Prevent User from Deleting Spool Files

Tags: AS/400 Spool Files, OS/400
Hi, if a user has *SPLCTL authority in their User Profile, is it possible to prevent that User Profile from deleting spool files without removing that authority?

Thanks

John.

 



Software/Hardware used:
AS400 OS400

Answer Wiki


*SPLCTL is to view others' spool files... but to delete you need higher authority.

=========================================================

From the Security Reference:

*SPLCTL Special Authority

Spool control (*SPLCTL) special authority allows the user to perform all spool control functions, such as changing, deleting, displaying, holding and releasing spooled files. The user can perform these functions on all output queues, regardless of any authorities for the output queue or the OPRCTL parameter for the output queue.

*SPLCTL special authority also allows the user to manage job queues, including holding, releasing, and clearing the job queue. The user can perform these functions on all job queues, regardless of any authorities for the job queue or the OPRCTL parameter for the job queue.

Risks: The user with *SPLCTL special authority can perform any operation on any spooled file in the system. Confidential spooled files cannot be protected from a user with *SPLCTL special authority.

The only way to control a user with *SPLCTL is to ensure that no command is available that allows access to jobs or spooled files.

It doesn’t matter if the output queue or the output queue library authorities lock everyone out nor what the outq attributes are. It doesn’t matter if the owner of the spooled file is *ALLOBJ. A *SPLCTL user can still access and delete the spooled files as long as there is access to commands such as WRKSPLF.

Special authorities are called “special” because they override all other authorities within their scope.

Tom
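
An added example, not part of the original answer or of IBM's documentation: since *SPLCTL cannot be scoped and control depends on which commands a holder can reach, this Db2 for i query lists every profile that holds *SPLCTL directly or through its primary group profile, together with its limited-capabilities setting and initial menu/program. It assumes the QSYS2.USER_INFO catalog view is available on your release; supplemental groups are not checked.

```sql
-- Added example: audit *SPLCTL holders and their command-line exposure.
-- Assumption: QSYS2.USER_INFO exists on this release (it is not present
-- on older OS/400 levels). Supplemental groups are NOT evaluated here.
WITH splctl_holders AS (
    -- Profiles (user or group) that carry *SPLCTL themselves
    SELECT AUTHORIZATION_NAME
      FROM QSYS2.USER_INFO
     WHERE SPECIAL_AUTHORITIES LIKE '%*SPLCTL%'
)
SELECT u.AUTHORIZATION_NAME,
       u.STATUS,
       u.USER_CLASS_NAME,
       -- Where the authority comes from: the profile itself or its group
       CASE
           WHEN u.SPECIAL_AUTHORITIES LIKE '%*SPLCTL%' THEN 'DIRECT'
           ELSE 'PRIMARY GROUP'
       END                    AS SPLCTL_SOURCE,
       u.GROUP_PROFILE_NAME,
       -- *NO means the profile is not restricted at a command line
       u.LIMIT_CAPABILITIES,
       u.INITIAL_MENU_NAME,
       u.INITIAL_PROGRAM_NAME
  FROM QSYS2.USER_INFO u
 WHERE u.SPECIAL_AUTHORITIES LIKE '%*SPLCTL%'
    OR u.GROUP_PROFILE_NAME IN (SELECT AUTHORIZATION_NAME
                                  FROM splctl_holders)
 ORDER BY SPLCTL_SOURCE,
          u.LIMIT_CAPABILITIES,
          u.AUTHORIZATION_NAME;
```

Rows with LIMIT_CAPABILITIES of *NO are the profiles for which nothing stands between the special authority and the spooled-file commands.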

Discuss This Question: 5  Replies

  • Jkbritvic
    I have run some tests and found that a User ID with *SPLCTL only can delete spool files created by their own User ID, but not others. Is there any other way to prevent a specific User ID from deleting their own spool files or a particular spool file?
  • jinteik
    If you don't have *SPLCTL you can even delete your own spool file and not others. The question is, can this user delete spool files? Is he running on a command line?
  • Whatis23
    If the user has *SPLCTL, the user can perform any operation on their own spool files. The only way to prevent that is to remove that special authority.
  • TomLiotta
    "I have run some tests and found that a User ID with *SPLCTL only, can delete spool files created by their own User ID, but not others."
    Have your *SPLCTL user run WRKSPLF SELECT(<otherUser>) to see if the other user's spooled files are available or not. That's usually the most direct route. Other routes are available, but that should be enough to demonstrate *SPLCTL power.
    Tom
  • TomLiotta
    "If the user has *SPLCTL, the user can perform any operation on their own spool files."
    A user doesn't need *SPLCTL to control their own spooled files. *SPLCTL is for control of all spooled files regardless of owner.
    Tom
