TMcB,
In this case "minimum required" is an oxymoron. Any of the ALL category privileges should do. According to the System Services Reference Manual, $SETUAI "You must have SYSPRV privilege to set passwords for any user account (including your own)."
Implementing such a mechanism, while protecting against unauthorised privilege amplification requires care, as it would be easy to leave loopholes open.
The simplest, and most obvious case - preventing your helpdesk operators from modifying the password of SYSTEM and thereby taking control of the system is but the tip of the iceberg.
Robert's example of DCL qualifier syntax hacking shows that knocking up a DCL script to feed AUTHORIZE has some unexpected pitfalls.
My recommendation would be a program to be installed with SYSPRV which uses $SETUAI and UAI$_PASSWORD. I'd protect the image with an ACL, filter the input username with both an INCLUDE list AND an EXCLUDE list (remember he program has SYSPRV, so the lists can be hidden), and audit every action, again to a protected file.
With appropriate table driven logic, you could define it so that a given user had a set of usernames they're allowed to modify.
A crucible of informative mistakes
