What is the general practice for running Background jobs? Under the individual's user ID or one generic ID which has wide authorisations?
If it is run under the individual ID, then how is it handled when the person leaves the company?
What are the pro's and con's of running it under one generic ID?
Thank you
Jaynick
_________________
SAP Rules!!!
Answer:
We make sure that all background jobs are scheduled against a background user. This way we ensure that there is sufficient access to complete the job without having to give the individual users the same level of access. At the same time we can lock leavers and inactive users without being concerned of jobs falling over
To do this, you need to make sure that only a limited number of people can schedule batchjobs against the background ID. If not, you risk people obtaining access they should not have.
You can also ensure that the jobs won't have a negative performance impact on the system, as they will be scheduled with the right parameters.
Hope it helps
Answer:
If you currently allow users to create background jobs, checking for jobs scheduled for a particular ID should be a standard part of user decomissioning.
Answer:
Thanks Henrik! Any other input from SAP fans as to what the general practice out in the world is?
Jaynick
Answer:
I have a question about this also. I understood that a Basis admin could schedule background jobs to run under the userid of a system user, so that the system user (non dialog) could be granted broad authorizations, and not the dialog user, and also no maintenance is required if basis admin leaves the company.
I know that there are a few things that will require that the basis admin who schedules the background job to run under the auths of the system user id, also have the authorizations in his/her role also, or they will not be allowed to schedule it to run under the system id, even if the system id has the auths. Which is an understandable security measure. But these are only for a few things like os command and program execution considered critical, and not like broad business applications which the admin would not have in his admin role, and yet there is no problem scheduling jobs under the system id which does process business application jobs.
I have been told by some that they needed to create a generic dialog user like "JOBSCHEDULER" and use it to schedule jobs. I don't understand why they need to do this. Can anyone tell me why there would be a technical problem if they simply used their own id to schedule these jobs to run under the authorizations of the system id set up for this purpose?
_________________
Gary Morris
SAP Security Analyst/Developer
garymorris@sapsecurity.net
Answer:
Hi Gary,
Do you mean that the job admin is a generic account? That makes the connection between the dialog user ID and the name of the background user in which the job step is running even more obscure...
The belief that SOD conflicts between dialog users with S_BTCH_NAM = 'BATCHUSER' and the authorizations of 'BATCHUSER' itself is bad enough!
If you mean the job steps running in the name of the generic account as a dialog user, I have observed some OSS notes on a related topic which you can find with a search on 'call transaction' (I was looking for something else). Some programs may call a transaction screen which is not a parameter transaction and requires dialog interaction - at least that is what I understood the notes to be describing.
If I find an example again, I will post it.
Noddy
Answer:
There are two types of background jobs:
1. Repetative Production scheduled jobs to support a business process.
2. Adhoc reporting in background to keep the dialog processes free for "real" work. ( transaction processing)
The repetative Production jobs should be formalized with a standard naming convention for the job name and scheduled by the Batch administrator at the appropriate time, generally on a basis person's id not a generic one as there is no accountability on a geeric ID. The batch admin will need sufficient access to create the job, not run the report if internal authorization is needed to run the report (generally S_BATCH_NAM and S_PROGRAM, plus the S_BTCH_ADM access is sufficient. This allows scheduling the jobs in ANY class to limit their run to a specific batch processes controled by basis), and the STEPS should be run under an ID setup as a batch ID for the specific module ( not a user and not the batch admin person), like BATCH_FIAR , BATCH_HR, BATCH_MM, BATCH_SEC, etc. the batch Ids (setting in SU01) should have broad functional module access, not all access.
Adhoc reporting SHOULD be encouraged to keep the dialog processes free to enter the data into the system that SAP was purchased for, entering sales orders, getting money, and paying bills, ALL more important tha a poorly defined batch job report.
The user should have access to schedule jobs but NOT S_BTCH_ADM, this then forces all the job into class C which allows basis to manage when and where batch jobs are run. Since the user is running a report in backgroung that they could run in foreground, the report SHOULD be part of their role and the report tied to the role menu and the access in the report granted. The job is then scheduled on the user' s ID and run under the user's ID.
