This chapter explains how to manage printers and output queues in such a way that users can always get their work done without compromising security. Because the administrative side of printing is so closely related to security features, this chapter can be considered a continuation of the previous chapter.
Printed output always goes to an output queue. It never goes directly to a printer, aside from a few exceptional cases. For all intents and purposes, you should concern yourself primarily with output queues when you manage printed output.
In addition to the system-provided output queues (such as QPRINT), you can use the following output queues:
Output queues named after each printer device. These output queues are created automatically when you run the Create Device Printer (CRTDEVPRT) command to configure a new printer. You then can direct output to those output queues whenever you want the output to be printed at that specific printer.
Output queues named after some departments. A few departments in your organization may need to collect reports in separate areas, such as output queues. Any department that produces confidential information is a good candidate; for example, Human Resources and Finance. Give these output queues meaningful names such as HUMRES or FINANCE.
Output queues named for programmers. Programmers generate a great deal of printed output, most of which they don't really use. For example, all compiles produce printed output, and yet all the programmer may need to see is the end of it, where the system lists the errors. These can be displayed instead of printed. You can save an enormous amount of paper by creating output queues for your programmers. Name these output queues after the programmer's user profile, or use something like PGMROUTQ if you would rather have only one.
An output queue named for reports to be held for long periods of time. Some companies need to generate reports at month end, but do not want to print them right away. These reports can be kept on hold, but doing so clutters the output queue, and the danger always exists of someone deleting the report by accident. With an output queue destined solely for the purpose of storing held reports, you avoid this danger. Name this output queue ONHOLD.
By the same token, you could have an output queue for reports that have been printed and are saved for the same reasons. Name it SAVED or something of that nature.
An output queue for reports that are generated by scheduled jobs, but no longer needed by any users. It is often easier to redirect a report to such an output queue than to stop the program from generating it.
Aside from the output queues created for each printer device, you can place your output queues in the same library. The library you choose is entirely up to you.
Use any library that is in everyone's library list if you want to save your users the effort of qualifying the name.
A viable suggestion is to create a special library for company-wide objects that help manage the system. You can name it COMPANY or something like MGTLIB (Management Library).
Always keep an eye on system security. If the Human Resources department requests to print a report that lists the salaries of all employees and directs that report to their own output queue, anyone with *JOBCTL or *SPLCTL special authority can still display the report at any display station, or even change the report so that it prints somewhere else.
Because your system operators need *JOBCTL special authority to perform their duties, they are, by default, authorized to manipulate all printed output in every form. You must take special measures to protect sensitive reports from being viewed, either by accident or intentionally.
Use the following parameters of the Create Output Queue (CRTOUTQ) or Change Output Queue (CHGOUTQ) command to protect certain output queues:
DSPDTA (display data). A value of *YES means that anyone can use option 5 to display any spool file contained in the output queue. A value of *NO (the default) means that the only people authorized to use option 5 are the creator of the report and users who have *JOBCTL or *SPLCTL special authority in their user profiles, such as system operators.
OPRCTL (operator control). A value of *YES (the default) means that users with *JOBCTL special authority can control all spool files contained in the output queue. Users can change, display, delete, and put them on hold. A value of *NO means that the creator of the report and users with *SPLCTL special authority are the only users who can perform these functions.
AUTCHK (authority to check). A value of *OWNER (the default) means that a user cannot run any of the commands that check authority to the output queue unless that user is the owner of the output queue, belongs to a group profile that includes the owner, or is running a program that adopts the authority of the owner. A value of *DTAAUT is more lenient, and therefore less secure: any user who is authorized to read, add, or delete in the output queue can run the commands that check output queue authority.
Remember that output queues are objects. You can secure these objects in the usual fashion using the Grant Object Authority (GRTOBJAUT), Revoke Object Authority (RVKOBJAUT), and Edit Object Authority (EDTOBJAUT) commands.
Do not forget public authority. A user enjoys public authority when that user has not been personally granted or revoked authority to an object. If the public authority to an output queue is *USE (as it is by default), the user can display its contents and perform certain basic manipulations, such as placing reports on hold.
If you must have an output queue that only a few select people can access, you must give it a public authority of *EXCLUDE and then grant those select few *USE authority to it.
For example, suppose your Human Resources department prints payroll checks by sending the output to output queue HUMRES. Users MARIA and LOURDES should be the only two Human Resources employees who can access the queue. This is what you do:
GRTOBJAUT OBJ(HUMRES) OBJTYPE(*OUTQ) USER(*PUBLIC) +
          AUT(*EXCLUDE)
GRTOBJAUT OBJ(HUMRES) OBJTYPE(*OUTQ) USER(MARIA LOURDES) +
          AUT(*USE)
The first command gives *EXCLUDE authority to the public. The second command gives *USE authority to MARIA and LOURDES. The net result enables only MARIA and LOURDES to use the output queue.
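The following CL source is an added example, not part of the original chapter, that puts together the two halves of the discussion: the CRTOUTQ/CHGOUTQ parameters (DSPDTA, OPRCTL, AUTCHK) and the object authority commands. It assumes the management library MGTLIB from earlier in the chapter, the output queue HUMRES, and the users MARIA and LOURDES; the text string and the comments are the example's own. Written as a CL source member so that comments can be included; at the command line, type the commands without the comments.

```cl
/* Added example: create a confidential output queue for Human Resources */
/* in MGTLIB, lock it down with the output queue parameters, restrict it  */
/* to MARIA and LOURDES, and verify the result. Names are assumed.        */

/* 1. Create the queue.                                                   */
/*    AUT(*EXCLUDE) sets public authority at creation time; it has the    */
/*    same effect as GRTOBJAUT ... USER(*PUBLIC) AUT(*EXCLUDE).           */
/*    DSPDTA(*NO): only the creator of a spool file (plus users with      */
/*    *JOBCTL or *SPLCTL) may use option 5 to display it.                 */
/*    OPRCTL(*NO): *JOBCTL alone no longer lets operators change, hold,   */
/*    or delete spool files here. *SPLCTL still does, so keep that        */
/*    special authority to a minimum number of profiles.                  */
CRTOUTQ    OUTQ(MGTLIB/HUMRES)                                   +
           DSPDTA(*NO)                                           +
           OPRCTL(*NO)                                           +
           AUTCHK(*OWNER)                                        +
           AUT(*EXCLUDE)                                         +
           TEXT('Human Resources - confidential reports')

/* 2. Grant *USE to the two authorized users only.                        */
GRTOBJAUT  OBJ(MGTLIB/HUMRES) OBJTYPE(*OUTQ)                     +
           USER(MARIA LOURDES) AUT(*USE)

/* 3. Tightening a queue that already exists (for example one created    */
/*    with the defaults OPRCTL(*YES) and public *USE) uses CHGOUTQ for    */
/*    the queue parameters and GRTOBJAUT for the public authority.        */
CHGOUTQ    OUTQ(MGTLIB/HUMRES) DSPDTA(*NO) OPRCTL(*NO) AUTCHK(*OWNER)
GRTOBJAUT  OBJ(MGTLIB/HUMRES) OBJTYPE(*OUTQ) USER(*PUBLIC)       +
           AUT(*EXCLUDE)

/* 4. Verify. The display should list *PUBLIC with *EXCLUDE, MARIA and    */
/*    LOURDES with *USE, and the owner with *ALL; any other entry is a    */
/*    grant that needs a second look.                                     */
DSPOBJAUT  OBJ(MGTLIB/HUMRES) OBJTYPE(*OUTQ) OUTPUT(*)
```

Two points worth checking after running this: the queue is qualified with MGTLIB, so users whose library list does not include MGTLIB must qualify the name when they direct output to it; and the restrictions above do not stop a user who holds *SPLCTL special authority, so the list of profiles with *SPLCTL is part of the review of this queue's security.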