<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Spooled file security</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzaluspsec"></a>
<h4 id="rzaluspsec">Spooled file security</h4>
<p>Spooled file security is primarily controlled through the output queue that
contains the spooled files. In general, there are four ways that a user can
become authorized to control a spooled file (for example, to hold or release
the spooled file): </p>
<ul>
<li>User is assigned spool control authority (SPCAUT(*SPLCTL)) in the user
profile.
<p>This authority gives a user control of all spooled files in the
output queues of all libraries to which the user has *EXECUTE authority. This
authority should only be granted to appropriate users.</p></li>
<li>User is assigned job control authority (SPCAUT(*JOBCTL)) in the user profile,
the output queue is operator-controlled (OPRCTL(*YES)), and the user has *EXECUTE
authority to the library that the output queue is in.</li>
<li>User has the required object authority for the output queue. The required
object authority is specified by the AUTCHK parameter on the CRTOUTQ command.
A value of *OWNER indicates that only the owner of the output queue is authorized
to control all the spooled files on the output queue. A value of *DTAAUT
indicates that users with *CHANGE authority to the output queue are authorized
to control all the spooled files on the output queue.
<a name="wq21"></a>
<div class="notetitle" id="wq21">Note:</div>
<div class="notebody">The
specific authorities required for *DTAAUT are *READ, *ADD, and *DLT data authorities.</div></li>
<li>A user is always allowed to control the spooled files created by that
user.</li></ul>
<p>For the Copy Spooled File (CPYSPLF), Display Spooled File (DSPSPLF), and
Send Network Spooled File (SNDNETSPLF) commands, there is one more way a user
can be authorized, in addition to the four ways already listed.</p>
<p>If DSPDTA(*YES) was specified when the output queue was created, any user
with *USE authority to the output queue is allowed to copy, display, send,
or move spooled files. The specific authority required is *READ data authority.</p>
<p>If the user is authorized to control the file by one of the four ways already
listed, using DSPDTA(*NO) when creating the output queue will not restrict
the user from displaying, copying, or sending the file. DSPDTA authority is
only checked if the user is not otherwise authorized to the file.</p>
<p>DSPDTA(*OWNER) is more restrictive than DSPDTA(*NO). If the output queue
is created with DSPDTA(*OWNER), only the owner of the spooled file (the person
who created it) or a user with SPCAUT(*SPLCTL) can display, copy, or send
a file on that queue. Even users with SPCAUT(*JOBCTL) on an operator-controlled
(OPRCTL(*YES)) output queue cannot display, copy, move, or send spooled files
they do not own.</p>
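<p>The following Python model is an added example, not IBM code: it encodes the control and DSPDTA rules described above so that the effect of each DSPDTA value on a queue can be compared side by side. The user names, the queue owner, and the reading that *SPLCTL still needs *EXECUTE to the library under DSPDTA(*OWNER) are assumptions.</p>

```python
from dataclasses import dataclass, field

@dataclass
class OutQ:
    owner: str
    oprctl: str = "*YES"    # OPRCTL value on the output queue
    autchk: str = "*OWNER"  # AUTCHK value
    dspdta: str = "*NO"     # DSPDTA value

@dataclass
class User:
    name: str
    spcaut: set = field(default_factory=set)     # SPCAUT values in the user profile
    lib_execute: bool = True                     # *EXECUTE to the queue's library
    outq_data: set = field(default_factory=set)  # data authorities to the queue

def can_control(user, outq, splf_owner):
    """The four ways to control (hold, release, ...) a spooled file."""
    if "*SPLCTL" in user.spcaut and user.lib_execute:
        return True
    if "*JOBCTL" in user.spcaut and outq.oprctl == "*YES" and user.lib_execute:
        return True
    if outq.autchk == "*OWNER" and user.name == outq.owner:
        return True
    if outq.autchk == "*DTAAUT" and {"*READ", "*ADD", "*DLT"} <= user.outq_data:
        return True
    return user.name == splf_owner  # creators always control their own files

def can_view(user, outq, splf_owner):
    """CPYSPLF / DSPSPLF / SNDNETSPLF check, including the DSPDTA rules."""
    if outq.dspdta == "*OWNER":
        # Only the file's owner or *SPLCTL (library *EXECUTE assumed); not *JOBCTL.
        return user.name == splf_owner or ("*SPLCTL" in user.spcaut and user.lib_execute)
    if can_control(user, outq, splf_owner):
        return True  # DSPDTA(*NO) does not restrict an otherwise authorized user
    return outq.dspdta == "*YES" and "*READ" in user.outq_data

# Constructed sample users: an operator, a clerk with *USE, and the file's creator.
USERS = [User("OPER1", spcaut={"*JOBCTL"}),
         User("CLERK1", outq_data={"*READ"}),
         User("PAYUSR")]

def dspdta_matrix():
    """Who can view PAYUSR's spooled file for each DSPDTA value on the same queue."""
    return {v: sorted(u.name for u in USERS if can_view(u, OutQ("PAYADM", dspdta=v), "PAYUSR"))
            for v in ("*NO", "*YES", "*OWNER")}

if __name__ == "__main__":
    for value, names in dspdta_matrix().items():
        print(f"DSPDTA({value}): {names}")
```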
<p>See the <a href="../rzahg/rzahgicsecurity.htm">Security</a> topic for details about the
authority requirements for individual commands.</p>
<p>To place a spooled file on an output queue, one of the following authorities
is required: </p>
<ul>
<li>Spool control authority (SPCAUT(*SPLCTL)) in the user profile. The user
must also have the *EXECUTE authority to the library that the output queue
is in.
<p>This authority gives a user control of all spooled files on the
system and should only be granted to appropriate users. If you have spool
control authority you can delete, move, hold, and release any spooled files
on the system. You can also change the attributes of any spooled file.</p></li>
<li>Job control authority (SPCAUT(*JOBCTL)) in the user profile and the output
queue is operator-controlled (OPRCTL(*YES)). The user must also have the *EXECUTE
authority to the library that the output queue is in.</li>
<li>*READ authority to the output queue. This authority can be given to the
public by specifying AUT(*USE) on the CRTOUTQ command.</li></ul>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>