Secure Sensitive Reports with Output Queue Authority by User

Article ID: 57475

We all hear that we need to better protect our "sensitive" data. We hear the words sensitive data and immediately turn our attention to our DB2 tables or data physical files. We may make the intense effort required to secure our files and even encrypt the data as it sits in the files.

But when we talk about sensitive data, we often forget that sensitive data is used as the input for our sensitive reports!

Do we secure our output queues and spooled file reports? Naaaa… Well, these spooled files contain the sensitive data that we are trying to protect at the file or field level.

The command presented in this tip lets you easily view a user's authorities to spooled files sitting in output queues. Can the user view, change, delete, or send the spooled file? Can the user view and print the sensitive report?

Do not be lulled into a false sense of security by simply securing your files--you must also secure your sensitive reports. Remember, these reports contain the sensitive data too!

About the WRKOUTQAUT Command

The Work with Output Queue Authority (WRKOUTQAUT) command is, in essence, an update and enhancement of the DSPOUTQAUT command initially published in System iNEWS in August 1994. This updated version uses APIs instead of CL command outfiles. As a result, it executes faster, returns authority information about the selected user profiles, and applies the exact authority rules specified in Appendix D of the iSeries Security Reference for each output queue and spooled file command involved (as opposed to the more generic rules in the iSeries Security Reference's Authority Required to Perform Printing Functions table; see the links at the end of this article for the details).

The WRKOUTQAUT command also lets you position the Work with panel to a specified user profile. It also lets you change the user profile selection criteria from that panel. Here's the WRKOUTQAUT command prompt:


                    Work with OUTQ Authorities (WRKOUTQAUT)
                                                               
Type choices, press Enter.

Output queue . . . . . . .   ______        Name
  Library  . . . . . . . .     *LIBL__     Name, *LIBL, *CURLIB
User profile . . . . . . .   *ALL___       Name, generic*, *ALL
Output . . . . . . . . . .   *____         *, *PRINT

You specify the output queue name, the user profile selection criteria, and whether the resulting list should be printed or displayed in a Work with panel. Online command help text (F1) specifying all the details is of course provided.

The Work with panel has three views. The first view displays the output queue-related authorities. The second view displays the spooled file-related authorities as well as the user profile's output queue authority and the source of that authority (e.g., *PRIVATE, *GROUP, *PUBLIC). The third view displays the user profile's authority-related attributes (e.g., user class, group profile, special authority).

Again, comprehensive screen help text is provided to explain all the sections and columns of the Work with panel, including text to explain the different authority requirements of each individual output queue and spooled file authority type. Place the cursor on a column or column heading and press F1 to see this documentation. Here's an example of the first Work with panel view:


                       Work with Output Queue Authorities              NOVASTAR
                                                             14-07-07  11:09:35
 Output queue . . . . :   QPRINT          Queue owner  . . . . :   QPGMR
   Library  . . . . . :     QGPL          Public authority . . :   *USE
                                          Authorization list . :   *NONE
 User profile . . . . .   Q*_____
                                          Position to  . . . . . _____
 Type options, press Enter.
   2=Change user   5=Display user   7=Grant authority   8=Revoke authority

      User        -----------------------Output Queue------------------------
 Opt  Profile     Start Writer   Add Spool   Work with   Clr/Hld/Rls   Change
 __   QADMIN         *NO          *YES        *YES         *NO         *NO
 __   QAUTPROF       *NO          *YES        *YES         *NO         *NO
 __   QBRMS          *NO          *YES        *YES         *NO         *NO
 __   QCLUMGT        *NO          *YES        *YES         *NO         *NO
 __   QCLUSTER       *NO          *YES        *YES         *NO         *NO
 __   QCOLSRV        *NO          *YES        *YES         *NO         *NO
                                                                        More...
 Parameters or command
 ===> _________________________________
 F3=Exit      F5=Refresh   F6=Change output queue      F11=Spooled file auth   
 F12=Cancel   F15=Work with output queue description   F24=More keys

A number of function keys are also provided as shortcuts to related CL commands, including the Change Output Queue (CHGOUTQ), Work with Output Queue Description (WRKOUTQD), Change Object Owner (CHGOBJOWN), Edit Object Authority (EDTOBJAUT), and Edit Authorization List (EDTAUTL) commands.
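The output queue attributes and object authority that determine what the panel reports can also be set directly in CL. The following is an added example, not part of the original article or the WRKOUTQAUT source: it creates a dedicated queue for sensitive reports instead of leaving them on a queue like the QGPL/QPRINT shown above with public authority *USE. The names PAYLIB, PAYRPT, and PAYCLERK are hypothetical, and the library is assumed to exist.

```cl
/* Added example: dedicated output queue for sensitive reports.     */
/* PAYLIB, PAYRPT and PAYCLERK are hypothetical names.              */
PGM

  /* DSPDTA(*OWNER): only the owner of a spooled file (or a user    */
  /*   with *SPLCTL special authority) can display, copy or send it.*/
  /* OPRCTL(*NO):    *JOBCTL special authority alone gives no       */
  /*   control over the queue or the spooled files on it.           */
  /* AUTCHK(*DTAAUT): controlling all spooled files on the queue    */
  /*   requires *READ, *ADD and *DLT authority to the queue.        */
  /* AUT(*EXCLUDE):  *PUBLIC gets no access to the queue.           */
  CRTOUTQ    OUTQ(PAYLIB/PAYRPT) DSPDTA(*OWNER) OPRCTL(*NO) +
               AUTCHK(*DTAAUT) AUT(*EXCLUDE) +
               TEXT('Sensitive payroll reports')

  /* *USE lets the named profile place its own spooled files on the */
  /* queue; with DSPDTA(*OWNER) it still cannot view other users'   */
  /* reports.                                                       */
  GRTOBJAUT  OBJ(PAYLIB/PAYRPT) OBJTYPE(*OUTQ) +
               USER(PAYCLERK) AUT(*USE)

  /* Print the resulting object authorities for the audit file.     */
  DSPOBJAUT  OBJ(PAYLIB/PAYRPT) OBJTYPE(*OUTQ) OUTPUT(*PRINT)

  /* Next step: run WRKOUTQAUT against PAYLIB/PAYRPT and check the  */
  /* third view for profiles holding *SPLCTL or *JOBCTL special     */
  /* authority; *SPLCTL is not limited by the settings above.       */

ENDPGM
```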

The WRKOUTQAUT command includes the following source code:

CBX971  -- RPGLE -- Work with Output Queue Authorities - CPP
CBX971H -- PNLGRP -- Work with Output Queue Authorities - Help
CBX971P -- PNLGRP -- Work with Output Queue Authorities - Panel Group
CBX971V -- RPGLE -- Work with Output Queue Authorities - VCP
CBX971X -- CMD -- Work with Output Queue Authorities
CBX971M -- CLP -- Work with Output Queue Authorities - Build command 

Compilation instructions are in the source headers. Compiling and running the CBX971M CL program builds all command objects for you--just follow the instructions in the CBX971M source header.

This is an encore presentation of the updated WRKOUTQAUT command presented first in August of 2007. In case you missed it then, get the code now and secure the output queues on your system.

Download a zip file with all the source code.

Further Output Queue and Spooled File Authority Documentation

iSeries Security Reference V5R4 (PDF)

  • Securing Spooled Files, starting on page 186
  • Table 118. Authority Required to Perform Printing Functions, pages 187-189
  • Appendix D. Authority Required for Objects Used by Commands--Output Queue Commands, pages 407-408
  • Authority Required for Objects Used by Commands--Spooled File Commands, pages 432-434
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/books/sc415302.pdf

i5/OS Information Center V5R4, Planning Printer and Printer Output Queue Security:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzamv/rzamvplanprintsec.htm

i5/OS Information Center V5R4, System i Spooled File Security:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzalu/rzaluspsec.htm

Note: As with all new programs, test these routines thoroughly before placing them into a production environment. No warranty is expressed or implied.
