Prevent User from Deleting Spool Files
Hi, if a user has *SPLCTL authority in their user profile, is it possible to prevent that user profile from deleting spool files without removing that authority?

Thanks

John.

 



Software/Hardware used:
AS400 OS400
ASKED: February 24, 2010  12:09 PM
UPDATED: February 24, 2010  10:05 PM

Answer Wiki:
*SPLCTL is to view others' spool files... but to delete you need higher authority.

=========================================================

From the Security Reference:

*SPLCTL Special Authority
Spool control (*SPLCTL) special authority allows the user to perform all spool control functions, such as changing, deleting, displaying, holding and releasing spooled files. The user can perform these functions on all output queues, regardless of any authorities for the output queue or the OPRCTL parameter for the output queue. *SPLCTL special authority also allows the user to manage job queues, including holding, releasing, and clearing the job queue. The user can perform these functions on all job queues, regardless of any authorities for the job queue or the OPRCTL parameter for the job queue.
Risks: The user with *SPLCTL special authority can perform any operation on any spooled file in the system. Confidential spooled files cannot be protected from a user with *SPLCTL special authority.

The only way to control a user with *SPLCTL is to ensure that no command is available that allows access to jobs or spooled files. It doesn't matter if the output queue or the output queue library authorities lock everyone out, nor what the outq attributes are. It doesn't matter if the owner of the spooled file is *ALLOBJ. A *SPLCTL user can still access and delete the spooled files as long as there is access to commands such as WRKSPLF. Special authorities are called "special" because they override all other authorities within their scope.

Tom
Last Wiki Answer Submitted:  February 24, 2010  8:05 pm  by  TomLiotta   108,360 pts.
All Answer Wiki Contributors:  TomLiotta   108,360 pts. , jinteik   15,485 pts.
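Since the answer above says *SPLCTL overrides every other authority on spooled files, the practical control is to know exactly who holds it. The following is an added audit query, not part of the original thread or IBM's documentation; it assumes an IBM i release that provides the QSYS2.USER_INFO service (its AUTHORIZATION_NAME, STATUS, SPECIAL_AUTHORITIES and GROUP_PROFILE_NAME columns). The second query goes slightly beyond the thread by also catching users who inherit *SPLCTL from a group profile rather than holding it directly.

```sql
-- Added example (not from the original thread). Assumes QSYS2.USER_INFO
-- is available on this IBM i release.

-- 1. User profiles that hold *SPLCTL directly. The special authorities are
--    stored as a blank-separated list, so a LIKE match is used.
SELECT AUTHORIZATION_NAME,
       STATUS,
       SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*SPLCTL%'
 ORDER BY AUTHORIZATION_NAME;

-- 2. Users that do NOT hold *SPLCTL themselves but get it through their
--    primary group profile; these are easy to miss in a profile-by-profile
--    review. (Supplemental groups would need the same check against
--    SUPPLEMENTAL_GROUP_LIST.)
SELECT u.AUTHORIZATION_NAME,
       u.GROUP_PROFILE_NAME,
       g.SPECIAL_AUTHORITIES AS GROUP_SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO u
  JOIN QSYS2.USER_INFO g
    ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
 WHERE g.SPECIAL_AUTHORITIES LIKE '%*SPLCTL%'
   AND u.SPECIAL_AUTHORITIES NOT LIKE '%*SPLCTL%'
 ORDER BY u.AUTHORIZATION_NAME;
```

On older releases without the USER_INFO service, the same list can be produced with DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) and a query on the UPSPAU (special authorities) field of the outfile. Either way, the result is the list of profiles to which the "remove the special authority or remove the commands" advice above actually applies.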


Discuss This Question:


 

I have run some tests and found that a User ID with *SPLCTL only can delete spool files created by their own User ID, but not others. Is there any other way to prevent a specific User ID from deleting their own spool files or a particular spool file?

 65 pts.

 

Even if you don't have *SPLCTL, you can delete your own spool file but not others.

Question is: can this user delete spool files? Is he running on the command line?

 15,485 pts.

 

If the user has *SPLCTL, the user can perform any operation on their own spool files. The only way to prevent that is to remove that special authority.

 5,665 pts.

 

I have run some tests and found that a User ID with *SPLCTL only, can delete spool files created by their own User ID, but not others.

Have your *SPLCTL user run WRKSPLF SELECT(<otherUser>) to see if the other user’s spooled files are available or not. That’s usually the most direct route. Other routes are available, but that should be enough to demonstrate *SPLCTL power.

Tom

 108,360 pts.

 

If the user has *SPLCTL, the user can perform any operation on their own spool files.

A user doesn’t need *SPLCTL to control their own spooled files. *SPLCTL is for control of all spooled files regardless of owner.

Tom

 108,360 pts.