[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.

Bob Gezelter gezelter at rlgsc.com
Mon Nov 7 09:13:23 EST 2016


On Monday, November 7, 2016 at 4:52:47 AM UTC-5, Joe wrote:
> We have a set of application users who submit some application batches on a specific user with the command SUBMIT/USER=APP$MGR. To perform this, the application users are provided with CMKRNL privilege. I notice at times some users use this privilege and submit some jobs under SYSTEM user. What would be the best way to restrict this? 
> I'm thinking of a captive menu to get all the required details and validate the user part and then submit in the background, is this a good idea? 
> Do we have any other option to restrict this easily?

Joe,

Create a separate image that does the actual SUBMIT. That image is installed with the CMKRNL privilege.

Thus, when the user invokes that image, they are able to do the SUBMIT/USER, but not otherwise. When I did this a while back for a client, I also imposed the requirement that the privileged program checked to see if the user held a Rights Identifier related to the Username that was being submitted. For additional security, protect the privileged image so that the User cannot even access it unless they hold a specific Rights Identifier.

That protection scheme should satisfy most auditors.

- Bob Gezelter, http://www.rlgsc.com
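
The system-side setup for the scheme described in the reply above, as an added example that is not part of the original post. The identifier APP$MGR_SUBMIT, the image SYS$COMMON:[SYSEXE]APP_SUBMIT.EXE and the account JOE_USER are hypothetical names; the rights check inside the image itself is not shown.

```dcl
$! Added example, not from the original post. Hypothetical names:
$!   APP$MGR_SUBMIT                    rights identifier tied to APP$MGR
$!   SYS$COMMON:[SYSEXE]APP_SUBMIT.EXE the separate SUBMIT image
$!   JOE_USER                          one application user account
$!
$! 1. Create the identifier, grant it to the application user, and
$!    take CMKRNL away from the account so that SUBMIT/USER= only
$!    works through the installed image.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
ADD/IDENTIFIER APP$MGR_SUBMIT
GRANT/IDENTIFIER APP$MGR_SUBMIT JOE_USER
MODIFY JOE_USER /PRIVILEGES=(NOCMKRNL) /DEFPRIVILEGES=(NOCMKRNL)
EXIT
$!
$! 2. Protect the image: no group or world access, and an ACL entry
$!    that lets only holders of the identifier execute it.
$ SET SECURITY /CLASS=FILE -
      /PROTECTION=(S:RWED,O:RWED,G,W) -
      /ACL=(IDENTIFIER=APP$MGR_SUBMIT,ACCESS=EXECUTE) -
      SYS$COMMON:[SYSEXE]APP_SUBMIT.EXE
$!
$! 3. Install the image with CMKRNL, so the privilege belongs to the
$!    image and not to the person running it.
$ INSTALL ADD SYS$COMMON:[SYSEXE]APP_SUBMIT.EXE /PRIVILEGED=(CMKRNL)
$!
$! 4. Verify the installed privileges and the file protection.
$ INSTALL LIST /FULL SYS$COMMON:[SYSEXE]APP_SUBMIT.EXE
$ SHOW SECURITY /CLASS=FILE SYS$COMMON:[SYSEXE]APP_SUBMIT.EXE
```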


