Since your users are streaming jobs themselves "from a menu", why not just
replace the hard-coded username "PRINTER" with !HPUSER, as in
!job myreport,!hpuser.!hpaccount;blah blah
after which they'll own their own spoofles anyway, so you can simply remove
OP from them.
> -----Original Message-----
> From: Emerson, Tom # El Monte [mailto:[log in to unmask]]
> Sent: Tuesday, October 10, 2000 11:16 AM
> To: [log in to unmask]
> Subject: Re: Security Issue
>
>
> I think you just missed the thread, but I believe this is the purpose of the
> "associate" command (well, at least to control the spoolfile device, don't
> remember offhand if this allows "previewing" the file)
>
> a <plug>ed solution would be MPEX combined with Security/3000 -- see the
> discussion on "withcaps" in their manuals for the full details, but the gist
> of it is that you can create a "secure" command file that executes commands
> in excess of the user's normal capabilities. Presumably, the command file
> checks "other criteria" before executing the command -- in your case it
> would be to check that the spoolfile being printed/viewed is "proper" for
> the user </plug>
>
> [oh, and "plug" or not, VEsoft's manuals & white papers point out the true
> danger of "OP" capability -- the ability to retrieve ANY hardcoded password
> in a jobstream, for example...]
>
> > -----Original Message-----
> > From: Larry Barnes [mailto:[log in to unmask]]
> > Sent: Tuesday, October 10, 2000 10:10 AM
> > To: [log in to unmask]
> > Subject: [HP3000-L] Security Issue
> >
> >
> > In the past, before my time, we have created users who are given the
> > "OP" capability so they can view spoolfiles. These users log on as
> > themselves and certain reports they request (thru menus) log on as a job
> > with a default user called "printer". The "OP" cap gives them the
> > ability to see when their spoolfiles are ready, and to either print them
> > or copy them to a disc file for exporting into a spreadsheet.
> > The problem is when you give a user "OP" they can view all spoolfiles in
> > all accounts, plus do other damage.
> > My question is, is there a capability on the system that will allow a
> > user to view all spoolfiles in their logon account without giving them
> > "OP" or "AM" capability?
> >
> > --
> > Larry Barnes
> > Director of I.T.
> > Mitek Corp.
> > 602-438-4545 x1366
> > Phoenix, AZ 85040
> >
> > Check Us Out !
> > http://www.mitekcorp.com
> >
>