Thanks. I have looked at all that and found nothing. I did a search for notes as well but saw nothing that addressed this particular request. We were trying to avoid a customization from SAP. I would be interested to know if you find anything

Hi there,

If I do, then I will share it here.

Cheers,

Julius

PS: Unfortunately I killed my lab system earlier (one of those: "What happens if I click here when logged on with SAP_ALL?" things, which could happen to anybody who clicks around too much with too much access) and in our other systems I cannot debug the screen to look for options - so it will not be before Friday by the looks of it.

Okay, I found something which might be a starting point, but from what I can tell it does more than what you want to the start condition screen and will prevent the release of the job as well. I can however not test it.

Check SAP note 568963.

Idea: Perhaps if you activated the wizard and then only modified the wizard check result after it has changed the screen, then this would be less intrusive on the system, if you are considering a modification anyway.

If you anyway don't let users release their own jobs (S_BTCH_JOB) unless they are the dedicated batch admins (S_BTCH_ADM) then it might work "as is". But that is a tough one and very unlikely if you have many users or a BW.

Cheers,

Julius

> Check SAP note 568963.

>

> Idea: Perhaps if you activated the wizard and then only modified the wizard check result after it has changed the screen, then this would be less intrusive on the system, if you are considering a modification anyway.

I tried this out in combinations with various authorities for S_BTCH_JOB, but could not get it to work

I would recommend opening a customer message via service.sap.com (perhaps we are just not aware of the solution?), failing which consider a development suggestion. I might be able to help you there.

Cheers,

Julius

Any more updates on restriction to SM37? I'm very interested on the solution. Just giving it a bump and hopefully somebody had done a successful restriction of SM37 for job names or background user names.

The user name you can control via S_BTCH_NAM if they have the correct access, but I have not heard anything further about S_BTCH_JOB.

There are a number of threads revolving around this and related topics already (though some are misunderstandings IMHO) so perhaps we should suggest it SAP.

Formally, the route is SAP Note # 11 but I have mixed experiences with that, particularly when it gets a bit technical. But a change such as this might be intrusive on some other customers... so we should have our reasons and support for it backed up.

In the meantime, a check on scheduled (periodic) jobs before retiring user ID's is recommendable... as well as using tcode SMX instead of SM37 to observe their jobs.

@ others: Any more support for this? (please read it carefully!)

Cheers,

Julius

Other than the wizard for SM36 (which I could not get to work) I am not aware of a development.

I have added it to the [Security Wishlist Wiki|https://www.sdn.sap.com/irj/scn/wiki?path=/display/security/securityFunctionalityWishlist-Topics] which we created to track usefull ideas which come from discussions in the forum.

Cheers,

Julius

> maheshwer wrote:

> Hello,

>

> try t-code smxx

Won't work. The start conditions can be selected already at the "execute in background" stage. That is all over the place.

SMX (and SMXX) are very usefull for restricting users to displaying their own jobs though.

Cheers,

Julius

Please read the question and subsequent discussion again carefully...

Dear Julius,

Somehow I have missed the entire discussion that has happened and thought that i am the person to open the discussion. Later, after posting I have noticed it.

Anyways sorry for the confusion.

Regards,

No problem. I just wanted to point out the importance of reading the question carefully.

@ Lodewijk:

> Do you have any information if this list is actually read an acted upon by SAP Developers?

I know that SDN discussions have resulted in corrections and new features in the past. One is being processed at the moment as well, see

I dont think there is an obligation to act as these are not bug reports... but Kristian Lehment (from SAP Security Product Management) liked the wiki idea and commented that we should add more information so that developers can respond via the wiki with suggested solutions or ask for more insights. So it will take some time.

Generally with these functionality wishes, one needs to be patient. The main reasons are that they will typically be developed for new releases (some might even require a major release change to be implemented without disturbing backward compatibility with existing functionality which is also in the new release). To "backport" them to existing releases is also a tricky topic as the existing functionality is already being used "in the wild" and might also be included in existing BTC programs of customers.

