[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.

Joe joslovefun at gmail.com
Tue Nov 8 04:02:42 EST 2016


On Monday, November 7, 2016 at 3:13:25 PM UTC+1, Bob Gezelter wrote:
> On Monday, November 7, 2016 at 4:52:47 AM UTC-5, Joe wrote:
> > We have a set of application users who submit some application batches on a specific user with the command SUBMIT/USER=APP$MGR. To perform this, the application users are provided with CMKRNL privilege. I notice at times some users use this privilege and submit some jobs under SYSTEM user. What would be the best way to restrict this? 
> > I'm thinking of a captive menu to get all the required details and validate the user part and then submit in the background, is this a good idea? 
> > Do we have any other option to restrict this easily?
> 
> Joe,
> 
> Create a separate image that does the actual SUBMIT. That image is installed with the CMKRNL privilege.
> 
> Thus, when the user invokes that image, they are able to do the SUBMIT/USER, but not otherwise. When I did this a while back for a client, I also imposed the requirement that the privileged program checked to see if the user held a Rights Identifier related to the Username that was being submitted. For additional security, protect the privileged image so that the User cannot even access it unless they hold a specific Rights Identifier.
> 
> That protection scheme should satisfy most auditors.
> 
> - Bob Gezelter, http://www.rlgsc.com

Many thanks, Bob and everyone, for your input.
I will try to create an image and install it with CMKRNL and then protect it with ACLs.
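
The setup described in this thread, sketched as a DCL procedure. This is an added example, not part of either post: the identifier APP_SUBMIT, the image SUBMIT_APPMGR.EXE and the account APPUSER1 are constructed names. The wrapper program itself, which should also verify the caller's rights identifier before submitting, is not shown.

```dcl
$! Constructed names: APP_SUBMIT, SUBMIT_APPMGR, APPUSER1. Adjust to the site.
$!
$! 1. Create the rights identifier and grant it only to the permitted users.
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER APP_SUBMIT
GRANT/IDENTIFIER APP_SUBMIT APPUSER1
EXIT
$!
$! 2. Link the wrapper without traceback; an image installed with
$!    privileges must be linked /NOTRACEBACK.
$ LINK/NOTRACEBACK/EXECUTABLE=SYS$COMMON:[SYSEXE]SUBMIT_APPMGR.EXE -
      SUBMIT_APPMGR.OBJ
$!
$! 3. Protect the image file: no group or world access, and an ACL entry
$!    granting execute access only to holders of APP_SUBMIT.
$ SET SECURITY/CLASS=FILE/PROTECTION=(S:RWED,O:RWED,G,W) -
      SYS$COMMON:[SYSEXE]SUBMIT_APPMGR.EXE
$ SET SECURITY/CLASS=FILE/ACL=(IDENTIFIER=APP_SUBMIT,ACCESS=EXECUTE) -
      SYS$COMMON:[SYSEXE]SUBMIT_APPMGR.EXE
$!
$! 4. Install the image with CMKRNL so the privilege belongs to the
$!    image, not to the person running it.
$ INSTALL ADD SYS$COMMON:[SYSEXE]SUBMIT_APPMGR.EXE /PRIVILEGED=(CMKRNL)
$!
$! 5. Take CMKRNL away from the application users, so SUBMIT/USER= is
$!    only reachable through the wrapper.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY APPUSER1/PRIVILEGES=(NOCMKRNL)/DEFPRIVILEGES=(NOCMKRNL)
EXIT
$!
$! 6. Verify the result: installed privileges and file protection/ACL.
$ INSTALL LIST/FULL SYS$COMMON:[SYSEXE]SUBMIT_APPMGR.EXE
$ SHOW SECURITY/CLASS=FILE SYS$COMMON:[SYSEXE]SUBMIT_APPMGR.EXE
```

The INSTALL ADD step does not survive a reboot, so it also belongs in the site's startup procedure.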


