Spooled file security

Spooled security is primarily controlled through the output queue that contains the spooled files. In general, there are four ways that a user can become authorized to control a spooled file (for example, hold or release the spooled file):

• User is assigned spool control authority (SPCAUT(*SPLCTL)) in the user profile.

  This authority gives a user control of all spooled files in the output queues of all libraries to which the user has *EXECUTE authority. This authority should only be granted to appropriate users.

• User is assigned job control authority (SPCAUT(*JOBCTL)) in the user profile, the output queue is operator-controlled (OPRCTL(*YES)), and the user has *EXECUTE authority to the library that the output queue is in.
• User has the required object authority for the output queue. The required object authority is specified by the AUTCHK parameter on the CRTOUTQ command. A value of *OWNER indicates that only the owner of the output queue is authorized to control all the spooled files on the output queue. A value of *DTAAUT indicates that users with *CHANGE authority to the output queue are authorized to control all the spooled files on the output queue.
  Note:
  The specific authorities required for *DTAAUT are *READ, *ADD, and *DLT data authorities.
• A user is always allowed to control the spooled files created by that user.

For the Copy Spooled File (CPYSPLF), Display Spooled File (DSPSPLF), and Send Network Spooled File (SNDNETSPLF) commands, in addition to the four ways already listed, there is an additional way a user can be authorized.

If DSPDTA(*YES) was specified when the output queue was created, any user with *USE authority to the output queue is allowed to copy, display, send, or move spooled files. The specific authority required is *READ data authority.

If the user is authorized to control the file by one of the four ways already listed above, using DSPDTA(*NO) when creating the output queue will not restrict the user from displaying, copying, or sending the file. DSPDTA authority is only checked if the user is not otherwise authorized to the file.

DSPDTA(*OWNER) is more restrictive than DSPDTA(*NO). If the output queue is created with DSPDTA(*OWNER), only the owner of the spooled file (the person who created it) or a user with SPCAUT(*SPLCTL) can display, copy, or send a file on that queue. Even users with SPCAUT(*JOBCTL) on an operator-controlled (OPRCTL(*YES)) output queue cannot display, copy, move, or send spooled files they do not own.

See the Security topic for details about the authority requirements for individual commands.

To place a spooled file on an output queue, one of the following authorities is required:

• Spool control authority (SPCAUT(*SPLCTL)) in the user profile. The user must also have the *EXECUTE authority to the library that the output queue is in.

  This authority gives a user control of all spooled files on the system and should only be granted to appropriate users. If you have spool control authority you can delete, move, hold, and release any spooled files on the system. You can also change the attributes of any spooled file.

• Job control authority (SPCAUT(*JOBCTL)) in the user profile and the output queue is operator-controlled (OPRCTL(*YES)). The user must also have the *EXECUTE authority to the library that the output queue is in.
• *READ authority to the output queue. This authority can be given to the public by specifying AUT(*USE) on the CRTOUTQ command.