Planning printer and printer output queue security

 

This topic describes the key points in planning security for the printer and printer output queue, the importance of the planning tasks, and recommendations for completing the tasks.

Review the printer portion of your Physical Security Plan. Fill in the output queue section of the Printer Output and Workstation Security form as you work through this topic. You also need a plan to protect confidential information while it is printing or waiting to print. Check your Physical Security Plan for printers that your company uses for confidential output. After you plan printer output queue security, you can plan security for workstations.

The basic printing process involves the following key points:

You can create one or more special output queues to hold confidential output and restrict who can view and manage those output queues.

When you run a program that prints a report, the report usually does not go directly to a printer. The program creates a copy of the report, called a spooled file or printer output. The system stores the spooled file in an object called an output queue until a printer is available. When the output queue contains printer output, you can view the report at your workstation. You can also hold it or direct it to a specific printer.

Spooling makes it easier to schedule printing jobs and to share printers. Spooling also helps you protect confidential output. You can create one or more special output queues to hold confidential output and restrict who can view and manage those output queues. You can also control when confidential output is sent from the queue to a printer. Complete the Printer Output and Workstation Security form as you work through this topic.

When you create a special output queue, you can specify several parameters that relate to security:

The output queue parameters, the user’s authority to the output queue, and the user’s special authority work together to determine the functions a user can perform on spooled files in an output queue. You can perform the following printing functions with spooled files:

For more information on the printing commands, see the following tables in "Appendix D" of iSeries™ Security Reference:

 

Securing spooled files

A spooled file is a special type of object on the system. You cannot directly grant and revoke authority to view and manipulate a spooled file. The authority to a spooled file is controlled by several parameters on the output queue that holds the spooled file.

When you create a spooled file, you are the owner of that file. You can always view and manipulate any spooled files you own, regardless of how the authority for the output queue is defined. You must have *READ authority to add new entries to an output queue. If your authority to an output queue is removed, you can still access any entries you own on that queue using the Work with Spooled Files (WRKSPLF) command.

Most information that is printed on your system is stored as a spooled file on an output queue while it is waiting to print. Unless you control the security of output queues on your system, unauthorized users can display, print, and even copy confidential information that is waiting to print.

One method for protecting confidential output is to create a special output queue. Send confidential output to the output queue and control who can view and manipulate the spooled files on the output queue. To determine where output goes, the system looks at the printer file, job attributes, user profile, workstation device description, and the print device (QPRTDEV) system value. See Controlling printing to output queue or printer for more information.

If defaults are used, output goes to the default output queue of the printer device specified in the QPRTDEV system value.

The security parameters for an output queue are specified using the Create Output Queue (CRTOUTQ) command or the Change Output Queue (CHGOUTQ) command. You can display the security parameters for an output queue using the Work with Output Queue Description (WRKOUTQD) command.

A user with *SPLCTL special authority can perform all functions on all entries, regardless of how the output queue is defined. Some parameters on the output queue allow a user with *JOBCTL special authority to view the contents of entries on the output queue. A user with *SPLCTL cannot manipulate, display, or use spooled files on an iASP unless the user has authority to the iASP group. A user needs *EXECUTE authority to the primary iASP device description.
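The following CL sequence is an added example, not part of the original IBM topic. It shows one way to set up a restricted output queue with the commands named above. The library PAYLIB, the queue CONFOUTQ, and the user profile PAYCLERK are hypothetical names, and the example assumes PAYCLERK already has authority to the library.

```cl
/* Added example. PAYLIB, CONFOUTQ and PAYCLERK are hypothetical names. */

/* Create the confidential queue.                                       */
/*   AUT(*EXCLUDE)   - the public has no authority to the queue.        */
/*   DSPDTA(*NO)     - users cannot display, copy, or send the data in  */
/*                     spooled files that they do not own.              */
/*   OPRCTL(*NO)     - *JOBCTL special authority alone gives no control */
/*                     over this queue or its entries.                  */
/*   AUTCHK(*OWNER)  - only the owner of the queue passes the check to  */
/*                     control all spooled files on it.                 */
CRTOUTQ OUTQ(PAYLIB/CONFOUTQ) +
        DSPDTA(*NO) +
        OPRCTL(*NO) +
        AUTCHK(*OWNER) +
        AUT(*EXCLUDE) +
        TEXT('Confidential output - restricted')

/* Let the payroll clerk add entries to the queue. *USE includes the    */
/* *READ authority that is required to add new entries.                 */
GRTOBJAUT OBJ(PAYLIB/CONFOUTQ) OBJTYPE(*OUTQ) +
          USER(PAYCLERK) AUT(*USE)

/* Route the clerk's printer output to the queue through the user       */
/* profile, one of the places the system checks when it decides where   */
/* output goes.                                                         */
CHGUSRPRF USRPRF(PAYCLERK) OUTQ(PAYLIB/CONFOUTQ)

/* Verify the result: security parameters of the queue, then the list   */
/* of users who hold authority to it.                                   */
WRKOUTQD OUTQ(PAYLIB/CONFOUTQ)
DSPOBJAUT OBJ(PAYLIB/CONFOUTQ) OBJTYPE(*OUTQ)
```

These settings do not restrict a user with *SPLCTL special authority, so the set of profiles that hold *SPLCTL needs its own review.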

For more information on the following subjects, see "Printing" in Chapter 6 of the iSeries Security Reference:

 

Examples: output queue

Following are several examples of setting security parameters for output queues to meet different requirements:

For more information, see Securing your printer output queue.

Worksheet needed: Printer output queue security worksheet

 
