Q: Four users in our Payroll department are members of a group profile that includes users from the Human Resources department. When any one of these four users runs the payroll reports, the remaining three Payroll members of the group profile should be able to view the payroll information on an output queue. Because of its sensitive nature, no one else should be able to view payroll information, including the printed output.
I limited access to the payroll files so that the Human Resources members of the group profile cannot view them. How can I secure the printed output so that any of the four users of the Payroll department can run and view the reports? When I attempted to secure the output queue, only the person that ran the payroll could view the reports.
A: Since the Payroll personnel (P1, P2, P3, P4) have a group profile that is a mixture of the users authorized to the payroll data and those that should not view the data, you cannot authorize the group profile to the output queue. Create the output queue PAYROLL using the following command:
CRTOUTQ OUTQ(PAYROLL) +
  DSPDTA(*NO) OPRCTL(*NO) +
  AUTCHK(*OWNER) AUT(*EXCLUDE)
Then authorize the individual users in the payroll area to the output queue with this command:
GRTOBJAUT OBJ(PAYROLL) +
  OBJTYPE(*OUTQ) AUT(*CHANGE) +
  USER(P1 P2 P3 P4)
Granting *CHANGE authority to users P1, P2, P3 and P4 for the PAYROLL output queue allows these users to add spooled files and access the PAYROLL output queue. Users can view their own files, but they cannot view files on the queue created by other users. For example, user P1 cannot view printed output created by user P2. Only the owner of the output queue (PAYMGR) and users with *SPLCTL authority will be able to view all of the files on the queue.
You can allow users to view the output created by other users by writing the simple CL program, DSPPAY, shown in Figure 1. The program should adopt its owner's user profile. Use the following command to change the owner of the program to PAYMGR, the owner of the PAYROLL output queue.
CHGOBJOWN OBJ(DSPPAY) +
  OBJTYPE(*PGM) NEWOWN(PAYMGR)
Grant each of the users (P1, P2, P3 and P4) access to the program with this command:
GRTOBJAUT OBJ(DSPPAY) +
  OBJTYPE(*PGM) AUT(*USE) +
  USER(P1 P2 P3 P4)
You can simplify the user interface for the Payroll users by giving them a menu option that calls the program shown in Figure 1.
Q: Can the audit features in V2R3 allow me to audit which user profiles sign on at a specific device?
A: Yes. You should do this by auditing job actions rather than auditing the specific device. Using job auditing creates an audit entry for job actions such as the start and end of each job or for each change, hold or release of a job. The audit entries for job start give the name of the device so you can select these entries by job name. This method produces several journal entries because all jobs are recorded and each job has at least two entries: job start and end.
A special authority of *AUDIT is required to activate job auditing. If you want to audit jobs that affect device DSP022, you first add the *JOBDTA auditing option to the security auditing level (QAUDLVL) system value to audit job data.
CHGSYSVAL SYSVAL(QAUDLVL) +
  VALUE(*JOBDTA)
Then you set the auditing control (QAUDCTL) system value to activate job auditing through the QAUDLVL system value.
CHGSYSVAL SYSVAL(QAUDCTL) +
  VALUE(*AUDLVL)
Since the QAUDLVL system value is *JOBDTA, this creates an audit entry for all jobs. You will need to select the specific device DSP022 from the data produced in the QAUDJRN journal in QSYS library.
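One way to make that selection, as an added example rather than commands from the original column. It assumes a work library named AUDLIB and an outfile named JSENTRIES (both hypothetical), and that the IBM-supplied model outfile QSYS/QASYJSJE for JS (job change) entries is present on your release.

```cl
/* Assumption: AUDLIB and JSENTRIES are hypothetical names.    */
/* Assumption: model outfile QSYS/QASYJSJE exists on your      */
/* release; it supplies the field layout for JS audit entries. */

/* 1. Copy the model outfile so the JS entry data arrives as   */
/*    named fields instead of one unformatted block.           */
CRTDUPOBJ OBJ(QASYJSJE) FROMLIB(QSYS) +
  OBJTYPE(*FILE) TOLIB(AUDLIB) +
  NEWOBJ(JSENTRIES)

/* 2. Extract only the job (JS) audit entries from QAUDJRN.    */
/*    This leaves out the other entry types in the journal.    */
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE(T) +
  ENTTYP(JS) OUTPUT(*OUTFILE) +
  OUTFILE(AUDLIB/JSENTRIES)

/* 3. Query the outfile. RCDSLT(*YES) prompts for record       */
/*    selection, where you select the job start entries whose  */
/*    device name is DSP022. The user profile field on those   */
/*    records shows who signed on at the device.               */
RUNQRY QRYFILE((AUDLIB/JSENTRIES)) +
  RCDSLT(*YES)
```

Restrict AUDLIB to the same users who are allowed to read QAUDJRN, since the outfile carries a copy of the audit data.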
Security Patrol: Security Questions & Answers
Figure 1 CL Pgm Access to All Files on PAYROLL Output Queue
/*===========================================================*/
/* To compile:                                               */
/*                                                           */
/*    CRTCLPGM PGM(DSPPAY) SRCFILE(XXX/QCLSRC) +             */
/*             USRPRF(*OWNER) AUT(*EXCLUDE)                  */
/*                                                           */
/*===========================================================*/
PGM
   /* Runs under the adopted authority of the program owner,  */
   /* so the caller can work with all files on PAYROLL.       */
   WRKOUTQ OUTQ(PAYROLL)
ENDPGM