Troubleshooting
Problem
This document explains how to secure spooled files.
Resolving The Problem
A spooled file is a special type of object on the system. You cannot directly grant and revoke authority to view and manipulate a spooled file. The authority to a spooled file is controlled by several parameters on the output queue that holds the spooled file.
When you create a spooled file, you are the owner of that file. You can always view and manipulate any spooled files you own, regardless of how the authority for the output queue is defined. You must have *READ authority to add new entries to an output queue. If your authority to an output queue is removed, you can still access any entries you own on that queue using the Work with Spooled Files (WRKSPLF) command.
The security parameters for an output queue are specified using the Create Output Queue (CRTOUTQ) command or the Change Output Queue (CHGOUTQ) command. You can display the security parameters for an output queue using the Work with Output Queue Description (WRKOUTQD) command.
Caution: A user with *SPLCTL or *ALLOBJ special authority can perform all functions on all entries, regardless of how the output queue is defined. Some parameters on the output queue allow a user with *JOBCTL special authority to view the contents of entries on the output queue.
Display Data (DSPDTA) Parameter of Output Queue
The DSPDTA parameter is designed to protect the contents of a spooled file. It determines what authority is required to perform the following functions on spooled files owned by other users:
- View the contents of a spooled file (DSPSPLF command)
- Copy a spooled file (CPYSPLF command)
- Send a spooled file (SNDNETSPLF command)
- Move a spooled file to another output queue (CHGSPLFA command)
The possible values for DSPDTA include:
| Value | Description |
| --- | --- |
| *NO | A user cannot display, send, or copy spooled files owned by other users unless the user has one of the following: *JOBCTL special authority if the OPRCTL parameter is *YES; *CHANGE authority to the output queue if the AUTCHK parameter is *DTAAUT; or ownership of the output queue if the AUTCHK parameter is *OWNER. |
| *YES | Any user with *READ authority to the output queue can display, copy, or send the data of spooled files owned by others. |
| *OWNER | Only the owner of a spooled file can display, copy, send, or move the file. If the OPRCTL value is *YES, users with *JOBCTL special authority can hold, change, delete, and release spooled files on the output queue, but they cannot display, copy, send, or move the spooled files. This is intended to allow operators to manage entries on an output queue without being able to view the contents. |
Authority to Check (AUTCHK) Parameter of Output Queue
The AUTCHK parameter determines if *CHANGE authority to the output queue allows a user to change and delete spooled files owned by other users.
The possible values for AUTCHK include:
| Value | Description |
| --- | --- |
| *OWNER | Only the user who owns the output queue can change or delete spooled files owned by others. |
| *DTAAUT | Specifies that any user with *READ, *ADD, and *DLT authority to the output queue can change or delete spooled files owned by others. |
Operator Control (OPRCTL) Parameter of Output Queue
The OPRCTL parameter determines if a user with *JOBCTL special authority can control the output queue.
The possible values for OPRCTL include:
| Value | Description |
| --- | --- |
| *YES | A user with *JOBCTL special authority can perform all functions on the spooled files, unless the DSPDTA value is *OWNER. If the DSPDTA value is *OWNER, *JOBCTL special authority does not allow the user to display, copy, send, or move spooled files. |
| *NO | *JOBCTL special authority does not give the user authority to perform operations on the output queue. Normal authority rules apply to the user. |
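The DSPDTA, AUTCHK and OPRCTL rules above interact, so the following added example combines them into one decision function that can be used to reason about who can read or manage other users' spooled files on a given queue. It is a Python model of the rules as this document states them, not IBM code; the class, field and function names and the sample profiles are hypothetical. It assumes the AUTCHK(*DTAAUT) check means holding *READ, *ADD and *DLT on the queue, and that DSPDTA(*YES) is never stricter than DSPDTA(*NO).

```python
from dataclasses import dataclass

VIEW_OPS = {"display", "copy", "send", "move"}  # functions DSPDTA protects
MANAGE_OPS = {"change", "delete"}               # functions AUTCHK governs
DATA_AUT = {"*READ", "*ADD", "*DLT"}            # AUTCHK(*DTAAUT) requirement

@dataclass(frozen=True)
class OutQ:                       # hypothetical model of an output queue
    owner: str
    dspdta: str = "*NO"           # *NO | *YES | *OWNER
    autchk: str = "*OWNER"        # *OWNER | *DTAAUT
    oprctl: str = "*YES"          # *YES | *NO

@dataclass(frozen=True)
class User:                       # hypothetical model of a user profile
    name: str
    special: frozenset = frozenset()    # special authorities, e.g. {"*JOBCTL"}
    outq_aut: frozenset = frozenset()   # authorities held on the output queue

def allowed(user, outq, splf_owner, op):
    """True if `user` may perform `op` on a spooled file owned by `splf_owner`."""
    if op not in VIEW_OPS | MANAGE_OPS:
        raise ValueError(f"unknown operation: {op}")
    # File owners keep access; *SPLCTL and *ALLOBJ override every queue setting.
    if user.name == splf_owner or user.special & {"*SPLCTL", "*ALLOBJ"}:
        return True
    operator = "*JOBCTL" in user.special and outq.oprctl == "*YES"
    autchk_ok = (DATA_AUT <= user.outq_aut if outq.autchk == "*DTAAUT"
                 else user.name == outq.owner)      # AUTCHK(*OWNER)
    if op in MANAGE_OPS:
        return operator or autchk_ok
    if outq.dspdta == "*OWNER":   # contents hidden even from *JOBCTL operators
        return False
    if outq.dspdta == "*YES" and "*READ" in user.outq_aut:
        return True
    return operator or autchk_ok  # the exceptions listed for DSPDTA(*NO)

def exposure(outq, users, splf_owner):
    """Names of users other than the owner who can display the owner's files."""
    return sorted(u.name for u in users
                  if u.name != splf_owner and allowed(u, outq, splf_owner, "display"))

# Constructed sample profiles (not from the original document).
USERS = [
    User("PAYCLERK", outq_aut=frozenset({"*READ"})),
    User("NIGHTOPR", special=frozenset({"*JOBCTL"})),
    User("SECADMIN", special=frozenset({"*ALLOBJ"})),
    User("QUEUEOWN"),
]
```

Calling `exposure` with the same profiles against different queue settings shows how each parameter widens or narrows the set of users who can read another user's output.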
Historical Number: 4291413
Document Information
Modified date: 16 September 2020
UID: nas8N1014727