TORONTO USERS GROUP for Midrange Systems
One of the more complex aspects of security on the AS/400 is that of securing
spooled files. Spooled files do not conform to the standard methods of
securing objects, since spooled files are stored as members of data files
in the library QSPL.
More and more, end-users are being given control over their own AS/400 printouts and printers. They often start printers, hold and release spooled files, or move spooled files from one output queue to another. This can lead to problems when end-users answer messages for system printers, or when they hold, release or view spooled files belonging to other users.
This article reduces the need to completely understand all aspects of spooled file security. It gives one specific configuration example that applies to many OS/400 implementations. It consists of a system printer, a general user-controlled printer, and a private/secured printer. This example can be used as a guide to configure your own printer and spooled file security.
Authority lists and group profiles may be used instead
of the specific user authorities shown in this article. In order to keep
everything as simple as possible, the configuration of the authority lists
and group profiles is not discussed here.
User Profiles:
QSYSOPR - The system operator(s) should have Job Control (*JOBCTL) to access most output queues.
USR01 - User with a PC equipped with a printer, or requiring control access to a specific printer.
PAY01 - Payroll user with full control over a payroll printer.
Notes:
No users, other than the system operator (QSYSOPR), should
have Job Control (*JOBCTL) special authority. Remember: Unless otherwise
specified, programmers have job control authority. This authority enables
them to control (any) job priorities, jobs owned by other users, and spooled
files on output queues under operator control (OPRCTL parameter). User
profile "Spool Control" (*SPLCTL) special authority should be restricted
to security officer(s). With this authority, a user can view and control
all spooled files on all output queues regardless of security. This article
assumes that the AS/400 is operating at security level 30 or above, and
that user profile "All Object" (*ALLOBJ) special authority is restricted
to security officer(s) only. This authority gives users full access to
control spooled files on all output queues, and the ability to control
printers.
1. System Printer (SYSPRT) Configuration
This printer is to be controlled by the system operator
only. Any user can use the printer (in other words, send spooled files
to the associated output queue), but the queue and printer remain under
control of the operator. Users can only view and control their own spooled
files.
Output Queue:
CRTOUTQ OUTQ(SYSPRT) +
        DSPDTA(*NO) OPRCTL(*YES) +
        AUTCHK(*DTAAUT)

EDTOBJAUT SYSPRT *OUTQ
User      Authority
QSYS      *ALL
QSPL      *USE
*PUBLIC   *USE

Printer Device Description:
EDTOBJAUT SYSPRT *DEVD
User      Authority
QSYS      *ALL
QSPL      *USE
QSYSOPR   *USE
*PUBLIC   *EXCLUDE

CHGDEVPRT DEVD(SYSPRT) +
        MSGQ(QSYSOPR)

Message Queue:
EDTOBJAUT QSYSOPR *MSGQ
User      Authority
QSYSOPR   *ALL
QPGMR     *CHANGE (optional)
*PUBLIC   *OBJOPR *READ *ADD

Only programmers and operators will be able to answer system operator messages.
2. User Printer (USRPRT) Configuration
This printer is controlled by user USR01 and the system
operator only. Any user can use the printer (in other words, send spooled
files to the associated output queue). Users can only view and control their
own spooled files.
Output Queue:
CRTOUTQ OUTQ(USRPRT) +
        DSPDTA(*NO) OPRCTL(*YES) +
        AUTCHK(*DTAAUT)

EDTOBJAUT USRPRT *OUTQ
User      Authority
QSYS      *ALL
QSPL      *USE
USR01     *CHANGE
*PUBLIC   *USE

Printer Device Description:
EDTOBJAUT USRPRT *DEVD
User      Authority
QSYS      *ALL
QSPL      *USE
QSYSOPR   *USE
USR01     *USE
*PUBLIC   *EXCLUDE

CHGDEVPRT DEVD(USRPRT) +
        MSGQ(USR01)

Message Queue:
EDTOBJAUT USR01 *MSGQ
User      Authority
USR01     *ALL
QSYSOPR   *CHANGE
*PUBLIC   *OBJOPR *ADD

3. Payroll Printer (PAYPRT) Configuration
Output Queue:
CHGOUTQ OUTQ(PAYPRT) +
        DSPDTA(*NO) OPRCTL(*NO) +
        AUTCHK(*DTAAUT)

EDTOBJAUT PAYPRT *OUTQ
User      Authority
QSYS      *ALL
QSPL      *USE
PAY01     *CHANGE
*PUBLIC   *EXCLUDE

Device Description:
EDTOBJAUT PAYPRT *DEVD
User      Authority
QSYS      *ALL
QSPL      *USE
PAY01     *USE
*PUBLIC   *EXCLUDE

CHGDEVPRT DEVD(PAYPRT) +
        MSGQ(PAY01)

Message Queue:
EDTOBJAUT PAY01 *MSGQ
User      Authority
PAY01     *ALL
*PUBLIC   *OBJOPR *ADD

4. General Output Queue (GEN) Configuration
Users may need access to the "Work with Spooled Files" command (WRKSPLF) to move spooled files. The queue can be controlled by the system operator only. Users can only view and control their own spooled files.
Output Queue:
CRTOUTQ OUTQ(GEN) +
        DSPDTA(*NO) OPRCTL(*YES) +
        AUTCHK(*DTAAUT)

EDTOBJAUT GEN *OUTQ
User      Authority
QSYS      *ALL
QSPL      *USE
*PUBLIC   *USE
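The private payroll printer from section 3 is the case where a mistake is most costly, so here is the same configuration as a CL program that can be compiled and re-run instead of worked through the interactive EDTOBJAUT screens. This is an added example, not part of the original article; it uses GRTOBJAUT/RVKOBJAUT (the non-interactive equivalents of EDTOBJAUT) and assumes that device description PAYPRT and user profile PAY01 already exist, that the output queue does not yet exist, and that the queue and PAY01's message queue live in library QUSRSYS.

```cl
/* SECPAYPRT - added example (not the article's own code).           */
/* Assumes: device PAYPRT and user PAY01 exist, output queue does    */
/* not yet exist, queue and message queue are in QUSRSYS.            */
PGM

  /* Output queue: not visible to *JOBCTL operators (OPRCTL(*NO)),   */
  /* users can display only their own files (DSPDTA(*NO)), and       */
  /* control of other users' files is decided by data authority to   */
  /* the queue (AUTCHK(*DTAAUT)). Created with *PUBLIC *EXCLUDE.     */
  CRTOUTQ    OUTQ(QUSRSYS/PAYPRT) DSPDTA(*NO) OPRCTL(*NO) +
               AUTCHK(*DTAAUT) AUT(*EXCLUDE)
  /* *CHANGE gives PAY01 *READ *ADD *DLT data authority, so PAY01    */
  /* can control every spooled file on the queue.                    */
  GRTOBJAUT  OBJ(QUSRSYS/PAYPRT) OBJTYPE(*OUTQ) USER(PAY01) +
               AUT(*CHANGE)
  GRTOBJAUT  OBJ(QUSRSYS/PAYPRT) OBJTYPE(*OUTQ) USER(QSPL) AUT(*USE)

  /* Printer device: only PAY01 (plus the QSPL profile) may use it. */
  RVKOBJAUT  OBJ(QSYS/PAYPRT) OBJTYPE(*DEVD) USER(*PUBLIC) AUT(*ALL)
  GRTOBJAUT  OBJ(QSYS/PAYPRT) OBJTYPE(*DEVD) USER(PAY01) AUT(*USE)
  GRTOBJAUT  OBJ(QSYS/PAYPRT) OBJTYPE(*DEVD) USER(QSPL) AUT(*USE)

  /* Printer messages go to PAY01's queue. *PUBLIC keeps *OBJOPR and */
  /* *ADD so the system can send messages there, but cannot read or  */
  /* answer them.                                                     */
  CHGDEVPRT  DEVD(PAYPRT) MSGQ(QUSRSYS/PAY01)
  RVKOBJAUT  OBJ(QUSRSYS/PAY01) OBJTYPE(*MSGQ) USER(*PUBLIC) AUT(*ALL)
  GRTOBJAUT  OBJ(QUSRSYS/PAY01) OBJTYPE(*MSGQ) USER(*PUBLIC) +
               AUT(*OBJOPR *ADD)

  /* Check: print the resulting authority lists for review against  */
  /* the tables in section 3 before the queue goes live.            */
  DSPOBJAUT  OBJ(QUSRSYS/PAYPRT) OBJTYPE(*OUTQ) OUTPUT(*PRINT)
  DSPOBJAUT  OBJ(QSYS/PAYPRT) OBJTYPE(*DEVD) OUTPUT(*PRINT)
  DSPOBJAUT  OBJ(QUSRSYS/PAY01) OBJTYPE(*MSGQ) OUTPUT(*PRINT)
ENDPGM
```

Run it from a security officer profile (it needs authority to grant on all three objects), and compare the three DSPOBJAUT reports with the section 3 tables; any extra user or a *PUBLIC authority above *EXCLUDE on the queue or device is a finding.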
Using the above example as a guide, you can quickly secure
your AS/400 spooled files and printers. Be sure to test your implementation
on a single printer/output queue first, then add other objects over time.