Planning printer and printer output queue security
Here are several key points in planning security for the printer and printer output queue, the importance of the planning tasks, and recommendations for completing the tasks.
Review the printer portion of your Physical Security Plan. Fill in the output queue section of the Printer Output and Workstation Security form as you work through this topic. You also need a plan to protect confidential information while it is printing or waiting to print. Check your Physical Security Plan for printers that your company uses for confidential output. After you plan printer output queue security, you can plan security for workstations.
- A copy of the report to be printed is held in a spooled file or printer output.
- The spooled file is stored in an object called an output queue until a printer is available.
- Spooling makes it easier to schedule printer jobs and to share printers.
- Spooling helps you protect confidential output.
- To secure the special output queue, use these commands:
  - Work with Output Queue Description (WRKOUTQD)
  - Create Output Queue (CRTOUTQ)
  - Change Output Queue (CHGOUTQ)
- On these commands, you can specify values for these key parameters:
  - DSPDTA
  - AUTCHK
  - OPRCTL
When you run a program that prints a report, the report typically does not go directly to a printer. The program creates a copy of the report, called a spooled file or printer output. The system stores the spooled file in an object called an output queue until a printer is available. When the output queue contains printer output, you can view the report at your workstation. You can also hold it or direct it to a specific printer.
Spooling makes it easier to schedule printing jobs and to share printers. Spooling also helps you protect confidential output. You can create one or more special output queues to hold confidential output and restrict who can view and manage those output queues. You can also control when confidential output is sent from the queue to a printer. Complete the Printer Output and Workstation Security form as you work through this topic.
- Display Data (DSPDTA) Parameter: The DSPDTA parameter of an output queue determines whether a user can view, send, or copy a spooled file that another user owns.
- Authority to Check (AUTCHK) Parameter: The AUTCHK parameter specifies what type of authorities to the output queue allow the user to control all the files on the queue. Users with some special authority may also be able to control the files:
  - *OWNER: The requester must have ownership authority to the output queue in order to pass the output queue authorization test. The requester can have ownership authority by being the owner of the output queue, or sharing a group profile with the queue owner, or running a program that adopts the owner's authority.
  - *DTAAUT: Any user with add, read, and delete authority to the output queue can control all spooled files on the queue.
- Operator Control (OPRCTL) Parameter: The OPRCTL parameter of an output queue determines whether users with *JOBCTL special authority or *SYSOPR user class are allowed to control the output queue, provided that the profile was created with *SYSOPR user class, and that the special authorities parameter was set to *USRCLS and has not been changed.
- Add spooled files to the queue.
- View a list of spooled files (WRKOUTQ command).
- Display, copy, or send spooled files (DSPSPLF, CPYSPLF, SNDNETSPLF, and SNDTCPSPLF commands).
- Change, delete, hold, or release spooled files (CHGSPLFA, DLTSPLF, HLDSPLF, and RLSSPLF commands).
- Change, clear, hold, and release output queue (CHGOUTQ, CLROUTQ, HLDOUTQ, and RLSOUTQ commands).
Securing spooled files
Most information that is printed on your system is stored as a spooled file on an output queue while it is waiting to print. Unless you control the security of output queues on your system, unauthorized users can display, print, and even copy confidential information that is waiting to print.
One method for protecting confidential output is to create a spooled file. For more information about parameters that control the security of a spooled file, refer to the following topics in the Printing topic in Security reference:
- Display Data (DSPDTA) parameter of output queue
- Authority to Check (AUTCHK) parameter of output queue
- Operator Control (OPRCTL) parameter of output queue
- Output queue and parameter authorities required for printing
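
The following CL program is an added example, not part of the original documentation. It shows how the DSPDTA, AUTCHK, and OPRCTL parameters described above combine on CRTOUTQ and CHGOUTQ to lock down a queue for confidential output. The library, queue, and profile names (PAYLIB, PAYOUTQ, OLDOUTQ, PAYOWNER, PAYCLERK) are hypothetical.

```cl
/* Added example. PAYLIB, PAYOUTQ, OLDOUTQ, PAYOWNER and PAYCLERK   */
/* are hypothetical names; substitute your own objects and profiles. */
PGM

/* Create a special output queue for confidential output.            */
/*   DSPDTA(*NO)    - users cannot view, send, or copy spooled       */
/*                    files that another user owns                   */
/*   AUTCHK(*OWNER) - only ownership authority to the queue lets a   */
/*                    user control all files on the queue            */
/*   OPRCTL(*NO)    - *JOBCTL special authority alone does not give  */
/*                    control of the queue                           */
/*   AUT(*EXCLUDE)  - no public authority to the queue               */
CRTOUTQ    OUTQ(PAYLIB/PAYOUTQ) DSPDTA(*NO) AUTCHK(*OWNER) +
             OPRCTL(*NO) AUT(*EXCLUDE) +
             TEXT('Confidential payroll output')

/* Give the queue a dedicated owner so the AUTCHK(*OWNER) test       */
/* passes only for that profile, members of its group, or programs   */
/* that adopt its authority.                                         */
CHGOBJOWN  OBJ(PAYLIB/PAYOUTQ) OBJTYPE(*OUTQ) NEWOWN(PAYOWNER)

/* *USE includes *READ, so the clerk's jobs can add spooled files    */
/* to the queue without being able to manage other users' files.     */
GRTOBJAUT  OBJ(PAYLIB/PAYOUTQ) OBJTYPE(*OUTQ) USER(PAYCLERK) +
             AUT(*USE)

/* Tighten an existing queue that was created with looser settings.  */
CHGOUTQ    OUTQ(PAYLIB/OLDOUTQ) DSPDTA(*NO) AUTCHK(*OWNER) +
             OPRCTL(*NO)
GRTOBJAUT  OBJ(PAYLIB/OLDOUTQ) OBJTYPE(*OUTQ) USER(*PUBLIC) +
             AUT(*EXCLUDE)

/* Review the resulting settings.                                    */
WRKOUTQD   OUTQ(PAYLIB/PAYOUTQ)

ENDPGM
```

Profiles with *SPLCTL special authority are not restricted by these queue parameters, so review which profiles hold it when you audit a confidential queue.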