Unconfigured Ad Widget

Collapse

Announcement

Collapse
No announcement yet.

Users viewing QSECOFR's spooled files

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Users viewing QSECOFR's spooled files

    How do you know someone who doesn't have *SPLCTL or *ALLOBJ authority in their profile has been looking at these particular spool files? I guess what I'm asking is how do you know that a particular users is working with the spooled files?

  • #2
    Users viewing QSECOFR's spooled files

    Surprise, surprise. One of the people looking at the queries told me. I looked at her profile and she only has *jobctl. She does have QPGMR as a group profile, but it also only has *jobctl and *service. She said "I wondered if anyone would ever figure this out". Nice hub?

    Comment


    • #3
      Users viewing QSECOFR's spooled files

      It was just realized that some IT employees have been working with spooled files created by QSECOFR. The security officer has run many queries to address security violations. It seems that we have a nosy bunch that have been viewing them. Am I crazy? I thought users couldn't view QSECOFR's reports. These I.D.'s don't have *splctl in their profile. Any thoughts on how they're doing this? I'm stumped. Thanks.

      Comment


      • #4
        Users viewing QSECOFR's spooled files

        Joanne, You should make sure sensitive reports are in a properly secured output queue. AFAIK there is no automatic protection for spooled files owned by QSECOFR. Do a WRKOUTQD on the output queue. Use F13 to change, then F10 for additional parameters. The relevant ones are DSPDTA (Display any file) OPRCTL (Operator controlled) and AUTCHK (Authority to check). The most secure settings would be *NO *NO and *OWNER respectively, but use the F1 helps for a full description of each. These settings will affect the entire queue so you might want to create a special output queue with these attributes and ensure that all sensitive reports are routed directly there. Incidentally, do I understand correctly that you actually have someone signed on to the system and working as QSECOFR? This is not generally regarded as a good working practice. Everyone should work under an identifiable individual profile with the specific authorities they need for the job. It may be that a small number of people will need 2 profiles - 1 for everyday stuff and 1 for when they need to be God. Dave...

        Comment

        Working...
        X