[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.

Arne Vajhøj arne at vajhoej.dk
Mon Nov 7 21:48:58 EST 2016


On 11/7/2016 9:13 AM, Bob Gezelter wrote:
> On Monday, November 7, 2016 at 4:52:47 AM UTC-5, Joe wrote:
>> We have a set of application users who submit some application
>> batches on a specific user with the command SUBMIT/USER=APP$MGR. To
>> perform this, the application users are provided with CMKRNL
>> privilege. I notice at times some users use this privilege and
>> submit some jobs under SYSTEM user. What would be the best way to
>> restrict this? I'm thinking of a captive menu to get all the
>> required details and validate the user part and then submit in the
>> background, is this a good idea? Do we have any other option to
>> restrict this easily?

> Create a separate image that does the actual SUBMIT. That image is
> installed with the CMKRNL privilege.
>
> Thus, when the user invokes that image, they are able to do the
> SUBMIT/USER, but not otherwise. When I did this a while back for a
> client, I also imposed the requirement that the privileged program
> checked to see if the user held a Rights Identifier related to the
> Username that was being submitted. For additional security, protect
> the privileged image so that the User cannot even access it unless
> they hold a specific Rights Identifier.
>
> That protection scheme should satisfy most auditors.

I think many auditors would require logging as well.

Arne
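
The check and logging discussed in this thread, modelled as an added example that is not part of the original messages or any poster's code. It shows only the decision a privileged submit image would make before queuing the job; the identifier name SUBMIT_APP$MGR, the policy table and the sample callers are assumptions, and on OpenVMS the caller's identifiers would come from the process rights list rather than a Python list.

```python
import json
from datetime import datetime, timezone

# Assumed policy: target username -> rights identifier the caller must hold.
# SUBMIT_APP$MGR is a hypothetical identifier name. SYSTEM is deliberately
# absent, so a request to submit as SYSTEM is denied by default.
POLICY = {"APP$MGR": "SUBMIT_APP$MGR"}


def authorize_submit(caller, held_identifiers, target, audit_log, now=None):
    """Decide whether caller may submit as target; log every decision."""
    # OpenVMS usernames and identifiers are case-insensitive: compare uppercased.
    target_norm = target.strip().upper()
    held = {ident.strip().upper() for ident in held_identifiers}
    required = POLICY.get(target_norm)

    if required is None:
        allowed, reason = False, "target username not in policy"
    elif required not in held:
        allowed, reason = False, "caller lacks identifier " + required
    else:
        allowed, reason = True, "caller holds identifier " + required

    # Denials are logged as well as successes, so attempts to submit under
    # another username are visible to whoever reviews the log.
    audit_log.append(json.dumps({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "caller": caller.strip().upper(),
        "target": target_norm,
        "allowed": allowed,
        "reason": reason,
    }, sort_keys=True))
    return allowed


if __name__ == "__main__":
    # Constructed sample requests: (caller, identifiers held, requested username).
    log = []
    for caller, held, target in [
        ("JOE", ["SUBMIT_APP$MGR"], "app$mgr"),
        ("JOE", ["SUBMIT_APP$MGR"], "SYSTEM"),
        ("ANN", [], "APP$MGR"),
    ]:
        print(authorize_submit(caller, held, target, log))
    print("\n".join(log))
```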




