Security and Systems Management Newsletter for the IBM i                 April 24, 2013 - Vol 3, Issue 27
Live Online Workshops - from The 400 School

Powertech - Security Study 2013

Security? See how SKYVIEW PARTNERS can help!

Feature Article

Mysteries of Restoring Output Queues and Spooled Files

By Dan Riehl

Since version 5.4 of the IBM i operating system, IBM has included the capability to natively save and restore spooled files. Previously, when an output queue object was saved, only the output queue object itself was saved. The spooled files within the output queue weren't saved and therefore couldn't be restored. Even today, unless you specify that you want to save the spooled files in your saved output queues, the spooled files aren't saved.

Since 5.4, an output queue and its associated spooled files can be saved using standard save commands such as Save Library (SAVLIB) and Save Object (SAVOBJ).

In the following example, I save an output queue named ADMIN5P to a save file by using the SAVOBJ command. On the command, I specify the parameter SPLFDTA(*ALL). The SPLFDTA(*ALL) parameter is what causes the spooled files to be saved. Had I not specified SPLFDTA(*ALL), only the output queue object would be saved and not the associated spooled files.


I display the contents of the save file by using this command:


I then see the resulting display showing the saved ADMIN5P output queue.

                             Display Saved Objects                              
 Library saved . . . . . . . :   ADMIN5                                         
 Type Options, press Enter.                                                     
 Opt  Object      Type      Attribute   Owner          Size (K)  Data           
  5   ADMIN5P     *OUTQ                 DANRIEHL             96  YES            

Once the Output Queue and Spooled files are saved, it is quite mysterious how the restore process works. It's not as one would expect.

Read about the Mysteries of Restoring Spooled Files

In This Issue

Featured Article - Restoring Spooled Files

Security Shorts - The CHGPRF Command

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i? Visit

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor

    The PowerTech Group

    Skyview Partners, Inc


    Townsend Security

    Cilasoft Security Solutions

IBM i Security Resources

John Earl Memorial Tribute - Jan 2013

IBM i Security Videos from

SecureMyi Newsletter Home and Archives

Search Security Site for IBM i and i5/OS

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1

Open Security Foundation - DataLoss DB

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

Powertech - Security Study 2013

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

Top 10 Security and Compliance Considerations for Cloud Computing
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Thursday, April 25 10:00am CDT
More Information and Register to Attend

Automatic Encryption with FIELDPROC on the IBM i
with Patrick Townsend

Live Webcast - Sponsored by Townsend Security
Tuesday, April 30, 12:00 Noon CDT
More Information and Register to Attend

10th Anniversary: PowerTech's "State of IBM i Security Study 2013"
Live Webcast - Sponsored by PowerTech
Robin Tatam, Director of Security Technologies for PowerTech, will reveal the
latest results from a decade of ongoing research into the security configuration of IBM i. Wednesday, May 1, 1:00 PM CDT
More Information and Register to Attend

Live Hands-On IBM i Expanded Security Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - May 7 - 10
Dan Riehl presents this 4-Day Live Online Hands-on Expanded Security Workshop.
More Information and Register to Attend

Live Hands-On IBM i Security Assessment Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - May 21 - 24
Dan Riehl presents this 3.5-Day Live Online Hands-on Security Assessment Workshop.
More Information and Register to Attend

Security? See how SKYVIEW PARTNERS can help!

Live Online Workshops - from The 400 School

Security Shorts -

Watch out for the CL Command CHGPRF!

By Dan Riehl

Did you know that your end users and IT staff members can change their own user profile?

Just like users can run the CHGPWD(Change Password) command to change their own password, they can run the CHGPRF(Change Profile) command to change their own user profile.

Almost all user profile attributes can be changed using this command. Certain attributes like Group Profile and Supplemental Group Profile cannot be changed. But that's little consolation when we find that our end users can change their initial program, initial menu, current library, job description, attention program, etc.

The CHGPRF command ships from IBM as *PUBLIC use, so it is available for general use. As you might suspect, the user must have at least *USE authority to the specified initial program, menu, job description, attention program, current library, etc. in order to make those kind of changes.

Certain parameters of the CHGPRF command are sensitive to the LMTCPB(Limit capabilities) attribute of the user's profile. For instance, if the user is LMTCPB(*PARTIAL), they cannot change their initial program, current library or attention key handling program. They can however change their initial menu and all the other attributes. If the user is LMTCPB(*YES), they cannot change their initial program, initial menu, current library or attention key program, but they can change all the rest of their profile attributes like job description, user options, output queue, printer and even the textual description of their user profile.

You may be thinking that this is not really such a big deal since the only people on your system that can run this command are IT folks and a limited number of users that have access to the command line. Users that are defined as LMTCPB(*YES) cannot enter this command on a command line, and I doubt you would place this option on their menu. But, any user that has IBM i Access(Client Access) installed on their PC can use the RMTCMD command to run the CHGPRF command. It's as simple as going to a DOS prompt and running the command:


The RMTCMD.exe on your PC does not pay any attention to the LMTCPB attribute of the user running the command. The user can run any command to which they are authorized. And, since RMTCMD is an integral part of IBM i Access, you cannot just remove it from all your PCs. It's best to write or buy an exit program for the remote command server that would control this type of activity.

My recommendation to you is to change the object authority of the CHGPRF command to make it *PUBLIC AUT(*EXCLUDE). To make that change, you can use either the EDTOBJAUT(Edit Object Authority) command or the GRTOBJAUT(Grant Object Authority) command.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert IBM i Security Consulting
IT Security and Compliance Group. LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

Intro RPG IV Programming
Intro RPG/400 Programming
IBM i COBOL Programming
Interactive Programming Workshops
Introduction to System Operations
Expanded System Operations Workshop
System Administration and Control
Expanded Security Workshop
Control Language Programming
IBM i Concepts and Facilities
Concepts & Control Language
Query Workshop

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2013 -, all rights reserved | St Louis MO 63017