[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.

[VAXman- at SendSpamHere.ORG]

In article <nvrmrq$1f6s$1 at gioia.aioe.org>, Richard Maher <maher_rjSPAMLESS at hotmail.com> writes:
>On 07-Nov-16 5:52 PM, Joe wrote:
>> We have a set of application users who submit some application
>> batches on a specific user with the command SUBMIT/USER=APP$MGR. To
>> perform this, the application users are provided with CMKRNL
>> privilege. I notice at times some users use this privilege and submit
>> some jobs under SYSTEM user. What would be the best way to restrict
>> this? I'm thinking of a captive menu to get all the required details
>> and validate the user part and then submit in the background, is this
>> a good idea? Do we have any other option to restrict this easily?
>>
>
>What does the submitted command file do? What is the APP$MGR persona 
>used for?

Inquiring minds want to know!



>Could it be possible that a $persona_create/assume around the "just need 
>privilege for this bit" would suffice?

Stop making sense, Richard. ;)



>It may well be that your requirement is happy for jobs to queue up in 
>batch but a $persona_assume before a $creprc prc$m_detach and 
>loginout.exe does provide advantages.
>
>Either way as others have suggested install the image with CMRNL but be 
>aware that only trusted logical names may be required for DLLs etc,

Gee, why not just install SYS$SYSTEM:SUBMIT.EXE with privies?  :D :D :D

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

I speak to machines with the voice of humanity.