<<I've been racking my brains trying to figure out a way of putting
certain groups in our development account off-limits.  I'm trying to set
up source control procedures, such that the original files are kept in
the "secure" groups.  Scripts will be used to control taking files out of
the groups to edit & saving changed or new files into the groups.  I
would like to be able to prevent any programmer from easily bypassing the
system (this would be mainly due to laziness or forgetfulness).
  Specifically, I would like the "secure" groups to have read access
only, so that searches for strings and similar operations are possible,
and the scripts would be able to then retrieve from or save to those
groups.>>


"Secure groups" might be pretty tough, especially in light of your
following comment. If you put the groups to be controlled in another
account, you'll have better luck restricting write access. You could then
use "get", "checkin" and "checkout" scripts to build and execute job
streams that copy/move the files into/out of the controlled
group/account.

<<All our programmers have AM capability, we have the Vesoft trilogy
(MPEX, Security & Veaudit) and are on MPE/iX 5.5.>>


Any particular reason why? I can see developer's needing things like PM,
OP and PH, but I can't think of a good reason offhand why an entire group
would need AM to perform development activities. Maybe you have some
custom software package that requires it? AM allows a user to override
almost any account-level security controls you can put in place anyway.

<<Anyone got any hints or ideas?  I don't think we need to buy a
full-blown source control package.>>


Although, if you invest too many programmer hours in developing and
testing scripts, job files, and permission structures, you'll have spent
more than it would have cost to buy an SCS up front. Especially if you
try to do versioning manually.

Steve