Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

S_BTCH_ADM and SM37 Issue

Former Member

‎12-12-2008 11:45 AM

0 Kudos

We have a requirement wherein certain jobs (cheque printing) have to be printed and spool deleted immediately.

for this some users have been given and S_BTCH_ADM=Y (jobs get class A) and S_BTCH_JOB = DELE,RELE,SHOW,PROT.

We need to restrict S_BTCH_ADM to Basis team for compliance purpose. Any suggestions for the same?

can we use S_BTCH_NAM (value = one generic id having s_btch_adm, instead of all users in the group). or some other way to get this done.

Also, SM37 is given to all users, is this ok?

Please Help.

4 REPLIES 4

Former Member

‎12-12-2008 12:11 PM

0 Kudos

> We need to restrict S_BTCH_ADM to Basis team for compliance purpose. Any suggestions for the same?

Without doubt this authorization should remain with the administrators

All users can schedule, cancel, delete, and check the status of their own jobs with no additional special authorizations.

>can we use S_BTCH_NAM (value = one generic id having s_btch_adm, instead of all users in the group). or some other way to get this done.

It is recommended that you define specific users for background processing. Define them as system users (non-dialog)(no pwd reset required). The user IDs created should have only the authorizations required for the background jobs they need to run.

>SM37 is given to all users, is this ok?

Users can have access to transaction SM37 to monitor jobs, provided security is set up correctly. I.e. the users should be able to se their own jobs only and not others. So, no access to S_BTCH_ADM or

S_BTCH_NAM.

Former Member

‎12-12-2008 1:51 PM

0 Kudos

S_BTCH_ADM = N

We had a problem like this in my company.

With the Value N the user can only work with their own jobs with the combination of activities from S_BTCH_JOB.

Former Member

‎12-12-2008 5:33 PM

0 Kudos

> 

> We have a requirement wherein certain jobs (cheque printing) have to be printed and spool deleted immediately.

Adding to Iyer's suggestion of creating a System user for this task, to have the spool deleted and printed immediately, in SU01 -> Default Tab -> Check both " Output Immediately" and " Delete After output". Then i guess your this "system" user doesn't need batch administration authorizations.

Cheers !!

Zaheer

Former Member

‎12-12-2008 6:18 PM

0 Kudos

> 

> We have a requirement wherein certain jobs (cheque printing) have to be printed and spool deleted immediately. 
> 
> for this some users have been given and  S_BTCH_ADM=Y (jobs get class A) and S_BTCH_JOB = DELE,RELE,SHOW,PROT.
> 
> We need to restrict S_BTCH_ADM to Basis team for compliance purpose. Any suggestions for the same?
> can we use S_BTCH_NAM (value = one generic id having s_btch_adm, instead of all users in the group). or some other way to get this done.
> 
> 
> Also, SM37 is given to all users, is this ok?
> 
> Please Help.

I like to add the following (different approach to resolve your issue):

This is what we are doing based on our business requirements. We are authorizing SM37 for a few administrators & support people but they could only view reports on their respective areas. Our main restriction is more on the report, so if a check run or sensitive reports are spooled they can only be viewed by authorized people. We are using S_SPO_ACT (SPOAUTH), it actually works pretty good. Let me know if you need more details on this auth object.

Good Luck.

Edited by: John Navarro on Dec 12, 2008 7:20 PM