I have watches set on the wikis, so will update the appropriate threads when SAP comments on them. My understanding is that SAP is thankfull to be able to tap into the "idea pool" of the SDN discussions so I think they will.

Also see SAP note # 11 - although I personally have not had much success via that route.

Cheers,

Julius

Edited by: Julius Bussche on May 1, 2009 10:05 PM

Please read the question again, more carefully and including the subsequent discusssion...

Cheers,

Julius

Hello,

we've got the same problem - we want to restrict users to execute only immediate jobs. Execution of periodic jobs or jobs in future. I described a few seconds ago in

Are there any news on this problem?

Regards,

Julia

None which I am aware of. Others are progressing (also in development stages) but this one has not attracted any comments yet. Feel free to add a comment to the wiki...

Anyway, most companies solve this using a procedure to check jobs before they retire a user ID, if that is the risk you are refering to.

Via transaction SMX (functionally it is display only) you can also prevent the user from making a change to the job..... if that is the risk you are refering to.

Have you tried the solution which I mentioned in the OSS note above?

Cheers,

Julius

Hello,

I did following example in SAP:

I created a role with just one authorization objekt: S_TCODE TCD=RSPFPAR.

With my testuser I executed this transaction. In field profile parameter I inserted auth/* and sent the transaction via program - Execution in background as a job in the background.

First the role needs authorization for S_SPO_DEV too - that's ok.

Then I checked: the job is in status "planned" in SM37.

Ok, User needs authorization object S_BTCH_JOB JOBGROUP=*;JOBACTION=RELE; too, so the job is released immediately. No other authorization objects are needed to execute a transaction in background.

Unfortunately the user can - while sending transaction into background - choose between options "immediate", "Date/Time", "After job", "After event", "at operation mode".

The note 568963, which is mentioned in this thread, concerns another problem: users without administration rights for background processing cannot specify a start condition. My testuser hasn't got administration rights and he can specify a start condition, when sending a process in the background with the described way.

So the problem is not the SM36, but the function that a lot of transaction bring with themselves.

Apart from that: I gave my testuser the transaction SM36 too without additional authorization objects and he can choose different start conditions too - without this btcoptions option. The users don't use the wizard.

Our problem is not, that there are aborted jobs, if an user leaves company. The problem isn't that users change jobs.

The problem is, that users can create jobs with start option in future or periodically. For jobmanagement there is a central job scheduling management system, which controls jobs. Of course a user should be able to send a transaction in background, which needs a lot of performance in dialog process. But he should only have option to release this job immediate.

Regards,

Julia

Edited by: Julia Bayrhammer on Dec 10, 2009 2:31 PM

To my knowledge no. But what is the risk if not immortalizing themselves in future jobs (you can check that as already described...) or intercepting the job to change it (use SMX)?

I can understand that your central batch admin team don't want to have to Release all enduser's jobs all the time. As a workaround you could schedule a periodic job for type C jobs to do it for them? Just a thought.

Cheers,

Julius

Julia

Have you found any solutions yet? We are in the same situation that you are in. We have a cental scheduling tool. We would like all periodic requests to run thru this tool. Yet we have users that will schedule an event to run hourly, daily etc. Even when we go delete the scheduled / released event in SM37- the user just creates it again. The only thing I can think of at this point is to develop custom code to go a delete items that are scheduled in the table TBTCS with one of the periodic fields containing an 'X'. We would have to run this program maybe every 15 mins or so to delete any new things that came into the schedule. Your input would be appreicated

Randee

Hello Randee,

we don't have a solution yet. I'm in contact with SAP. Perhaps there will be a possibility to integrate this job monitoring with the central job monitoring software. This could be a solution for especially this combination, but I'm still looking forward to a possiblity to solve this with authorization objects.

I will update and give feedback if we implemented a solution.

Regards,

Julia