What is the general practice for running Background jobs? Under the individual's user ID or one generic ID which has wide authorisations?
If it is run under the individual ID, then how is it handled when the person leaves the company?
What are the pro's and con's of running it under one generic ID?
Thank you
Jaynick
_________________
SAP Rules!!!
Answer:
We make sure that all background jobs are scheduled against a background user. This way we ensure that there is sufficient access to complete the job without having to give the individual users the same level of access. At the same time we can lock leavers and inactive users without being concerned of jobs falling over
To do this, you need to make sure that only a limited number of people can schedule batchjobs against the background ID. If not, you risk people obtaining access they should not have.
You can also ensure that the jobs won't have a negative performance impact on the system, as they will be scheduled with the right parameters.
Hope it helps
Answer:
If you currently allow users to create background jobs, checking for jobs scheduled for a particular ID should be a standard part of user decomissioning.
Answer:
Thanks Henrik! Any other input from SAP fans as to what the general practice out in the world is?
Jaynick
Answer:
I have a question about this also. I understood that a Basis admin could schedule background jobs to run under the userid of a system user, so that the system user (non dialog) could be granted broad authorizations, and not the dialog user, and also no maintenance is required if basis admin leaves the company.
I know that there are a few things that will require that the basis admin who schedules the background job to run under the auths of the system user id, also have the authorizations in his/her role also, or they will not be allowed to schedule it to run under the system id, even if the system id has the auths. Which is an understandable security measure. But these are only for a few things like os command and program execution considered critical, and not like broad business applications which the admin would not have in his admin role, and yet there is no problem scheduling jobs under the system id which does process business application jobs.
I have been told by some that they needed to create a generic dialog user like "JOBSCHEDULER" and use it to schedule jobs. I don't understand why they need to do this. Can anyone tell me why there would be a technical problem if they simply used their own id to schedule these jobs to run under the authorizations of the system id set up for this purpose?
_________________
Gary Morris
SAP Security Analyst/Developer
garymorris@sapsecurity.net
Answer:
Hi Gary,
Do you mean that the job admin is a generic account? That makes the connection between the dialog user ID and the name of the background user in which the job step is running even more obscure...
The belief that SOD conflicts between dialog users with S_BTCH_NAM = 'BATCHUSER' and the authorizations of 'BATCHUSER' itself is bad enough!
If you mean the job steps running in the name of the generic account as a dialog user, I have observed some OSS notes on a related topic which you can find with a search on 'call transaction' (I was looking for something else). Some programs may call a transaction screen which is not a parameter transaction and requires dialog interaction - at least that is what I understood the notes to be describing.
If I find an example again, I will post it.
Noddy
Answer:
There are two types of background jobs:
1. Repetative Production scheduled jobs to support a business process.
2. Adhoc reporting in background to keep the dialog processes free for "real" work. ( transaction processing)
The repetative Production jobs should be formalized with a standard naming convention for the job name and scheduled by the Batch administrator at the appropriate time, generally on a basis person's id not a generic one as there is no accountability on a geeric ID. The batch admin will need sufficient access to create the job, not run the report if internal authorization is needed to run the report (generally S_BATCH_NAM and S_PROGRAM, plus the S_BTCH_ADM access is sufficient. This allows scheduling the jobs in ANY class to limit their run to a specific batch processes controled by basis), and the STEPS should be run under an ID setup as a batch ID for the specific module ( not a user and not the batch admin person), like BATCH_FIAR , BATCH_HR, BATCH_MM, BATCH_SEC, etc. the batch Ids (setting in SU01) should have broad functional module access, not all access.
Adhoc reporting SHOULD be encouraged to keep the dialog processes free to enter the data into the system that SAP was purchased for, entering sales orders, getting money, and paying bills, ALL more important tha a poorly defined batch job report.
The user should have access to schedule jobs but NOT S_BTCH_ADM, this then forces all the job into class C which allows basis to manage when and where batch jobs are run. Since the user is running a report in backgroung that they could run in foreground, the report SHOULD be part of their role and the report tied to the role menu and the access in the report granted. The job is then scheduled on the user' s ID and run under the user's ID.
Answer:
Thanks John, That is exactly what I have told others, but for some reason I did not understand, they were saying they had some kind of technical problem when using system admin IDs, instead of this generic one. I will try and narrow done exactly what it was. They understand that the job will not fail if the admin leaves if it is scheduled under a batch-id but they still want to use a generic dialog user to schedule all of the jobs under one batch id.
