

Protection by Form

In some cases, spooling is best controlled by form. The following examples show how this can be accomplished. The second line of the rule set below prevents any user from changing a spool file on any SYSTEM where the value of form is STD (standard). In addition, all users are prevented from changing a spool file on any device with the XY form. All other spool changes are allowed (last line of the rule set). Remember that *- masks operands that you must specify (device type).

$KEY(CHANGE)
 SYSTEM *- *- ******** - FORM STD - PREVENT
 *- *- ******** - FORM XY - UID(*) PREVENT
 -  UID(*) ALLOW

In the rule below, user OPR cannot purge any files with form EXEC. PAYOPR can purge any spool files with a form of A. Other users can only purge files in their own spool queue.

$KEY(PURGE)
 - FORM A -  UID(PAYOPR) ALLOW
 - FORM EXEC - UID(OPR) PREVENT
 ALL -  UID(*) ALLOW
 PRT -  UID(*) ALLOW
 PUN -  UID(*) ALLOW
 RDR -  UID(*) ALLOW

This rule set lets users with the PAY user ID spool any files with the EXEC form. PER users can spool any files with the STD (standard) form.

$KEY(SPOOL)
 - FORM EXEC -  UID(PAY) ALLOW
 - FORM STD - UID(PER) ALLOW

Next, a user with the OPR user ID can dump any spool with a form of ABC, but CA ACF2 for z/VM logs the occurrence. CA ACF2 for z/VM denies all attempts at dumping any other form.

$KEY(SPTAPE)
 *- *- *- FORM ABC - UID(OPR) L

According to the next rule, users with the OPR user ID can start up any spool files with the STANDARD form only. All other users can start their own files, no matter what their form.

$KEY(START)
 *- FORM STANDARD - UID(OPR) ALLOW
 ALL -  UID(*) PREVENT
 PRT -  UID(*) ALLOW
 PUN -  UID(*) ALLOW
 RDR -  UID(*) ALLOW

The following rule lets PAYOPR transfer files in the form PAY to anyone in Payroll or Personnel. PER and PAY users can transfer files, in the standard (STD) form, to anyone in Payroll or Personnel. They cannot transfer any other form of files to anyone else. GEN and MKT can transfer any files in any form.

$KEY(TRANSFER)
 SYSTEM *- FORM PAY *- P***** - UID(PAYOPR) ALLOW
 *- FORM STD *- P*****  UID(PER) ALLOW
 *- FORM STD *- P***** -  UID(PAY) ALLOW
 *- FORM * -  UID(PAY) PREVENT
 *- FORM * -  UID(PER) PREVENT
 -  UID(GEN) ALLOW
 -  UID(MKT) ALLOW