This topic describes the key points in planning security for the
printer and printer output queue, the importance of the planning tasks, and
recommendations for completing the tasks.
Review the printer portion of your Physical Security Plan. Fill
in the output queue section of the Printer Output and Workstation Security
form as you work through this topic. You also need a plan to protect confidential
information while it is printing or waiting to print. Check your Physical
Security Plan for printers that your company uses for confidential output.
After you plan printer output queue security, you can plan security for workstations.
The basic printing process involves the following key points:
- A copy of the report to be printed is held in a spooled file or printer
output.
- The spooled file is stored in an object called an output queue until a
printer is available.
- Spooling makes it easier to schedule printer jobs and to share printers.
- Spooling helps you protect confidential output.
You can create one or more special output queues to hold confidential output
and restrict who can view and manage those output queues.
- To secure the special output queue, you can use these commands:
- Work with Output Queue Description (WRKOUTQD)
- Create Output Queue (CRTOUTQ)
- Change Output Queue (CHGOUTQ)
- On these commands, you can specify values for these key parameters:
When you run a program that prints a report, the report usually does not
go directly to a printer. The program creates a copy of the report, called
a spooled file or printer output. The system stores the spooled file in an
object called an output queue until a printer is available. When the output
queue contains printer output, you can view the report at your workstation.
You can also hold it or direct it to a specific printer.
Spooling makes it easier to schedule printing jobs and to share printers.
Spooling also helps you protect confidential output. You can create one or
more special output queues to hold confidential output and restrict who can
view and manage those output queues. You can also control when confidential
output is sent from the queue to a printer. Complete the Printer Output and
Workstation Security form as you work through this topic.
When you create a special output queue, you can specify several parameters
that relate to security:
- Display Data (DSPDTA) Parameter: The DSPDTA parameter of an output
queue determines whether a user can view, send, or copy a spooled file that
another user owns.
- Authority to Check (AUTCHK) Parameter: The AUTCHK parameter specifies
what type of authorities to the output queue allow the user to control all
the files on the queue. Users with some special authority may also be able
to control the files:
- *OWNER: The requester must have ownership authority to the output
queue in order to pass the output queue authorization test. The requester
can have ownership authority by being the owner of the output queue, or sharing
a group profile with the queue owner, or running a program that adopts the
owner's authority.
- *DTAAUT: Any user with add, read, and delete authority to the output
queue can control all spooled files on the queue.
- Operator Control (OPRCTL) Parameter: The OPRCTL parameter of an
output queue determines whether users with *JOBCTL special authority or *SYSOPR
user class are allowed to control the output queue, provided that the profile
was created with *SYSOPR user class, and that the special authorities parameter
was set to *USRCLS and has not been changed.
The output queue parameters, the user’s authority to the output
queue, and the user’s special authority work together to determine the functions
a user can perform on spooled files in an output queue. You can perform the
following printing functions with spooled files:
- Add spooled files to the queue.
- View a list of spooled files (WRKOUTQ command).
- Display, copy, or send spooled files (DSPSPLF, CPYSPLF, SNDNETSPLF, and
SNDTCPSPLF commands).
- Change, delete, hold, or release spooled files (CHGSPLFA, DLTSPLF, HLDSPLF,
and RLSSPLF commands).
- Change, clear, hold, and release output queue (CHGOUTQ, CLROUTO, HLDOUTQ,
and RLSOUTQ commands).
For more information on the printing commands, see the following
tables in
"Appendix D" of
iSeries™ Security Reference:
- "Output Queue Commands"
- "Spooled File Commands"
- "Writer Commands"
Securing spooled files
A
spooled file is a special type of object on the system. You cannot directly
grant and revoke authority to view and manipulate a spooled file. The authority
to a spooled file is controlled by several parameters on the output queue
that holds the spooled file.
When you create a spooled file, you are
the owner of that file. You can always view and manipulate any spooled files
you own, regardless of how the authority for the output queue is defined.
You must have *READ authority to add new entries to an output queue. If your
authority to an output queue is removed, you can still access any entries
you own on that queue using the Work with Spooled Files (WRKSPLF) command.
Most
information that is printed on your system is stored as a spooled file on
an output queue while it is waiting to print. Unless you control the security
of output queues on your system, unauthorized users can display, print, and
even copy confidential information that is waiting to print.
One method
for protecting confidential output is to create a special output queue. Send
confidential output to the output queue and control who can view and manipulate
the spooled files on the output queue. To determine where output goes, the
system looks at the printer file, job attributes, user profile, workstation
device description, and the print device (QPRTDEV) system value. See Controlling printing
to output queue or printer for more information.
If defaults
are used, the default output queue of the printer device specified in the
system value QPRTDEV printer is used.
The security parameters for an
output queue are specified using the Create Output Queue (CRTOUTQ) command
or the Change Output Queue (CHGOUTQ) command. You can display the security
parameters for an output queue using the Work with Output Queue Description
(WRKOUTQD) command.
Attention: A user with *SPLCTL special
authority can perform all functions on all entries, regardless of how the
output queue is defined. Some parameters on the output queue allow a user
with *JOBCTL special authority to view the contents of entries on the output
queue. A user with *SPLCTL cannot manipulate, display, or use spooled files
on an iASP unless the user has authority to the iASP group. A user needs *EXECUTE
authority to the primary iASP device description.
For
more information on the following subjects, see
"Printing" in Chapter
6 of the
iSeries Security
Reference:
- "Display Data (DSPDTA) parameter of output queue"
- "Authority to Check (AUTCHK) parameter of output queue"
- "Operator Control (OPRCTL) parameter of output queue"
- "Output queue and parameter authorities required for printing"
Examples: output queue
Following
are several examples of setting security parameters for output queues to meet
different requirements:
- Create a general purpose output queue. All users are allowed to display
all spooled files. The system operators are allowed to manage the queue and
change spooled files: CRTOUTQ OUTQ(QGPL/GPOUTQ) DSPDTA(*YES) OPRCTL(*YES)
AUTCHK(*OWNER) AUT(*USE)
- Create an output queue for an application. Only members of the group profile
GRPA are allowed to use the output queue. All authorized users of the output
queue are allowed to display all spooled files. System operators are not allowed
to work with the output queue: CRTOUTQ OUTQ(ARLIB/AROUTQ) DSPDTA(*NO)
OPRCTL(*NO) AUTCHK(*OWNER) AUT(*EXCLUDE)CHGOBJOWN OBJ(ARLIB/AROUTQ)
OBJTYP(*OUTQ) USER(GRPA) AUT(*CHANGE)
- Create a confidential output queue for the security officers to use when
printing information about user profiles and authorities. The output queue
is created and owned by the QSECOFR profile: CRTOUTQ OUTQ(QGPL/SECOUTQ)
DSPDTA(*OWNER) AUTCHK(*DTAAUT) OPRCTL(*NO) AUT(*EXCLUDE)Even if
the security officers on a system have *ALLOBJ special authority, they are
not able to display, copy, send, or move other user's files on the SECOUTQ
output queue.
- Create an output queue that is shared by users printing confidential files
and documents. Users can work with only their own spooled files. System operators
can work with the spooled files, but they cannot display, copy, send, or move
other user's spooled files. CRTOUTQ OUTQ(QGPL/CFOUTQ) DSPDTA(*OWNER)
AUTCHK(*OWNER) OPRCTL(*YES) AUT(*USE)