Restrict user from executing batch job

arpan_paik
Active Contributor
0 Kudos

Is it possible to restrict a user from executing batch jobs? I am looking for another option (if any) rather than SAP Security (S_SPO_ACT).

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Lots of confusion here...

Even if the job contains a foreign user ID in a jobstep then releasing it checks S_BTCH_JOB jobaction RELE. This is needed when the user releases jobs. All other actions can be performed for their own jobs only without needing any additional access for this object.

Important is what happens when they want to change the jobs owned by others, or copy them, etc. At this time the system then checks the authorizations for the user as if they had created the job themselves.

Foreign job steps --> S_BTCH_NAM

Foreign client --> S_BTCH_ADM

Foreign program --> S_RZL_ADM

Logical command --> S_LOG_COM

A classic trap is to have template jobs which should never be released, but users should be able to view the job, copy it and then release it as their own. This approach will cause no end of hassles and users immortalizing themselves in the system if you attempt to do it without any defined batch job administration responsibilities.

Cheers,

Julius

19 REPLIES

Former Member
0 Kudos

hi,

1. Remove tcode SM36 & SM37

2. S_BTCH_ADM / S_BTCH_JOB

Thanks,

Sri

Edited by: sri on Jul 29, 2010 11:57 PM

0 Kudos

Pardon my mistakes. I tried to mean executing batch job for other users

0 Kudos

Hi,

tried to mean executing batch job for other users?

Executing means = releasing the jobs - right?

The user needs the object S_BTCH_JOB with value RELE. This will allow them to release their scheduled background jobs automatically.

They would need S_BTCH_ADM in addition to the value above to Rele other users background jobs. So do not give them S_BTCH_ADM but only S_BTCH_JOB with RELE as the only other value necessary and they can perform all operations on their own background jobs including Releasing automatically.

S_BTCH_ADM: release other users' jobs. Control access to jobs in all clients of a system.

Thanks,

Sri

Edited by: sri on Jul 30, 2010 1:35 AM

Edited by: sri on Jul 30, 2010 1:37 AM

0 Kudos

Hi Sri,

Thanks for your response. However, for executing other users' batch jobs the object is S_SPO_ACT, not S_BTCH_JOB. This object is required to work with own jobs. I know how to restrict via security, but I want to know if there is any other way, by parameter or any other settings apart from security, to restrict a user from executing jobs for other users.

Reg,

Arpan

0 Kudos

Hi arpan,

However for executing other users batch job the object is S_SPO_ACT not S_BTCH_JOB?

Really, I thought S_SPO_ACT (SP01) is for access to spool and output requests of other users. Let's see what other experts say.

Thanks,

Sri

0 Kudos

I agree with Sri here, S_BTCH_ADM should be granted with appropriate access - Yes or No for the user to perform administrative functions on jobs (belonging to himself or others).

S_BTCH_JOB is the object which defines the user's access to his own batch job.

S_SPO_ACT - this object is for spool requests and, as far as I can see, has got nothing to do with the requirement you have posted.

Please read up the documentation in SAP on these three objects and I guess you would have a better picture.

Soumya

0 Kudos

Hi Arpan,

If your requirement is that only the users should be able to release their own jobs but not of others, then create a role with Authorization Object S_BTCH_JOB only with activities : LIST, PROT, RELE, SHOW. Do not assign Authorization Object S_BTCH_ADM with value Y as with this the user can execute background jobs of all clients of the system & for other users also. So just create a role with Authorization Object S_BTCH_JOB. It will work.

Authorization Object S_SPO_ACT is used to check when a user tries to access the spool request of another user. This object is not used for controlling batch jobs.

0 Kudos

Hi Sri,

You are right, S_SPO_ACT is for spool. I was looking into 2 things simultaneously. The object for other users is S_BTCH_NAM. This thread led to a lot of confusion. Anyway, all I want to know is whether there is any other way possible without maintaining the security roles.

Reg,

Arpan

0 Kudos

Arpan,

if there are any other way by parameter/any other settings apart from security to restrict user from executing batch job for other users?

I understand confusion happens. S_BTCH_NAM: can be used to schedule jobs under a different user ID. Never give * as this would allow the user to start batch under any user ID.

Back to your question:

Batch job restriction through parameters is not possible. But I don't know, someone might come up with an innovative idea. Let's wait.

Thanks,

Sri

Edited by: sri on Jul 30, 2010 4:51 AM

0 Kudos

>

> The object for other users is S_BTCH_NAM.

S_BTCH_NAM is used to enter himself as an authorized user when scheduling a job. If the value in this object is USER X and assigned to User Y, this USER X will be the authorized user for running the job in the background

Edited by: Siddhartha Varma on Jul 30, 2010 9:52 AM

0 Kudos

I suppose, if you have the value '' for the field BTCUNAME in the object S_BTCH_NAM it should work the way you want. The user would be able to execute his/her own jobs... Give it a try.

0 Kudos

Hi Shekhar,

I tried this once. S_BTCH_NAM is used to schedule jobs that will run under a different username who has authorizations to run it. For example: User A wants to schedule a job but he does not have authorization to run that job & the job needs to run under the specific user BACKGROUND. If the user A has authorization for S_BTCH_NAM with value BACKGROUND in field BTCUNAME then the job is scheduled under the user ID BACKGROUND in the job step. You may also see the help on the Authorization Object S_BTCH_NAM.

If the requirement is only that a user needs to release his own jobs, but not other users' jobs, then a role with Authorization Object S_BTCH_JOB is merely sufficient with activity RELE. S_BTCH_ADM should not come into the picture in this scenario.

Experts: Please correct me, if I am wrong

0 Kudos

> S_BTCH_JOB is mere sufficient with activity RELE. S_BTCH_ADM should not come into the picture in this scenario

This is correct, but S_BTCH_ADM will appear in the ST01 trace because each S_BTCH_JOB check is subsequently checked for the stronger S_BTCH_ADM to "override" the possibly missing authority.

This will only work for the case described if the user does not have jobaction SHOW. In this case they cannot release the jobs of other users because they cannot see them... --> this is the task of the Batch job Administrator.

Cheers,

Julius

0 Kudos

Thanks Julius for the additional info

0 Kudos

Hi Arpan,

Please make the following changes in the role(s). This will fulfill your requirement.

Change the field values for object S_BTCH_ADM (Field BTCADMIN). Value should be changed from Y/blank to 'N'. This just prevents from managing jobs across clients.

Change the field value for object S_BTCH_NAM (Field BTCUNAME) Value has to be changed from blank to SY-UNAME. This will prevent a user from assigning.

Please get back to me if you still need my assistance.

Thanks,

Venugopal

0 Kudos

I understand that S_BTCH_ADM with BTCADMIN=Y gives admin access but how about when BTCADMIN=*? Is this also batch admin access or no access?

0 Kudos

I think " * " is YES OR NO ( which means its an or operation ) = YES

0 Kudos

The AUTHORITY-CHECK is performance optimized.

It reaches "full authorization" (*) before it looks for 'X'.

It also looks in TOBJ_SAV, USOBX_C etc first...

It also reacts dependently on the results of checks.

Good coding validates the input and checks it against a permitted range for a domain. If your trace shows nonsense, then send it back to the development workbench.

Cheers,

Julius
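A review check for the object values discussed in this thread, added here as an example and not part of any poster's reply: it scans a role export and flags S_BTCH_ADM with BTCADMIN Y or * (both treated as batch administrator, as the replies above conclude) and S_BTCH_NAM with a wildcard or named BTCUNAME. The four-column export layout, the role names and the finding codes are assumptions made for the example.

```python
import csv
import io

# Constructed sample, not taken from a real system. The layout
# (role, object, field, value) is an assumed export format.
SAMPLE_EXPORT = """role,object,field,value
Z_JOB_SELF,S_BTCH_JOB,JOBACTION,RELE
Z_JOB_SELF,S_BTCH_JOB,JOBGROUP,*
Z_JOB_OPS,S_BTCH_JOB,JOBACTION,RELE
Z_JOB_OPS,S_BTCH_ADM,BTCADMIN,*
Z_JOB_SCHED,S_BTCH_NAM,BTCUNAME,*
Z_JOB_SVC,S_BTCH_NAM,BTCUNAME,BACKGROUND
Z_JOB_SVC,S_BTCH_ADM,BTCADMIN,N
"""


def audit_batch_authorizations(export_text):
    """Return {role: [finding codes]} for roles that reach beyond own jobs."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        obj, field, value = row["object"], row["field"], row["value"].strip()
        code = None
        if (obj, field) == ("S_BTCH_ADM", "BTCADMIN") and value in ("Y", "*"):
            # '*' is full authorization, so it satisfies a check for 'Y'.
            code = "BATCH_ADMIN"
        elif (obj, field) == ("S_BTCH_NAM", "BTCUNAME") and value:
            # A wildcard lets the holder put any user ID into a job step;
            # a named value is reported so the step user can be reviewed.
            code = "ANY_STEP_USER" if "*" in value else "STEP_USER:" + value
        if code:
            findings.setdefault(row["role"], set()).add(code)
    # S_BTCH_JOB alone (own jobs only) produces no finding.
    return {role: sorted(codes) for role, codes in findings.items()}


if __name__ == "__main__":
    for role, codes in sorted(audit_batch_authorizations(SAMPLE_EXPORT).items()):
        print(role, ", ".join(codes))
```
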
