RPGIV @ Work

A unique site for RPG and System i Lovers


Hi, this site will provide all what you need in System i and RPG developments.

My Name is Chamara Withanachchi, System i Expert and RPG Developer. And in the field for last 11 years.

I hope you will find lot of valuable information from this site

Controlling access to spool files Print E-mail
User Rating: / 1
Written by Chamara Withanachchi   
Controlling access to spool files

By : Rich Loeber

A nice feature of OS/400 is it enables you to view the contents of spool files before they have been printed or distributed electronically. For a lot of users, that saves time and paper. But not all spool files should be able to be viewed by every user. This tip takes a look at some ways to control who is allowed to see which spool files on your system.

Print spool files are special objects on your system that are stored in the QSPL library. You cannot control access at the spool file level on your OS/400 system. Access to the spool files must be controlled through the output queue that is associated with each spool file.

If you have sensitive or confidential information stored in a print spool file, the best way to secure it is to create a special output queue (or set of output queues) that are secure to a known set of users. Directing the spool file into the right output queue can sometimes be tricky. OS/400 generally checks the following sequence of things to direct the output from a job:

  • the printer file
  • job attributes
  • user profile
  • workstation device description
  • system print device (QPRTDEV) system value

To direct your sensitive output to the right output queue, your best bet is to specify it in the printer file being used by your application.

Output queues can be created in any library on your system. Output queues for printer devices generally get created in the QUSRSYS library, but you are not limited by that. To improve security, create your secure output queue in a separate library that has limited access at the library level.

Once the output queue has been created, you can then limit access to it using the Grant Object Authority (GRTOBJAUT) command and Edit Object Authority (EDTOBJAUT) command. To specifically limit general access to the output queue, the PUBLIC setting for the *OUTQ object must be set to *EXCLUDE. Then, in the individual user authorities, you can provide access for specific user profiles or group profiles.

You should also note that user profiles with the special authority of *SPLCTL will be able to view and work with spool files regardless of their access control limitations to your secure output queue. This is a form of all object authority, but applied to only spool files. You should limit the number of profiles on your system that have the *SPLCTL authority in order to maintain the security of your sensitive output queues.

The output queue also has a special setting called the "Display Data" (DSPDTA) parameter that can be used to control viewing spool files. When you set it to *NO, only the spool file owner profile can view the contents of the spool files in the output queue. You can check the value of this parameter using the Work with Output Queue Description (WRKOUTQD) command to see how it is set up for your secure output queue.

<Previous   Next>