• Subject: Re: Protection for spool files?
  • From: John Earl <johnearl@xxxxxxxxxx>
  • Date: Mon, 26 Jan 1998 10:07:42 -0800

At 10:35 AM 1/20/98 -0500, you wrote:
>My operator recently had the following problem:
>
>A user deleted our water & sewer bills in an attempt to get rid of one of
their print jobs. Is there a way to allow user to be "empowered" yet protect
our important jobs?
>

I havn't found a way to give users authority to control printers and yet not
enough authority to delete spool files.  The problem is that once a printer
prints a file, the file is deleted from the outq.  This implies that anyone
who can print a file has the ability to delete it.

Additionally, one of the rules of spool files is that a user that creates a
spool file will always have authority to delete that spool file.  This is
true even if the spool file is put into an outq to which the user has
*EXCLUDE authority (They can use commands like WRKJOB and WRKSPLF to hammer
it).  Ownership of a spool file confers *ALL authority to that file.

The only ways I've found to prevent inadvertant deletes are

A) Duplicate the spool file into a safe place either through the use of the
DTAQ support and SNDNETSPLF, or through some utility that copies the spool
file to a database file such as the TAATOOL DSPSPLCTL.  In order for the
spool file to be safe you must perfrom the duplication with a "production
profile" (as opposed to some user's profile) and the 'to' out queue must be
secured against public access.

OR

B) Write a validity checker program for the DLTSPLF command that specifies
that only user X can delete spoolfile Y.  Or only user X can delete spool
files from outq Z.  However, this merely inhibits well intentioned users
because it does not prevent other deleting acvtivities such as CLROUTQ, etc.


hth,


jte


--

John Earl       Lighthouse Software Inc.
8514 71st NW    Gig Harbor, WA 98335
253-858-7388    johnearl@lns400.com

Without Lighthouse Network Security/400, your AS/400 is wide open.

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---


This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].