Answer:
Thanks John, That is exactly what I have told others, but for some reason I did not understand, they were saying they had some kind of technical problem when using system admin IDs, instead of this generic one. I will try and narrow done exactly what it was. They understand that the job will not fail if the admin leaves if it is scheduled under a batch-id but they still want to use a generic dialog user to schedule all of the jobs under one batch id.
Will they encounter a technical problem if they schedule too many jobs under the same user? Will there ever be any difference in the performance of the background processing with the same user such as maybe some kind of wait time when the same system id is logging in for multiple jobs, whereas if the user ids were different it would not have waited? Or rfc trace files getting wierd error messages because the background user is trying to authenticate when it is not necessary such as wrong classification of the user id causes the kernel to handle the login in a way that it would not if the classification of the user type trying to connect was set to cpic instead of system etc..
Friday, February 13, 2009
Subscribe to:
Post Comments (Atom)
Archive
-
▼
2009
(74)
-
▼
February
(65)
- What database and operating systems are supported ...
- Cloning an SAP system
- Backups during upgrade
- Refreshing development system without losing syste...
- Methodology for creating indexes
- Determining the amount of data in a client
- Basic Knowledge and System Navigation Question
- SAP Background Job Administration
- background job failed because of authorization
- Background Jobs
- background jobs via background users
- Background Processing VS Batch processing
- Deleting a scheduled Background job
- Schedule Manager
- how you can assign a Background work process as a ...
- How To Delete a Scheduled Job
- Checking your program Background Job Status
- Availability Check on Quotation
- material Determination based on availability check
- Creating Multiple Materials in Material Determination
- Backward and Forward Scheduling
- Authorization Concept
- SAP’s TCODE checks with the authorization tool
- Listing TCODE transactions used to view what users...
- Authorization Check
- SAP BASIS (BC) Authorization Concepts
- Unlocking a blocked admin user ID in an Oracle DB
- How to Check Missing Authorisation for User
- SAP Profile Generator tables
- Query About Tcode PFCG
- How To Compare The Roles
- Creating New User With Authorizations
- Introduction on Authorizations
- Troubleshooting authorization in SAP R/3
- Shortcut to create role with many reports /tcode
- check which authorisation objects are checked with...
- What are the Authorizations Required
- How do I go about creating an authorization group?
- Frequently Asked Questions on Authorization
- What is an Authorisation Object?
- SAP Create authorization object
- SAP Creating an auth group and assigning a table
- SAP creating authorization levels
- SAP Creating Authorization profile
- SAP creating custamizing autharization objects
- SAP Creating new authorization object
- SAP Creating New Organizational Levels
- SAP S_TABU_LIN
- SAP S_TABU_LIN set up as organizational level
- SAP S_TCODE
- SAP S_TCODE check after upgrade to 4.7
- SAP s_tcode display only problem
- SAP S_TCODE is not in change mode
- SAP S_TCODE Lookup
- SAP S_TCODE with * Value
- SAp S_TRANSPRT versus S_CTS_ADMI
- SAP S_USER_ALL
- Auditor role/authorization
- SAP SU53 Authorization Check
- Authorizations
- System Administration: Authorization Concepts
- SAP Authorization Checks
- SAP Authorization Check
- What is authorization
- SAP auth/new_buffering
-
▼
February
(65)
Translation by Google
Subscription Free
Categories
- ABAP WORKFLOW
- Administration Faqs
- AIS - audit management preparation.sim
- AIS Implementation
- ALE
- ALE Scenario in SAP
- Alert Monitor(CCMS) in SAP
- Analyze Authorization
- Archive
- Archiving
- Auditing Information System
- Auth/new_buffering
- Authorization Concepts
- Authorizations Objects
- Availability Check
- Background Job
- Background Processing
- EDI and IDOCS
- Faqs
- Hot Packages
- Troubleshooting
No comments:
Post a Comment