06-22-2015 12:18 PM
Hi,
Does anyone know if there's a way to restrict a user from deleting jobs? In the test role, DELE is not used in S_BTCH_JOB / JOBACTION, but the user can still delete jobs. The purpose of the role is to allow the user to create, change and delete their own jobs, but they shouldn't be able to delete any other jobs.
Thanks and best regards
Pär
06-23-2015 10:49 AM
Hello Par,
If you just want the user to be able to delete his/her own jobs and not others, then it's perfectly possible with the below settings.
I tested it and it works fine. Let me know if this is not what you are looking for.
Thanks,
Kalpana.
Hi Przemyslaw,
It's there, but inactive. If I use that one, the role will be unique for the user ID I maintain there, right?
Br
Pär
06-23-2015 11:29 AM
From a security point of view, S_BTCH_NAM shouldn't have the * value.
In this case the user can execute a job as DDIC, SAP* or another highly privileged user.
06-23-2015 12:26 PM
I am not very good at scheduling batch jobs, especially with ABAP variants in the job steps. Can you help me understand how a user can execute the jobs as DDIC or SAP* in this case? I mean the user only has SM36 access, and when the user goes to job selection and tries to release any jobs or repeat-schedule the jobs under another user, it says that you can only copy/schedule your own jobs.
I tried creating the job by giving another user name in the job steps, but the job was created under my ID (the ID that I logged on with).
06-23-2015 12:46 PM
Hi Kalpana
Within SM36, when you define the job step there is a field for the user it's executed under. The same applies in SM37 when you go to the steps for the job. You can edit and switch the user to someone else.
S_BTCH_NAM must be restricted (in most cases not assigned), and any accounts granted in this permission should be limited to the intended purpose of the user. That is, don't create a BATCH_USER with SAP_ALL unless you have centralised all batch processing to manage the risk of the access. If not, you have a risk whereby a user could schedule a job to run under the permissions of a system user for access they would not usually have.
S_BTCH_ADM is not needed either (and there are more values than just Y now).
If you read the documentation on these objects you will get information to assist. Don't trust the system traces, as failed checks are okay for some of these scenarios.
Regards
Colleen
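The checks Colleen describes (no wildcard in S_BTCH_NAM, no S_BTCH_ADM for plain job owners) can be applied to an exported role, for example a download of the role's authorization values. The script below is an added illustration, not code from this thread; the role names and values are constructed, while the field names BTCUNAME, BTCADMIN and JOBACTION are the real fields of these objects.

```python
# Constructed audit example: scan exported role authorization values for the
# batch-job settings discussed in this thread and report the risky ones.
from dataclasses import dataclass

PRIVILEGED_USERS = ("DDIC", "SAP*")  # accounts named in the thread


@dataclass(frozen=True)
class AuthValue:
    role: str
    obj: str    # authorization object, e.g. S_BTCH_NAM
    field: str  # authorization field, e.g. BTCUNAME
    low: str    # field value; ranges (HIGH) are ignored here


def matches(pattern: str, name: str) -> bool:
    """SAP-style value matching: '*' matches all, a trailing '*' is a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def audit_batch_auths(values: list) -> list:
    """Return (role, finding) pairs for risky batch-job authorizations."""
    findings = []
    for v in values:
        if v.obj == "S_BTCH_NAM" and v.field == "BTCUNAME":
            hits = [u for u in PRIVILEGED_USERS if matches(v.low, u)]
            if v.low == "*":
                findings.append((v.role, "S_BTCH_NAM BTCUNAME=* : job steps can run as any user"))
            elif hits:
                findings.append((v.role, f"S_BTCH_NAM BTCUNAME={v.low} covers {', '.join(hits)}"))
        elif v.obj == "S_BTCH_ADM" and v.field == "BTCADMIN" and v.low not in ("", "N"):
            findings.append((v.role, f"S_BTCH_ADM BTCADMIN={v.low} : not needed to manage own jobs"))
        elif v.obj == "S_BTCH_JOB" and v.field == "JOBACTION" and matches(v.low, "DELE"):
            findings.append((v.role, f"S_BTCH_JOB JOBACTION={v.low} : can delete other users' jobs"))
    return findings


SAMPLE_ROLE = [  # constructed export of two test roles
    AuthValue("Z_TEST", "S_BTCH_JOB", "JOBACTION", "RELE"),
    AuthValue("Z_TEST", "S_BTCH_JOB", "JOBGROUP", "*"),
    AuthValue("Z_TEST", "S_BTCH_NAM", "BTCUNAME", "*"),
    AuthValue("Z_TEST", "S_BTCH_ADM", "BTCADMIN", "Y"),
    AuthValue("Z_OK", "S_BTCH_JOB", "JOBACTION", "RELE"),
    AuthValue("Z_OK", "S_BTCH_NAM", "BTCUNAME", "BATCH_*"),
]

if __name__ == "__main__":
    for role, text in audit_batch_auths(SAMPLE_ROLE):
        print(role, "-", text)
```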
06-24-2015 12:28 AM
Thanks Colleen,
So for this particular case, inactivating both the objects S_BTCH_NAM and S_BTCH_ADM will serve the purpose of allowing users to only create/change or delete their own jobs, but we still have the risk that it allows the users to execute the programs that are not classified under any auth group.
06-29-2015 12:47 PM
Hi Kalpana
Step 1: Logon to one of your systems
Step 2: Go to transaction SU21
Step 3: Search for object S_BTCH_JOB
Step 4: Display object documentation
Have a look at what the documentation says... in particular the section under "A user WITHOUT ANY specific authorization for jobs may perform the following actions:"
Part of this is - what is the risk in a user deleting their own job? Non-periodic jobs usually have an automatic cleanup after a few days by the system admin.
For all those trying to figure this out, try creating a role and user with transactions SMX or SM37 and none of the S_BTCH* objects. Test and see what the user can and cannot do. Then try to do some searching and reading of the documentation.
Regards
Colleen