Re: Processing Ideas Needed:

Chuck Aaron wrote:
I have a complex dcl command file that must be submitted under a particular
user id's priv's and process quotas...no exceptions.

On a web page, a selection can be added to a page to submit this command
file on demand from only (1) particular user id accessing the web page. However, this user must be to se;ect this option that will internally
> submit this command with /user=****** (the user that has all the priv's
> and proc quotas where the job must run).
The problem is, I don't want to give the user CMKRNL to be able to select the option which will submit the command with another /user= ******
> unless that will not create any security issues.

If I do not go the route of the CMKRNL priv's, what ideas might you have in mind that
once the user selects the option it will notify the privileged user to run the command file
manually. I'd like to automate this and make it the simplest way possible.

Several options have been given already, typically writing a custom image installed with privilege.

Much depends on what the "username" is that has to do the submit/user command and what security controls are in place for that user.

You can have a privileged task watch for a file to be created and then do the submit/user.

If you have DECNET installed, you can create a DECNET object that can be invoked as a user that is limited to doing your privileged task. This has the advantage that only DCL is needed.

I have been using DECNET objects to allow non-privileged build procedures test code that requires privileges with out giving the build procedures directly to upgrade their privileges.

-John
wb8tyw@xxxxxxx
Personal Opinion Only

.

Relevant Pages