIAL_AUTHORITIES LIKE '%SPLCTL%'
     ),
     SPLCTL_USERS AS (
         SELECT AUTHORIZATION_NAME
             FROM DIRECT_SPLCTL
         UNION
         SELECT AUTHORIZATION_NAME
             FROM GROUP_SPLCTL
     )
    SELECT A.ENTRY_TIMESTAMP,
           A.JOB_NAME,
           A.JOB_USER,
           A.JOB_NUMBER,
           A.ENTRY_TYPE,
           A.ENTRY_TYPE_DETAIL,
           A.SPOOLED_FILE_NAME,
           A.OUTPUT_QUEUE
        FROM TABLE (
                 SYSTOOLS.AUDIT_JOURNAL_SF(STARTING_TIMESTAMP => '2025-07-02 00:00:01', 
                 ENDING_TIMESTAMP => '2025-07-02 13:34:00') -- Specify the time period
             ) AS A
             JOIN SPLCTL_USERS U
                 ON A.USER_NAME = U.AUTHORIZATION_NAME
        ORDER BY A.ENTRY_TIMESTAMP
NOTES:
 
  1. The SQL returns spooled file operations only for user profiles that have *SPLCTL special authority through their own user profile, through a group profile, or both.
  2. This SQL is supported only on IBM i release R750 and above.
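
The Step 1 query lists activity but does not show how each profile obtained *SPLCTL. The following companion query is an added example, not part of the original IBM document. It reports, for each profile, whether the authority is direct or which group profiles grant it, along with a count of spooled file audit entries in the same window. It uses only the views, table function and columns shown above; the CTE names and column aliases are illustrative, and the timestamps are the sample window from Step 1.

```sql
-- Added example: where each profile gets *SPLCTL, plus audited SF activity in the window.
WITH SPLCTL_SOURCES AS (
         -- Authority held directly on the user profile
         SELECT AUTHORIZATION_NAME,
                'DIRECT' AS GRANT_SOURCE,
                CAST(NULL AS VARCHAR(10)) AS GRANTING_GROUP
             FROM QSYS2.USER_INFO_BASIC
             WHERE SPECIAL_AUTHORITIES LIKE '%SPLCTL%'
         UNION ALL
         -- Authority inherited from a group profile that holds *SPLCTL
         SELECT GPE.USER_PROFILE_NAME,
                'GROUP',
                GPE.GROUP_PROFILE_NAME
             FROM QSYS2.GROUP_PROFILE_ENTRIES GPE
                  JOIN QSYS2.USER_INFO_BASIC GP
                      ON GPE.GROUP_PROFILE_NAME = GP.AUTHORIZATION_NAME
             WHERE GP.SPECIAL_AUTHORITIES LIKE '%SPLCTL%'
     ),
     SPLCTL_USERS AS (
         -- One row per profile; LISTAGG skips the NULL from the DIRECT row
         SELECT AUTHORIZATION_NAME,
                MAX(CASE WHEN GRANT_SOURCE = 'DIRECT' THEN 'YES' ELSE 'NO' END) AS DIRECT_GRANT,
                LISTAGG(GRANTING_GROUP, ', ')
                    WITHIN GROUP (ORDER BY GRANTING_GROUP) AS GRANTING_GROUPS
             FROM SPLCTL_SOURCES
             GROUP BY AUTHORIZATION_NAME
     ),
     SF_ACTIVITY AS (
         SELECT A.USER_NAME,
                COUNT(*) AS ENTRY_COUNT,
                MAX(A.ENTRY_TIMESTAMP) AS LAST_ENTRY
             FROM TABLE (
                      SYSTOOLS.AUDIT_JOURNAL_SF(STARTING_TIMESTAMP => '2025-07-02 00:00:01',
                      ENDING_TIMESTAMP => '2025-07-02 13:34:00') -- Specify the time period
                  ) AS A
             GROUP BY A.USER_NAME
     )
    SELECT U.AUTHORIZATION_NAME,
           U.DIRECT_GRANT,
           U.GRANTING_GROUPS,
           COALESCE(S.ENTRY_COUNT, 0) AS SF_ENTRY_COUNT,
           S.LAST_ENTRY AS LAST_SF_ENTRY
        FROM SPLCTL_USERS U
             -- LEFT JOIN keeps profiles that hold *SPLCTL but have no SF entries in the window
             LEFT JOIN SF_ACTIVITY S
                 ON S.USER_NAME = U.AUTHORIZATION_NAME
        ORDER BY SF_ENTRY_COUNT DESC, U.AUTHORIZATION_NAME;
```

Profiles with a SF_ENTRY_COUNT of 0 hold the authority but have no recorded spooled file operations in the selected period, which makes them candidates for an access review.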

Document Location

Worldwide


Document Information

Modified date:
09 July 2025

UID

ibm17239278