Choosing a Method of Spool File Protection

Command Limiting the CP Spooling System › Using Command Limiting to Protect Spool Files › Choosing a Method of Spool File Protection

Choosing a Method of Spool File Protection

When deciding how to protect spool files, consider the output control procedures at your site.

Do you have multiple remote printers (DEST)?
Do you use spool file classes as a printing control (CLASS)?
Do you have special forms (FORM)?

How you process output and the type of information processed dictates how you use CA ACF2 for z/ VM to protect your spool files.

There are six recommended methods to protect your spool queue:

Protect by	Description
Class	Minimally, a rule entry includes the owner ID of the spool file, the class of spool files, the UID string of the users, and the access permission.
Form	Minimally, a rule entry includes the owner ID of the spool file, the form number of the spool files, the UID, and the access permission.
Class and form
Spool file owner	Minimally, a rule entry includes the owner ID of the spool file, the UID, and the access permission.
Class and target	Minimally, a rule entry includes the owner ID of the spool file, the class and target of the spool files, the UID, and the access permission.
Destination

For example, user PAYOPER displays the spool queue through a QUERY command:

ORIGINID  FILE CLASS ... FORM
 
MAINT     4324 A PRT     STD
VSEIPO    4567 T CON     3HOLE
PAYROLL   4568 P PRT     REGISTER
PAYROLL   4569 P PRT     W2
PAYROLL   4790 P PRT     STANDARD

They then issues a TRANSFER command to place all of the output class P spool files into his spool queue:

TRAN PAYROLL PRT CLASS P TO *

CA ACF2 for z/ VM transposes this command to read TRANSFER PAYROLL PRT CLASS P TO PAYOPER.

Before CA ACF2 for z/ VM transposes the rule set, the TRANSFER rule set states:

$KEY(TRANSFER)
 *- PRT CLASS P - UID(PAYOPER) ALLOW
 *- PRT CLASS A - UID(TLCOPER) ALLOW
 *- PRT CLASS T - UID(TLCOPER) ALLOW

After transposition, CA ACF2 for z/ VM interprets the rule set as:

$KEY(TRANSFER)
*- PRT CLAS P TO PAYOPER UID(PAYOPER) ALLOW
*- PRT CLAS A TO PAYOPER UID(TLCOPER) ALLOW
*- PRT CLAS T TO PAYOPER UID(TLCOPER) ALLOW

Based on the transposition of the command and rule set, CA ACF2 for z/ VM selects the following files as eligible for the TRANSFER command:

PAYROLL 4568 P PRT REGISTER
PAYROLL 4569 P PRT W2
PAYROLL 4790 P PRT STANDARD

CA ACF2 for z/ VM examines the spool queue for each occurrence of a file that is owned by PAYROLL with class P. Each file is then compared to all of the rule entries. All of the files must be allowed by one or more rule entries in the rule set for the command to be allowed to execute.

Mixing class and form in the same rule can lead to undesired results unless you explicitly specify both operands in all rule entries related to spool files. For more information, see Protection by Class and Form in this chapter.

CA ACF2 for z/ VM can encounter a spool file not found condition when there are no spool files that match the command. You can control the action CA ACF2 for z/ VM takes when a user issues a CP spool command for a spool file that does not exist. There are three ways to control NOSPOOL processing: the ACFFDR, command model, and the logon ID record.

For information about using the ACFFDR to control NOSPOOL processing, see the chapter “The CA-ACF2 Field Definition Record” in the Installation Guide.

For information about the logon ID record, see the chapter “About the Logonid Record” in the Administrator Guide.