<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Spooled file security</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>

<a name="rzaluspsec"></a>
<h4 id="rzaluspsec">Spooled file security</h4>
<p>Spooled security is primarily controlled through the output queue that
contains the spooled files. In general, there are four ways that a user can
become authorized to control a spooled file (for example, hold or release
the spooled file): </p>
<ul>
<li>User is assigned spool control authority (SPCAUT(*SPLCTL)) in the user
profile.
<p>This authority gives a user control of all spooled files in the
output queues of all libraries to which the user has *EXECUTE authority. This
authority should only be granted to appropriate users.</p></li>
<li>User is assigned job control authority (SPCAUT(*JOBCTL)) in the user profile,
the output queue is operator-controlled (OPRCTL(*YES)), and the user has *EXECUTE
authority to the library that the output queue is in.</li>
<li>User has the required object authority for the output queue. The required
object authority is specified by the AUTCHK parameter on the CRTOUTQ command.
A value of *OWNER indicates that only the owner of the output queue is authorized
to control all the spooled files on the output queue. A value of *DTAAUT
indicates that users with *CHANGE authority to the output queue are authorized
to control all the spooled files on the output queue.
<a name="wq21"></a>
<div class="notetitle" id="wq21">Note:</div>
<div class="notebody">The
specific authorities required for *DTAAUT are *READ, *ADD, and *DLT data authorities.</div></li>
<li>A user is always allowed to control the spooled files created by that
user.</li></ul>
<p>For the Copy Spooled File (CPYSPLF), Display Spooled File (DSPSPLF), and
Send Network Spooled File (SNDNETSPLF) commands, in addition to the four ways
already listed, there is an additional way a user can be authorized.</p>
<p>If DSPDTA(*YES) was specified when the output queue was created, any user
with *USE authority to the output queue is allowed to copy, display, send,
or move spooled files. The specific authority required is *READ data authority.</p>
<p>If the user is authorized to control the file by one of the four ways already
listed above, using DSPDTA(*NO) when creating the output queue will not restrict
the user from displaying, copying, or sending the file. DSPDTA authority is
only checked if the user is not otherwise authorized to the file.</p>
<p>DSPDTA(*OWNER) is more restrictive than DSPDTA(*NO). If the output queue
is created with DSPDTA(*OWNER), only the owner of the spooled file (the person
who created it) or a user with SPCAUT(*SPLCTL) can display, copy, or send
a file on that queue. Even users with SPCAUT(*JOBCTL) on an operator-controlled
(OPRCTL(*YES)) output queue cannot display, copy, move, or send spooled files
they do not own.</p>
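The control and display rules above, written out as a small decision model that can be used to reason about who may read the spooled files on a queue under each DSPDTA setting. This is an added example, not IBM code: the class and function names and the sample profiles are hypothetical, only the direct checks stated on this page are modeled, and the *EXECUTE library requirement for *SPLCTL is carried over from the first rule into the DSPDTA(*OWNER) case as an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OutQ:                          # values chosen on CRTOUTQ
    owner: str
    dspdta: str = "*NO"              # *NO, *YES or *OWNER
    oprctl: str = "*YES"             # *YES or *NO
    autchk: str = "*OWNER"           # *OWNER or *DTAAUT

@dataclass(frozen=True)
class User:
    name: str
    spcaut: frozenset = frozenset()      # special authorities in the user profile
    lib_execute: bool = True             # *EXECUTE to the output queue's library
    outq_data: frozenset = frozenset()   # data authorities to the output queue

def has_splctl(u):
    # Assumption: *EXECUTE to the library is required here as in the first rule.
    return "*SPLCTL" in u.spcaut and u.lib_execute

def can_control(u, q, creator):
    """The four ways to be authorized to hold, release, etc. a spooled file."""
    if has_splctl(u):
        return True
    if "*JOBCTL" in u.spcaut and q.oprctl == "*YES" and u.lib_execute:
        return True
    if q.autchk == "*OWNER" and u.name == q.owner:
        return True
    if q.autchk == "*DTAAUT" and {"*READ", "*ADD", "*DLT"} <= u.outq_data:
        return True
    return u.name == creator             # creators always control their own files

def can_view(u, q, creator):
    """Decision for CPYSPLF, DSPSPLF and SNDNETSPLF as the text describes it."""
    if q.dspdta == "*OWNER":             # *JOBCTL and AUTCHK rules stop applying
        return u.name == creator or has_splctl(u)
    if can_control(u, q, creator):
        return True                      # DSPDTA is not consulted at all
    return q.dspdta == "*YES" and "*READ" in u.outq_data

# Constructed sample profiles, not taken from a real system.
USERS = [
    User("PAYCLERK"),                                    # creates the spooled file
    User("OPER1", spcaut=frozenset({"*JOBCTL"})),
    User("SECADM", spcaut=frozenset({"*SPLCTL"})),
    User("GUEST", outq_data=frozenset({"*READ"})),       # e.g. public AUT(*USE)
]

def viewers(q, creator="PAYCLERK"):
    return sorted(u.name for u in USERS if can_view(u, q, creator))
```

Calling `viewers(OutQ("PAYOWN", dspdta="*NO"))` still lists the *JOBCTL operator, which is the case the DSPDTA(*NO) paragraph warns about; only DSPDTA(*OWNER) or OPRCTL(*NO) removes that profile from the result.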
<p>See the <a href="../rzahg/rzahgicsecurity.htm">Security</a> topic for details about the
authority requirements for individual commands.</p>
<p>To place a spooled file on an output queue, one of the following authorities
is required: </p>
<ul>
<li>Spool control authority (SPCAUT(*SPLCTL)) in the user profile. The user
must also have the *EXECUTE authority to the library that the output queue
is in.
<p>This authority gives a user control of all spooled files on the
system and should only be granted to appropriate users. If you have spool
control authority you can delete, move, hold, and release any spooled files
on the system. You can also change the attributes of any spooled file.</p></li>
<li>Job control authority (SPCAUT(*JOBCTL)) in the user profile and the output
queue is operator-controlled (OPRCTL(*YES)). The user must also have the *EXECUTE
authority to the library that the output queue is in.</li>
<li>*READ authority to the output queue. This authority can be given to the
public by specifying AUT(*USE) on the CRTOUTQ command.</li></ul>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>