Oscar,
Given your requirements to return control to DCL, I know of no way to use protected subsystem identifiers, which have the effect of "granting an identifier to an image", much like privileges are granted to an image when it is installed with privs.
So, you could use $GRANTID/$REVOKID from an image installed with CMKRNL privilege to do what you originally asked (granting/revoking a dynamic id), or $GRANTID to turn off and on the noaccess attribute.
However, here's another possibility that may allow you to get the control you want, without all the hassle of writing a safe version of a program to be installed with CMKRNL privilege (which is an ALL class priv).
On Hunter Goatley's VMS freeware archives is a program, JUMP, which allows specified users to login to another username and have a logfile created. This is controlled by a text file that specifies what users can jump and to what username(s) they can jump to. It does this by creating a pseudo terminal (FT device), and then creating a process, and as such the user does not need to know the password of the account being jumped to; in fact the target username can have interactive access disabled in UAF and the account can still be used via JUMP. This is actually a useful attribute, as even if someone guesses the password, they will not be able to log into the account in the normal manner.
The idea would be to create a username for each role/real person and set this username up with the privileges/identifiers needed for the role. Then the user from their normal non-privileged account would jump to the role account to do the work, and logout when they were done with the role specific duties. A log file can be created that is inaccessible from the "jumped from" or "jumped to" users, given neither of those username has privileges that would allow them to see the files for another user, i.e. if they don't have SYSPRV (and are not a member of a UIC group <= MAXSYSGRP), READALL or BYPASS priv.
While this doesn't specifically answer your question about enabling/disabling dynamic identifiers, I think it would be a possible solution for your problem, with the side benefit of having the option to create a logfile of what was done while in the role, although that is not a requirement.
The downside is that you will need to have multiple accounts for your users. And from a user standpoint it isn't all happening from the same process, so things like command recall, process logicals and symbols, access to their own non-privileged directory (unless allowed either by ACL or privilege in the "jumped to" username.
We use it, and it works. I would recommend at least taking a look at it.
Example:
Non-Prived user | CM role username | Admin role username
TEST1 [26,253] | TEST1_CM [31,67] | TEST1_ADMIN [32,302]
Create JUMP_ACCESS identifier (when JUMP installed)
Grant JUMP_ACCCESS to TEST1
Add a line to JUMP_ACCESS.DAT file (which is protected)
test1 : test1_cm,test1_admin : sen!i # secure, exact, all notification, don't include log in mail
Now the user test1 can enter the command
$ jump test1_admin
and they will be logged into the test1_admin username with all its access rights, go through its login.com etc, And the session will be logged (secure) and when the session is complete a message will be sent to a specified jump administrator. Optionally (we don't do this) the complete logfile can be sent with the message.
Where to get JUMP:
ftp://ftp.process.com/vms-freeware/fileserv/jump.ziphttp://ftp.process.com/ftp/vms-freeware/fileserv/jump.zipGood luck,
Jon
it depends
