Picking up Mark's idea...
>Why not give them a jobstream, running under MANAGER.SYS or OPERATOR.SYS
>which resides in a group in the SYS Account. You could protect the group by
>limiting them to Execute Access only. All they can do is STREAM the job,
>they can't PRINT it to see the passwords..
As of MPE/iX 5.5 you might even use the JOBSECURITY PASSEXEMPT=XACCESS
feature and define the eXecute (i.e. stream) permission via an ACD like
:ALTSEC backupj.somegrp.SYS; NEWACD=(X:user.acct)
This should allow user.acct to stream the backup job (without any need to
embed passwords in the job or have user.acct knowing them) while not allowing
them to view or modify the job stream.
You might create one backup job for each client and setup individual ACD's
for each of them (assuming different user.acct for each client) to isolate
the clients from each other.
Lars.