Re: Securing Spool Files

["Gerald Magnuson" <magnuson@xxxxxxxxxxxxx>]

----- Original Message -----
From: John Earl <johnearl@powertechgroup.com>
To: <MIDRANGE-L@midrange.com>
Sent: Wednesday, September 08, 1999 10:49 AM
Subject: Re: Securing Spool Files


> Gerald Magnuson wrote:
>
> > I need to hide the spool files created by the Payroll Clerk,
<snip>

> More than likely it's Special Authorities that are giving your operator
the
> rights to see the payroll spool files.   If your operator has *SPLCTL
special
> authority, they will always be able to see every spool file on the system.
> *SPLCTL is is to spool files as *ALLOBJ is to objects.   If the operator
has
> *SPLCTL, you will have to remove it in order to secure your payroll
outq's.
>
> If the Operator has *JOBCTL special authority, you can secure the spool
files by
> putting them in an OUTQ created with the OPRCTL(*NO) and specifying
regular
> OS/400 authority (*PUBLIC *EXCLUDE) for the OUTQ object.
>
> Depending on how the output queue is used, you may want to also specify
the
> DSPDTA(*NO) and AUTCHK(*OWNER) parameters as well.  Press the F1 key to
see what
> those parameters will do for your security.
>

I have found that it is the special authority *JOBCTL that is giving me
trouble.  I have made
the queue with those attributes as above,  and locking out the queue works
great.
I find that with *JOBCTL authority the operators can WRKJOB (WRKUSRJOB,
WRKACTJOB,,)
and see the spool files.
    I have turned on the system auditing parm *SPLFDATA to capture any
offenses.
Thank you for your help.

Gerald Magnuson


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---