[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.

johnwallace4 at yahoo.co.uk
Tue Nov 8 05:36:45 EST 2016


On Tuesday, 8 November 2016 09:39:49 UTC, Roy Omond wrote:
> On 08/11/16 09:02, Joe wrote:
> > On Monday, November 7, 2016 at 3:13:25 PM UTC+1, Bob Gezelter wrote:
> >> On Monday, November 7, 2016 at 4:52:47 AM UTC-5, Joe wrote:
> >>> We have a set of application users who submit some application batches on a specific user with the command SUBMIT/USER=APP$MGR. To perform this, the application users are provided with CMKRNL privilege. I notice at times some users use this privilege and submit some jobs under SYSTEM user. What would be the best way to restrict this?
> >>> I'm thinking of a captive menu to get all the required details and validate the user part and then submit in the background, is this a good idea?
> >>> Do we have any other option to restrict this easily?
> >>
> >> Joe,
> >>
> >> Create a separate image that does the actual SUBMIT. That image is installed with the CMKRNL privilege.
> >>
> >> Thus, when the user invokes that image, they are able to do the SUBMIT/USER, but not otherwise. When I did this a while back for a client, I also imposed the requirement that the privileged program checked to see if the user held a Rights Identifier related to the Username that was being submitted. For additional security, protect the privileged image so that the User cannot even access it unless they hold a specific Rights Identifier.
> >>
> >> That protection scheme should satisfy most auditors.
> >>
> >> - Bob Gezelter, http://www.rlgsc.com
> >
> > Many Thanks Bob and everyone for your inputs.
> > I will try to create an image and install it with CMKRNL and then protect it with ACLs.
> 
> A quick-n-easy way to start would be to copy SUBMIT.EXE to, say, 
> XUBMIT.EXE, and add a suitable entry (use VERB to get the current SUBMIT 
> command language definition, and edit accordingly) to
> DCLTABLES.  Appropriate security settings can then be added to
> the image file (e.g. AUDIT entries for successful access etc. etc.)

Didn't somebody here recently mention some freeware called
JUMP which iirc already covers many of the requirements being
discussed here?

Name doesn't help me find it easily... pointers to recent info
very welcome.
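
The image-protection side of the scheme quoted above, sketched in DCL as an added example that is not part of the original thread. The identifier APP$MGR_SUBMIT, the user JOE and the wrapper image path are hypothetical, and the wrapper's own check of the requested username is not shown.

```dcl
$ ! Added example. Hypothetical names: identifier APP$MGR_SUBMIT, user JOE,
$ ! wrapper image SYS$COMMON:[SYSEXE]APPSUBMIT.EXE (site-written, not SUBMIT.EXE).
$ !
$ ! 1. Create the rights identifier, grant it to each permitted user, and
$ !    take CMKRNL away from the user's own account.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
ADD/IDENTIFIER APP$MGR_SUBMIT
GRANT/IDENTIFIER APP$MGR_SUBMIT JOE
MODIFY JOE /PRIVILEGES=(NOCMKRNL) /DEFPRIVILEGES=(NOCMKRNL)
EXIT
$ !
$ ! 2. Remove group and world access from the image, then allow execute
$ !    access only to holders of the identifier. The AUDIT ACE records
$ !    both successful and failed execute access.
$ SET SECURITY /PROTECTION=(S:RWED,O:RWED,G,W) -
      /ACL=((AUDIT=SECURITY,ACCESS=EXECUTE+SUCCESS+FAILURE), -
            (IDENTIFIER=APP$MGR_SUBMIT,ACCESS=EXECUTE)) -
      SYS$COMMON:[SYSEXE]APPSUBMIT.EXE
$ !
$ ! 3. ACL-driven audit events are only written when the ACL event class
$ !    is enabled for auditing.
$ SET AUDIT /AUDIT /ENABLE=ACL
$ !
$ ! 4. Install the image with CMKRNL so the privilege belongs to the
$ !    image and not to the person running it.
$ INSTALL ADD SYS$COMMON:[SYSEXE]APPSUBMIT.EXE /PRIVILEGED=(CMKRNL)
$ !
$ ! 5. Review the result.
$ SHOW SECURITY SYS$COMMON:[SYSEXE]APPSUBMIT.EXE
$ INSTALL LIST SYS$COMMON:[SYSEXE]APPSUBMIT.EXE /FULL
```

The INSTALL step does not survive a reboot, so it also belongs in the site startup procedure.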


