I would try the following:
Create the account to be a captive, normal user (that is: non-SYSTEM) account, with normal default privileges and only those that are required in some actions, as authorized.
The procedure (actually a menu) would do a SET PRIV to elevated levels before the required action (no more than really needed) and revoke these privileges afterwards - no matter the outcome.
On exit (whatever way) the procedure would need to set the /DISUSER flag of the account. Another approach is keeping the first login time of the script, and set the expiration date accordingly. You could do so in a (SYSTEM or GROUP) logical, that is deleted on logout after expiration.
Be sure this user has NO DCL access; all he does should be under full control of the procedure, and any escape should result in logout (that's what a captive account is meant for).
To reuse the account, someone that is able to chnage UAF records (using a similar captive account?) could allow him access for the next period.
Any file, touched by this account, should be secured for write access for any non-privileged user. You can do so by an ACL on identifier, and no access for non-holders.
If you require DCL access, it's a no-go. You cannot do without to prevent activities you do NOT want to be executed. Otherwise, this account should have no access to ANY file or resource unless explicitly allowed. Writing a DCL procedure that limits activities to the bare minimum required is less time consuming (and earier to maintain).
I have used such an approach in a development area to allow the (non-system) developers do some limietd system tasks they otherwise couldn't execute (except for the time limitation)
Willem Grooters
OpenVMS Developer & System Manager
