[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.
Roy Omond
roy at omond.net
Tue Nov 8 04:39:46 EST 2016
On 08/11/16 09:02, Joe wrote:
> On Monday, November 7, 2016 at 3:13:25 PM UTC+1, Bob Gezelter wrote:
>> On Monday, November 7, 2016 at 4:52:47 AM UTC-5, Joe wrote:
>>> We have a set of application users who submit some application batches on a specific user with the command SUBMIT/USER=APP$MGR. To perform this, the application users are provided with CMKRNL privilege. I notice at times some users use this privilege and submit some jobs under SYSTEM user. What would be the best way to restrict this?
>>> I'm thinking of a captive menu to get all the required details and validate the user part and then submit in the background, is this a good idea?
>>> Do we have any other option to restrict this easily?
>>
>> Joe,
>>
>> Create a separate image that does the actual SUBMIT. That image is installed with the CMKRNL privilege.
>>
>> Thus, when the user invokes that image, they are able to do the SUBMIT/USER, but not otherwise. When I did this a while back for a client, I also imposed the requirement that the privileged program checked to see if the user held a Rights Identifier related to the Username that was being submitted. For additional security, protect the privileged image so that the User cannot even access it unless they hold a specific Rights Identifier.
>>
>> That protection scheme should satisfy most auditors.
>>
>> - Bob Gezelter, http://www.rlgsc.com
>
> Many Thanks Bob and everyone for your inputs.
> I will try to create an image and install it with CMKRNL and then protect it with ACLs.

A quick-n-easy way to start would be to copy SUBMIT.EXE to, say,
XUBMIT.EXE, and add a suitable entry (use VERB to get the current SUBMIT
command language definition, and edit accordingly) to
DCLTABLES. Appropriate security settings can then be added to
the image file (e.g. AUDIT entries for successful access etc. etc.).
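
The image-protection side of the scheme discussed in this thread, as an added DCL example that is not part of the original posts. The identifier name APP_MGR_SUBMIT and the username JSMITH are assumptions chosen for illustration; the DCLTABLES verb definition and any check inside the image that the caller holds an identifier related to the target username are not shown.

```dcl
$! Added example. Constructed names, not from the thread:
$!   APP_MGR_SUBMIT  rights identifier gating use of the image
$!   JSMITH          one of the application users
$!
$! 1. Create the rights identifier and grant it to the permitted users.
$ SET DEFAULT SYS$SYSTEM
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER APP_MGR_SUBMIT
GRANT/IDENTIFIER APP_MGR_SUBMIT JSMITH
EXIT
$!
$! 2. Copy the image under the new name used in the thread.
$ COPY SYS$SYSTEM:SUBMIT.EXE SYS$SYSTEM:XUBMIT.EXE
$!
$! 3. Deny group and world access through the protection mask, allow
$!    execute only to identifier holders, and place an audit ACE first
$!    so that successful and failed execute access is recorded.
$ SET SECURITY /CLASS=FILE -
      /PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) -
      /ACL=((AUDIT=SECURITY,ACCESS=EXECUTE+SUCCESS+FAILURE), -
            (IDENTIFIER=APP_MGR_SUBMIT,ACCESS=EXECUTE), -
            (IDENTIFIER=*,ACCESS=NONE)) -
      SYS$SYSTEM:XUBMIT.EXE
$!
$! 4. Audit ACEs produce records only while the ACL event class is enabled.
$ SET AUDIT /AUDIT /ENABLE=ACL
$!
$! 5. Install the copy with CMKRNL so the privilege comes from the image.
$ INSTALL ADD SYS$SYSTEM:XUBMIT.EXE /PRIVILEGED=(CMKRNL)
$!
$! 6. Remove CMKRNL from the user accounts that held it for this purpose.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY JSMITH /PRIVILEGES=NOCMKRNL /DEFPRIVILEGES=NOCMKRNL
EXIT
$!
$! 7. Review the result.
$ SHOW SECURITY SYS$SYSTEM:XUBMIT.EXE
$ INSTALL LIST SYS$SYSTEM:XUBMIT.EXE /FULL
```

The INSTALL ADD command has to be repeated at each boot, typically from the site-specific startup procedure.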