IBM Support

Securing an Output Queue

Troubleshooting


Problem

This document provides information about securing an output queue so that only some users can view it, move or print spooled files, and so on.

Resolving The Problem

How do I secure an output queue so that only some users can view it, move or print spooled files, and so on?

Answer:

An output can be designated so that some users may not use it at all, some users may view or change only their own spooled files, that is, spooled files they created, and some users may view or change anything in the output queue.
 
Caution: Any user with *SPLCTL or *ALLOBJ special authority in the user profile can view any spooled file on the system regardless of any other measures taken to secure the output queue.

In the following example, assume that the name of the output queue being secured is MYOUTQ.
1. On the operating system command line, type the following:

CHGOUTQ OUTQ(MYOUTQ) DSPDTA(*NO) OPRCTL(*NO) AUTCHK(*DTAAUT)

Press the Enter key.

Note: If you prefer to use CHGOUTQ and prompt with F4, then:

DSPDTA is Display any file.
OPRCTL is Operator controlled.
AUTCHK is Authority to check.
*DTAAUT means that authority to spooled files in the output queue is determined by authority to the output queue object itself.
2. On the operating system command line, type the following:

WRKOBJ MYOUTQ

Press the Enter key. You will see something similar to the following:

Opt   Object   Type     Library     Attribute   Text    
__    MYOUTQ  *DEVD     QSYS        PRTLCL
__    MYOUTQ  *OUTQ     QUSRSYS
__    MYOUTQ  *MSGQ     QGPL

Type 2 next to the object of type *OUTQ to edit authority. You will see something similar to the following:

                Object  
User        Group Authority
LUCY           *CHANGE      
QSPL           *CHANGE  
SAM            *USE      
*PUBLIC        *EXCLUDE


Users with authority of *CHANGE, such as Lucy, can view, print, change, delete, and so on, any item in the output queue, regardless of whether they created it themselves.

Users with authority of *USE, such as Sam, can view, print, change, delete, and so on, only items in the output queue that they created themselves.

Users with authority of *EXCLUDE, such as *PUBLIC, cannot view, print, change, delete, and so on, anything on the output queue. They cannot create anything on the output queue and cannot move anything into the output queue.

Any user not specifically designated (that is, any user who has no private authority) fall under the authority of *PUBLIC. Since the majority of users are normally kept out of a sensitive output queue, the authority for *PUBLIC is usually *EXCLUDE on a secured output queue.

To add additional users to the list of those with authority to the output queue, press F6. You will see something similar to the following:
Object
User Authority
_______________ ______________

Add users with authorities as specified above; for example, *CHANGE means the user has all authority to all spooled files in the output queue, *USE means the user has authority only to spooled files he/she created, and so on.

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"6.1.0"}]

Historical Number

8001115

Document Information

Modified date:
16 September 2020

UID

nas8N1010254