• Subject: Re: Protection for spool files?
  • From: John Earl <johnearl@xxxxxxxxxx>
  • Date: Mon, 26 Jan 1998 10:07:42 -0800

At 10:35 AM 1/20/98 -0500, you wrote:
>My operator recently had the following problem:
>A user deleted our water & sewer bills in an attempt to get rid of one of
>their print jobs. Is there a way to allow user to be "empowered" yet protect
>our important jobs?

I haven't found a way to give users authority to control printers and yet not
enough authority to delete spool files.  The problem is that once a printer
prints a file, the file is deleted from the outq.  This implies that anyone
who can print a file has the ability to delete it.

Additionally, one of the rules of spool files is that a user that creates a
spool file will always have authority to delete that spool file.  This is
true even if the spool file is put into an outq to which the user has
*EXCLUDE authority (They can use commands like WRKJOB and WRKSPLF to hammer
it).  Ownership of a spool file confers *ALL authority to that file.

The only ways I've found to prevent inadvertent deletes are

A) Duplicate the spool file into a safe place either through the use of the
DTAQ support and SNDNETSPLF, or through some utility that copies the spool
file to a database file such as the TAATOOL DSPSPLCTL.  In order for the
spool file to be safe you must perform the duplication with a "production
profile" (as opposed to some user's profile) and the 'to' out queue must be
secured against public access.


B) Write a validity checker program for the DLTSPLF command that specifies
that only user X can delete spoolfile Y.  Or only user X can delete spool
files from outq Z.  However, this merely inhibits well intentioned users
because it does not prevent other deleting activities such as CLROUTQ, etc.




John Earl       Lighthouse Software Inc.
8514 71st NW    Gig Harbor, WA 98335
253-858-7388    johnearl@lns400.com

Without Lighthouse Network Security/400, your AS/400 is wide open.

| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
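
Option A in the message above depends on a 'to' out queue that is secured against public access and filled by a production profile. The CL below is an added example, not part of the original message or the poster's own code, showing one way to create such a queue; the names PRODLIB, SAFEQ and PRODOWNER are hypothetical.

```cl
/* Added example. PRODLIB, SAFEQ and PRODOWNER are hypothetical names.   */

/* Create the protected queue:                                           */
/*   AUT(*EXCLUDE)   - no public authority to the queue object           */
/*   OPRCTL(*NO)     - *JOBCTL special authority alone does not allow    */
/*                     managing spool files on this queue                */
/*   AUTCHK(*OWNER)  - only the owner of the queue passes the queue      */
/*                     authorization test for other users' spool files   */
/*   DSPDTA(*NO)     - other users cannot display, copy or send files    */
/*                     they do not own                                   */
CRTOUTQ    OUTQ(PRODLIB/SAFEQ) +
             TEXT('Protected copies of production spool files') +
             DSPDTA(*NO) OPRCTL(*NO) AUTCHK(*OWNER) AUT(*EXCLUDE)

/* Make the production profile the owner and drop the creator's rights.  */
CHGOBJOWN  OBJ(PRODLIB/SAFEQ) OBJTYPE(*OUTQ) +
             NEWOWN(PRODOWNER) CUROWNAUT(*REVOKE)

/* Review the result: *PUBLIC should show *EXCLUDE and no end-user       */
/* profile should hold a private authority.                              */
DSPOBJAUT  OBJ(PRODLIB/SAFEQ) OBJTYPE(*OUTQ)
```

The copy placed on this queue must be created by PRODOWNER, since, as the message notes, the creator of a spool file can always delete it. Profiles with *SPLCTL special authority are not restricted by these settings.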
