SM36 - restrict user to only delete their own jobs

Former Member
0 Kudos

Hi,

Anyone know if there’s a way to restrict user to not delete jobs? In test role, DELE is not used in S_BTCH_JOB / JOBACTION, but user can still delete jobs. The purpose with role is to allow user to create, change and delete own jobs, but they shouldn’t be able to delete any other jobs.

Thanks and best regards

Pär

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello Par,

If you just want the user to be able to delete his/her own jobs and not others, then it's perfectly possible with the below settings.

I tested it and it works fine. Let me know if this is not what you are looking for.

Thanks,

Kalpana.

10 REPLIES 10

Former Member
0 Kudos

Private_Member_69416
Active Participant
0 Kudos

Hi

Don't you have S_BTCH_ADM in this role too?

Regards

Przemek

0 Kudos

Hi Przemyslaw,

It's there, but inactive. If I use that one, the role will be unique for the user ID I maintain there, right?


Br

Pär

0 Kudos

You think about s_btch_nam?

0 Kudos

From a security point of view, s_btch_nam shouldn't have * value.

In this case the user can execute a job as DDIC, SAP* or another highly privileged user.

0 Kudos

I am not very good at scheduling the batch jobs, especially with ABAP variants in the job steps. Can you help me understand how a user can execute the jobs as DDIC or SAP* in this case? I mean the user only has SM36 access, and when the user goes to Job selection and tries to release any jobs or repeat scheduling the jobs under another user, it says that you can only copy/schedule your own jobs.

I tried creating the job by giving another user name during the job steps, but the job was created under my ID (the ID that I logged on with).

0 Kudos

Hi Kalpana

Within SM36, when you define the job step there is a field for the User which it's executed under. The same applies under SM37 when you go to the steps for the job. You can edit and switch user to someone else.

S_BTCH_NAM must be restricted (in most cases not assigned) and any accounts granted in this permission should be limited to the intended purpose of the user. That is, don't create a BATCH_USER with SAP_ALL unless you have centralised all batch processing to manage the risk of the access. If not, you have a risk whereby a user could schedule to run a job under the permissions of a system user for access they would not usually have.

S_BTCH_ADM is not needed either (and there are more values than just Y now).

If you read the documentation on these objects you will get information to assist. Don't trust the system traces as failed checks are okay for some of these scenarios.

Regards

Colleen
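A review check for the risk described in the post above, as an added example that is not part of the thread: it scans a role export for active S_BTCH_NAM values that cover DDIC or SAP*, any active S_BTCH_ADM value, and JOBACTION DELE in S_BTCH_JOB. The CSV column names, role names and sample rows are constructed assumptions; map them to whatever your own role export provides.

```python
import csv
import io

# Constructed sample export of role authorization values (not real data).
# Column names are hypothetical; map them to your own role export.
SAMPLE = """role,object,field,low,high,inactive
Z_JOB_TEST,S_BTCH_JOB,JOBACTION,RELE,,
Z_JOB_TEST,S_BTCH_JOB,JOBGROUP,*,,
Z_JOB_TEST,S_BTCH_NAM,BTCUNAME,*,,
Z_JOB_TEST,S_BTCH_ADM,BTCADMIN,Y,,X
Z_JOB_OPS,S_BTCH_NAM,BTCUNAME,BATCH_A,BATCH_Z,
Z_JOB_OPS,S_BTCH_JOB,JOBACTION,DELE,,
Z_JOB_OPS,S_BTCH_ADM,BTCADMIN,Y,,
"""

PRIVILEGED_USERS = ("DDIC", "SAP*")  # the accounts named in the thread


def covers(low, high, value):
    """True if an authorization value (single, pattern or range) includes value."""
    if high:                      # range low..high
        return low <= value <= high
    if low.endswith("*"):         # '*' or a prefix pattern such as 'BATCH*'
        return value.startswith(low[:-1])
    return low == value


def audit(export_text):
    """Return (role, object, reason) tuples for the settings the thread warns about."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["inactive"]:       # inactive authorizations grant nothing
            continue
        role, obj, field, low, high = (row[k] for k in ("role", "object", "field", "low", "high"))
        if obj == "S_BTCH_NAM" and field == "BTCUNAME":
            hit = [u for u in PRIVILEGED_USERS if covers(low, high, u)]
            if hit:
                findings.append((role, obj, "step user may be " + ", ".join(hit)))
        elif obj == "S_BTCH_ADM" and field == "BTCADMIN":
            findings.append((role, obj, f"batch administration value {low!r} is active"))
        elif obj == "S_BTCH_JOB" and field == "JOBACTION" and covers(low, high, "DELE"):
            findings.append((role, obj, "JOBACTION DELE is granted"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```
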

0 Kudos

Thanks Colleen,

So for this particular case, inactivating both the objects S_BTCH_NAM and S_BTCH_ADM will serve the purpose of allowing users to only create/change or delete their own jobs, but we still have the risk that it allows the users to execute the programs that are not classified under any auth group.

0 Kudos

Hi Kalpana

Step 1: Log on to one of your systems

Step 2: Go to transaction SU21

Step 3: Search for object S_BTCH_JOB

Step 4: Display object documentation

Have a look at what the documentation says... in particular the section under "A user WITHOUT ANY specific authorization for jobs may perform the following actions:"

Part of this is - what is the risk in user deleting their own job? Non-periodic jobs usually have an automatic cleanup after a few days by the system admin?

For all those trying to figure this out, try creating a role and user with transactions SMX or SM37 and none of the S_BTCH* objects. Test and see what the user can and cannot do. Then try to do some searching and reading of the documentation.

Regards

Colleen