have to make your own
That' s what we did.
For that (and other functions) we have (many versions of) a tiny c program that just spawns a (name hard coded!) command procedure.
This image has an ACL that limits access to holders of a specific identifier, and it is INSTALLed with the priv's needed for that function.
It is run from a menu that gets it entries from the various identifiers that specify which funtions/apllics a user is allowed.
Of course any error- & exit route is (subprocess-) LOGOUT, ie. UNpriv'd back into the menu.
This way we control exactly what certain users can and cannot do.
For example, at > 10K SYSUAF entries you DON'T want to maintain that by hand (and much less by GUI!!).
All personnel is loaded from the personnel system into SYSUAF automatically.
The Authorisation Group (which works 4-platform) have a menu that allows them to grant & revoke application identifiers to EXISTING personnel. Of course this is logged with all info that the auditors want to have on it (like who gave the order for it), AND they maintain a paper record of all requests.
People NOT from the personnel system (temporaty hired forces, supplier maintenance people etc) CAN be added (by a very limited number of people only), but only with expiration dates less than half a year into the future.
And of course we DON'T allow any interactive access to the system by any account that is not uniquely defined to be ONE and only ONE person.
We have also looked into various "one GUI, multi-platform" user-authorization tools, but we never found one that even remotely approached the granularity of control we want.
And after a rather short time most of the many people that have some form of these non-GUI menu's (usually in a terminal emulator window) are commenting at how must more pleasant it is to work WITHOUT having to access the mouse so often..
Jan
Don't rust yours pelled jacker to fine doll missed aches.