Will they encounter a technical problem if they schedule too many jobs under the same user? Will there ever be any difference in the performance of the background processing with the same user such as maybe some kind of wait time when the same system id is logging in for multiple jobs, whereas if the user ids were different it would not have waited? Or rfc trace files getting wierd error messages because the background user is trying to authenticate when it is not necessary such as wrong classification of the user id causes the kernel to handle the login in a way that it would not if the classification of the user type trying to connect was set to cpic instead of system etc..
Subscribe to:
Post Comments (Atom)
Content
-
▼
2009
(154)
-
▼
March
(128)
- background job failed because of authorization
- Background Jobs
- background jobs via background users
- Background Processing VS Batch processing
- Deleting a scheduled Background job in SAP
- Schedule Manager
- how you can assign a Background work process as a ...
- How To Delete a Scheduled Job in sap
- Checking your program Background Job Status
- Availability Check on Quotation
- SD material Determination based on availability check
- Creating Multiple Materials in Material Determination
- Backward and Forward Scheduling
- SAP Authorization Concept
- SAP’s TCODE checks with the authorization tool
- Listing TCODE transactions used to view what users...
- Authorization Check
- SAP BASIS (BC) Authorization Concepts
- Unlocking a blocked admin user ID in an Oracle DB
- How to Check Missing Authorisation for User
- SAP Profile Generator tables
- Query About Tcode PFCG
- How To Compare The Roles
- Creating New User With Authorizations
- Introduction on Authorizations
- Troubleshooting authorization in SAP R/3
- Shortcut to create role with many reports /tcode
- check which authorisation objects are checked with...
- What are the Authorizations Required
- How do I go about creating an authorization group
- Frequently Asked Questions on Authorization
- What is an Authorisation Object?
- Create authorization object
- Creating an auth group and assigning a table
- creating authorization levels
- Creating Authorization profile
- creating custamizing autharization objects
- Creating new authorization object
- Creating New Organizational Levels
- S_TABU_LIN
- S_TABU_LIN set up as organizational level
- S_TCODE
- S_TCODE check after upgrade to 4.7
- s_tcode display only problem
- S_TCODE is not in change mode
- S_TCODE Lookup
- S_TCODE with * Value
- S_TRANSPRT versus S_CTS_ADMI
- S_USER_ALL
- SAP Auditor role/authorization
- SU53 Authorization Check
- Authorizations in sap
- System Administration: Authorization Concepts
- Authorization Checks
- Authorization Check
- What is authorization
- auth/new_buffering
- Auditing Information System AIS
- Interview Questions
- Audit
- Audit and/or Authorization maintenance tools
- Deletion of Vendor Consignment Records
- Archive DEFINITION
- Applying Hot Packages Using OSS Material free down...
- Audit Information System
- Emergency Role Firefighting
- The Alert Monitor CCMS
- Technical Basics: Data Supplier in CCMS
- Changing Properties and Method Assignments
- Alerts CCMS
- Monitoring Objects and Attributes CCMS
- MTE Classes and Attribute Groups ccms
- Methods CCMS
- Operating the Alert Monitor CCMS
- Tutorial for the Alert Monitor CCMS
- Start and Change Monitors CCMS
- Actions in the Alert Monitoring Tree CCMS
- Selecting Nodes in the Alert Monitoring Tree CCMS
- Elements of the Alert Monitor CCMS
- Monitor Sets CCMS
- Monitors CCMS
- Alert Monitoring Tree CCMS
- Elements of the Alert Monitoring Tree
- Properties of Monitoring Objects and Attributes
- General Properties of Monitoring Tree Elements CCMS
- Properties of Log Attributes CCMS
- Properties of Performance Attributes CCMS
- Properties of Status Attributes CCMS
- Display Types and Views of the Alert Monitor CCMS
- Displaying the Technical View: Info on MTE
- Displaying the Technical View: Method Allocation
- Displaying the Technical View: Status Data Collector
- Displaying the Technical View: Status Autoreaction...
- Displaying the Technical View: Threshold Values CCMS
- Displaying the Technical View: Central Performance...
- Processing Alerts CCMS
- Starting Methods CCMS
- Completing Alerts CCMS
- Automatically Complete Alerts CCMS
- Display Completed Alerts CCMS
-
▼
March
(128)
0 comments:
Post a Comment