Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Best practice - Manage background job users

Former Member

‎02-11-2010 1:25 AM

0 Kudos

Gate Keepers and Key Masters,

What is the best way to manage users who run background jobs?

For example currently we have a special system user with SAP_ALL that is only used to schedule jobs with. and we manage who has authorization to schedule jobs.

We are told that this is not the best way to go about it and that we have to remove SAP_ALL from that user. I don't see a very good way to eliminate SAP_ALL profile, short of analyzing every single batch job that is already scheduled, and creating or assigning existing roles for each job or step. Even that doesn't guarantee that authorizations given to my batch user would be enough to run any jobs that may be scheduled in the future.

Can you give me any pointers on how to address this problem.

Thanks

Matt

3 REPLIES 3

Former Member

‎02-11-2010 3:32 AM

0 Kudos

Hi Matt,

You can control the access of user's working on background jobs by putting control on objects such as S_BTCH_JOB, S_BTCH_NAM, S_BTCH_ADM.

Search with these objects in the same forum to pull out the details, also you can refer to the help.sap link :

http://help.sap.com/saphelp_nw04/helpdata/EN/86/f7f3393bef4604e10000000a11402f/frameset.htm

Let us know if you need any more information on this.

Private_Member_119218
Active Participant

‎02-11-2010 6:43 AM

0 Kudos

(1) Manage access to the batch user via authorization object S_BTCH_NAM. Set value of BTCUNAME to batch user's username. Only users that have authorizations for this object with the appropriate value will be able to schedule jobs with the batch user.

(2) Eventually create several application area-specific batch users who are not all-powerful, and assign your regular users authorizations for those. This will appease your auditors. This will take some work, but that's what you're being paid for.

Logically, users should not be able to schedule anything in the background that they would not have sufficient authorizations to execute in dialog mode. Only exception I can think of is that you do not want your background jobs to start failing when the user who they are scheduled with is removed from the system for any reason. That would be a Bad Thing.

Enjoy!

andrea_brusarestelletti
Active Contributor

‎02-11-2010 11:58 AM

0 Kudos

Hello,

as a matter of fact the cleanest way is giving to the backgroud job's user only the authorizations to perform programs and steps he have to.

Usually auditors allows keeping SAP_ALL for system users.

However, a work-aroud could be the creation of a special role, containing authorization to do "almost everything". You should run transaction PFCG, enter the name of the role, save, then go straightly to the tab "Authorizations" and press the button "Change authorization data". In the pop-up screen "Choose template" choose "Do not select templates"; then follow the scroll-down menu path "Edit --> Insert authorization(s) --> Full authorization". Then go to the push-button "Organizational levels" and press the push-button "Full authorization". If you want you can refine this role, removing some critical authorization object such as, for instance, S_USER_*, or others like that. Then you can assign this role to the background user.

Hope to be useful.

Best regards,

Andrea