Security is an important consideration regardless of the size of your installation. Each month, this column addresses your questions and concerns. To submit an inquiry, use the MC-BBS at (619) 931-9909 or fax me directly at (507) 252-9615. Then, look for your answer in future columns.
The questions and answers in this month's column all deal with spooled files. It is important that you observe the following caveat. Warning: A user with Spool Control (*SPLCTL) special authority is not limited by any restrictions associated with output queues. *SPLCTL special authority allows the user to perform all operations on all output queues. Limit the number of users that have *SPLCTL special authority if you want to secure output queues.
Wayne O. Evans, Chief of Security
Q: My system supports three types of printed output.
o General Output. No restrictions on who can view the printout.
o Limited Viewing. Data that can be viewed by a group of users in the sales analysis area but should not be generally available.
o Sensitive Output. Payroll information that can be accessed by only the individual responsible for printing payroll.
How can I allow access to some output while limiting the users from gaining access to sensitive output which is waiting to print?
A: You cannot directly grant and revoke authority to view and manipulate a spooled file. The authority to a spooled file is controlled by the parameters on the output queue that holds the spooled file. Unless you control the security of output queues on your system, unauthorized users can display, print, and even copy sensitive information that is waiting to print.
However, there is a method for protecting confidential output: create a special output queue. You can then send confidential output to that queue and control who can view and manipulate the spooled files on it through the authority granted to the output queue.
The security parameters for an output queue are specified using the Create Output Queue (CRTOUTQ) command or the Change Output Queue (CHGOUTQ) command. The three parameters on the output queue that control security are Display Data (DSPDTA), Authority to Check (AUTCHK) and Operator-controlled Check (OPRCTL). Figures 1, 2 and 3 list the possible values (with defaults marked) for the DSPDTA, AUTCHK and OPRCTL parameters, respectively. The IBM reference manual explains these parameters in detail; but since they are somewhat complex, it is best to look at an example.
Let's examine three output queues with different attributes. These examples can be used as a model for your own output queues.
1. General-purpose output queue. All users are allowed to display all spooled files. The system operators are allowed to manage the queue and change spooled files.
CRTOUTQ OUTQ(QGPL/SHARED) +
        DSPDTA(*YES) +
        AUTCHK(*DTAAUT) +
        OPRCTL(*YES) +
        AUT(*USE)
2. Access limited to application area. Only members of the sales analysis area that have a group profile of GRPSALES are allowed to use the output queue. Only sales analysis users of the output queue are allowed to display all spooled files. System operators are not allowed to work with the output queue.
CRTOUTQ OUTQ(SALESLIB/SALESOUTQ) +
        DSPDTA(*YES) +
        AUTCHK(*DTAAUT) +
        OPRCTL(*NO) +
        AUT(*EXCLUDE)
GRTOBJAUT OBJ(SALESLIB/SALESOUTQ) +
          OBJTYP(*OUTQ) +
          USER(GRPSALES) +
          AUT(*CHANGE)
Note: If the SALESOUTQ were owned by the group profile GRPSALES, then this Grant Object Authority (GRTOBJAUT) command would not be required.
3. Confidential output queue. This output queue is shared by users printing confidential files and documents. Users can work with their own spooled files only. System operators can work with the spooled files, but they cannot display the contents of the files.
CRTOUTQ OUTQ(PAYROLL/PAYOUTQ) +
        DSPDTA(*OWNER) +
        AUTCHK(*OWNER) +
        OPRCTL(*YES) +
        AUT(*USE)
Q: Does this mean that if I put data on a sensitive output queue I cannot access the data?
A: When you create a spooled file, you are the owner of that file. You can always view and manipulate any spooled files you own, regardless of how the authority for the output queue is defined. You must have *READ authority to add new entries to an output queue. If your authority to an output queue is removed, you can still access any entries you own on that queue using the Work with Spooled Files (WRKSPLF) command.
For audit purposes, some installations attempt to store the job log in a restricted output queue. This is not effective because the user can still use WRKSPLF to delete the job log from a previous session.
Q: I want to give menu-mandatory users a menu option that allows them to view only the spooled files they have created. I do not want users to access the spooled files of other users. I have created a menu option that runs WRKSPLF, limiting output to the current user.
WRKSPLF USER(*CURRENT)
This provides users with a list of their spooled files as I intended. Some users have discovered that function key F22 allows them the capability to access the spooled files of other users.
Is there a way to restrict the use of function key F22 from the WRKSPLF screen? I would rather not write a complex program to replace the function of the IBM panel just to prevent a misuse of function key F22.
A: Good news! You are almost there, with no programming changes required. You have a good start.
o The menu-mandatory users have a user profile attribute, LMTCPB(*YES), that prevents the users from entering commands on the command line displayed on most IBM panels. This limits the user to selecting menu options and not entering commands directly.
o You have created a menu option for users that allows them to view their spooled files.
The problem is that the IBM WRKSPLF panel (Figure 4) supports function key F22, which allows access to the output of other users.
You can restrict function key F22 if you understand how IBM implemented the WRKSPLF panel. Function key F22 uses the Work with Writers (WRKWTR) command to display the output queue for all printers. If you restrict the user's access to the WRKWTR command, the function key cannot be used and the option does not appear on the user's menu.
The command to restrict access to the WRKWTR command is:
GRTOBJAUT OBJ(QSYS/WRKWTR) +
          OBJTYP(*CMD) +
          USER(*PUBLIC) +
          AUT(*EXCLUDE)
You will need to grant access to the users who are allowed the function, using this command:
GRTOBJAUT OBJ(QSYS/WRKWTR) +
          OBJTYP(*CMD) +
          USER(user_profile) +
          AUT(*USE)
The restriction of authority is only effective if you are running with object-level security. (QSECURITY must be 30 or 40.)
Security Patrol: Security Questions & Answers
Figure 1 Options on the DSPDTA Parameter
*NO (default)  A user cannot display, send or copy spooled files owned by other users, unless the user has one of the following:
    o *JOBCTL special authority, if the OPRCTL parameter is *YES.
    o *CHANGE authority to the output queue, if the AUTCHK parameter is *DTAAUT.
    o *ALL authority to the output queue.
*YES           Any user with *READ authority to the output queue can display, copy or send the data of any spooled file on the queue.
*OWNER         Only the owner of a spooled file can display, copy, send or move the file. If the OPRCTL value is *YES, users with *JOBCTL special authority can hold, change, delete and release spooled files on the output queue, but they cannot display, copy, send or move the spooled files. This allows operators to manage entries on an output queue without being able to view the contents.
Figure 2 Options on the AUTCHK Parameter
*OWNER (default)  Only a user with *ALL authority to the output queue can change or delete any spooled file.
*DTAAUT           Any user with *READ, *ADD and *DLT authority to the output queue can change or delete any spooled file on the queue.
Figure 3 Options on the OPRCTL Parameter
The OPRCTL parameter determines the access of users with *JOBCTL special authority.
*YES (default)  A user with *JOBCTL special authority can perform all functions on the spooled files, unless the DSPDTA value is *OWNER. If the DSPDTA value is *OWNER, *JOBCTL special authority does not allow the user to display, copy, send or move spooled files.
*NO             *JOBCTL special authority does not give the user any authority to perform operations on the output queue. Normal authority rules apply to the user.
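To make the rules in Figures 1 to 3 concrete, here is an added decision model (not from the column or from IBM) that encodes them, together with the "owner always has access" rule from the second answer, and checks them against the three queues created in the first answer. It assumes the object-authority ladder *EXCLUDE < *USE < *CHANGE < *ALL, with *USE carrying *READ and *CHANGE carrying *READ, *ADD and *DLT to the queue.

```python
# Decision model of the DSPDTA/AUTCHK/OPRCTL rules in Figures 1-3 plus the
# "owner always has access" rule, applied to the column's three queues. Added
# example; assumes *EXCLUDE < *USE (*READ) < *CHANGE (*READ, *ADD, *DLT) < *ALL.
from dataclasses import dataclass

LEVELS = ("*EXCLUDE", "*USE", "*CHANGE", "*ALL")

@dataclass(frozen=True)
class OutQ:
    dspdta: str  # *NO, *YES or *OWNER
    autchk: str  # *OWNER or *DTAAUT
    oprctl: str  # *YES or *NO

@dataclass(frozen=True)
class User:
    name: str
    outq_aut: str = "*EXCLUDE"        # object authority to the queue
    special: frozenset = frozenset()  # e.g. {"*JOBCTL"} or {"*SPLCTL"}

def _at_least(aut, level):
    return LEVELS.index(aut) >= LEVELS.index(level)

def _operator(user, q):
    # *JOBCTL counts only on a queue created with OPRCTL(*YES)
    return q.oprctl == "*YES" and "*JOBCTL" in user.special

def can_display(user, owner, q):
    """Can user display, copy or send a file owned by `owner` on queue q?"""
    if "*SPLCTL" in user.special or user.name == owner:
        return True
    if q.dspdta == "*OWNER":
        return False  # operators may manage the file but never see it
    if q.dspdta == "*YES":
        return _at_least(user.outq_aut, "*USE")  # *READ to the queue
    # DSPDTA(*NO): operator, *ALL, or *CHANGE when AUTCHK(*DTAAUT)
    return (_operator(user, q) or user.outq_aut == "*ALL"
            or (q.autchk == "*DTAAUT" and _at_least(user.outq_aut, "*CHANGE")))

def can_change(user, owner, q):
    """Can user hold, release, change or delete a file owned by `owner`?"""
    if "*SPLCTL" in user.special or user.name == owner or _operator(user, q):
        return True
    if q.autchk == "*OWNER":
        return user.outq_aut == "*ALL"
    return _at_least(user.outq_aut, "*CHANGE")  # *READ, *ADD and *DLT

# The three queues from the first answer; public authority noted per queue
SHARED = OutQ("*YES", "*DTAAUT", "*YES")     # QGPL/SHARED, AUT(*USE)
SALESOUTQ = OutQ("*YES", "*DTAAUT", "*NO")   # SALESLIB/SALESOUTQ, AUT(*EXCLUDE)
PAYOUTQ = OutQ("*OWNER", "*OWNER", "*YES")   # PAYROLL/PAYOUTQ, AUT(*USE)
```

Pass each user with the authority the queue's AUT value or GRTOBJAUT gives them; on PAYOUTQ an operator with *JOBCTL gets True from can_change but False from can_display, which is exactly the behaviour the third queue is built for.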
Figure 4 WRKSPLF Screen
                         Work with All Spooled Files

Type options, press Enter.
  1=Send   2=Change   3=Hold   4=Delete   5=Display   6=Release   7=Messages
  8=Attributes   9=Work with printing status

                          Device or                       Total   Cur
Opt  File      User       Queue     User Data   Sts   Pages   Page  Copy
     XXXXXXXX  XXXXXXXX   XXXXXXXX  XXXXXXXXX   XXX     X       X     X
     XXXXXXXX  XXXXXXXX   XXXXXXXX  XXXXXXXXX   XXX     X       X     X
     XXXXXXXX  XXXXXXXX   XXXXXXXX  XXXXXXXXX   XXX     X       X

Parameters for options 1, 2, 3 or command
===>
F3=Exit   F10=View 3   F11=View 2   F12=Cancel   F22=Printers   F24=More keys

(Callout on the figure: F22 can show files of other users.)