12-12-2008 11:45 AM
We have a requirement wherein certain jobs (cheque printing) have to be printed and spool deleted immediately.
for this some users have been given and S_BTCH_ADM=Y (jobs get class A) and S_BTCH_JOB = DELE,RELE,SHOW,PROT.
We need to restrict S_BTCH_ADM to Basis team for compliance purpose. Any suggestions for the same?
can we use S_BTCH_NAM (value = one generic id having s_btch_adm, instead of all users in the group). or some other way to get this done.
Also, SM37 is given to all users, is this ok?
Please Help.
12-12-2008 12:11 PM
> We need to restrict S_BTCH_ADM to Basis team for compliance purpose. Any suggestions for the same?
Without doubt this authorization should remain with the administrators
All users can schedule, cancel, delete, and check the status of their own jobs with no additional special authorizations.
>can we use S_BTCH_NAM (value = one generic id having s_btch_adm, instead of all users in the group). or some other way to get this done.
It is recommended that you define specific users for background processing. Define them as system users (non-dialog)(no pwd reset required). The user IDs created should have only the authorizations required for the background jobs they need to run.
>SM37 is given to all users, is this ok?
Users can have access to transaction SM37 to monitor jobs, provided security is set up correctly. I.e. the users should be able to se their own jobs only and not others. So, no access to S_BTCH_ADM or
S_BTCH_NAM.
12-12-2008 1:51 PM
S_BTCH_ADM = N
We had a problem like this in my company.
With the Value N the user can only work with their own jobs with the combination of activities from S_BTCH_JOB.
12-12-2008 5:33 PM
>
> We have a requirement wherein certain jobs (cheque printing) have to be printed and spool deleted immediately.
Adding to Iyer's suggestion of creating a System user for this task, to have the spool deleted and printed immediately, in SU01 -> Default Tab -> Check both " Output Immediately" and " Delete After output". Then i guess your this "system" user doesn't need batch administration authorizations.
Cheers !!
Zaheer
12-12-2008 6:18 PM
>
> We have a requirement wherein certain jobs (cheque printing) have to be printed and spool deleted immediately.
>
> for this some users have been given and S_BTCH_ADM=Y (jobs get class A) and S_BTCH_JOB = DELE,RELE,SHOW,PROT.
>
> We need to restrict S_BTCH_ADM to Basis team for compliance purpose. Any suggestions for the same?
> can we use S_BTCH_NAM (value = one generic id having s_btch_adm, instead of all users in the group). or some other way to get this done.
>
>
> Also, SM37 is given to all users, is this ok?
>
> Please Help.
I like to add the following (different approach to resolve your issue):
This is what we are doing based on our business requirements. We are authorizing SM37 for a few administrators & support people but they could only view reports on their respective areas. Our main restriction is more on the report, so if a check run or sensitive reports are spooled they can only be viewed by authorized people. We are using S_SPO_ACT (SPOAUTH), it actually works pretty good. Let me know if you need more details on this auth object.
Good Luck.
Edited by: John Navarro on Dec 12, 2008 7:20 PM