https://community.sap.com/t5/application-development-and-automation-discussions/authorizations-for-background-user/m-p/5861036#M1321463 <HTML><HEAD></HEAD><BODY><P>Hi Neha,</P><P></P><P>You are not suppose to assign sap_all profile to any user in any case in the Production environments. Its a SOX issue.</P><P>It is recommended to assign roles instead of profiles. You can create a customized role and then assign it to the</P><P>background system user. This customized role can be modified as per the requirement and audit policies.</P><P></P><P>Please go through the following link.</P><P></P><P><A href="http://help.sap.com/saphelp_45b/helpdata/en/c4/3a7f6d505211d189550000e829fbbd/frameset.htm" target="test_blank">http://help.sap.com/saphelp_45b/helpdata/en/c4/3a7f6d505211d189550000e829fbbd/frameset.htm</A></P><P></P><P>Thanks,</P></BODY></HTML> Thu, 09 Jul 2009 18:19:40 GMT Former Member 2009-07-09T18:19:40Z https://community.sap.com/t5/application-development-and-automation-discussions/authorizations-for-background-user/m-p/5861035#M1321462 <HTML><HEAD></HEAD><BODY><P>Hi everyone,</P><P> Is it ok to assign the user(system user) sap_all profile under whom a background job runs. Is it against the security audit policies. or should we assing only those authorzatons that are required to run the program in the background job.</P><P></P><P>Thanks.</P><P>Neha.</P></BODY></HTML> Thu, 09 Jul 2009 17:32:02 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorizations-for-background-user/m-p/5861035#M1321462 Former Member 2009-07-09T17:32:02Z https://community.sap.com/t5/application-development-and-automation-discussions/authorizations-for-background-user/m-p/5861036#M1321463 <HTML><HEAD></HEAD><BODY><P>Hi Neha,</P><P></P><P>You are not suppose to assign sap_all profile to any user in any case in the Production environments. Its a SOX issue.</P><P>It is recommended to assign roles instead of profiles. You can create a customized role and then assign it to the</P><P>background system user. This customized role can be modified as per the requirement and audit policies.</P><P></P><P>Please go through the following link.</P><P></P><P><A href="http://help.sap.com/saphelp_45b/helpdata/en/c4/3a7f6d505211d189550000e829fbbd/frameset.htm" target="test_blank">http://help.sap.com/saphelp_45b/helpdata/en/c4/3a7f6d505211d189550000e829fbbd/frameset.htm</A></P><P></P><P>Thanks,</P></BODY></HTML> Thu, 09 Jul 2009 18:19:40 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorizations-for-background-user/m-p/5861036#M1321463 Former Member 2009-07-09T18:19:40Z https://community.sap.com/t5/application-development-and-automation-discussions/authorizations-for-background-user/m-p/5861037#M1321464 <HTML><HEAD></HEAD><BODY><P>&gt; Is it ok to assign the user(system user) sap_all profile under whom a background job runs. Is it against the security audit policies. or should we assing only those authorzatons that are required to run the program in the background job.</P><P>&gt; </P><P></P><P>Hi Neha,</P><P>You don't need to provide SAP_ALL for any system user id for daily Business you create. And of course it is against Audit policies to provide such access to Background user. This user id should be of type <STRONG>System</STRONG>.</P><P>The authorizations for such user ids should be:</P><P></P><P><U>S</U>BTCH_NAM Background Processing: Background User Name_</P><P>BTCUNAME = &lt;respestive user name that are going to be authorized for Batch Job execution&gt;</P><P></P><P><U>S</U>BTCH_JOB Background Processing: Operations on Background Jobs_</P><P>JOBACTION = *</P><P>JOBGROUP = *</P><P></P><P>S_BTCH_ADM Background Processing: Background Administrator</P><P>This is required for the administrator administering background Jobs.</P><P></P><P>Also check the following note: Note 101146 - [Batch: authorization object S_BTCH_JOB, S_BTCH_NAM|https://service.sap.com/sap/support/notes/101146]</P><P></P><P><U>Also the user needs access to following Authorizations</U>:</P><P>S_ADMI_FCD System Authorizations</P><P>S_CTS_ADMI Administration Functions in the Change and Transport System</P><P>S_LOG_COM Authorization to execute logical operating system commands</P><P>S_RZL_ADM CCMS: System Administration</P><P></P><P></P><P>Regards,</P><P>Dipanjan</P><P></P><P>Edited by: Dipanjan Sanpui on Jul 9, 2009 2:21 PM</P></BODY></HTML> Thu, 09 Jul 2009 18:19:50 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorizations-for-background-user/m-p/5861037#M1321464 sdipanjan 2009-07-09T18:19:50Z https://community.sap.com/t5/application-development-and-automation-discussions/authorizations-for-background-user/m-p/5861038#M1321465 <HTML><HEAD></HEAD><BODY><P>The help.sap.com link is from the 45B release... it also only lists possible objects which the user might need - there is no "must have".</P><P></P><P>Best is to restrict their access to that which they do need and delete their passwords (unless they are also used in RFC with password based authentication) and protect them in an exclusive user group.</P><P></P><P>Some of the risks are mentioned here =&gt; <SPAN __jive_macro_name="thread" id="458291"></SPAN></P><P></P><P>If you comb the ABAP and scripting forums you will find more.</P><P></P><P>If they are opening connections to other external (file) systems and running or communicating with external programs, then you should take a look into restricting the REGINFO.dat file as well so that only known connections are protected.</P><P></P><P>Cheers,</P><P>Julius</P><P></P><P>Edited by: Julius Bussche on Jul 9, 2009 9:12 PM</P><P>46B -&gt; 45B...</P></BODY></HTML> Thu, 09 Jul 2009 19:11:42 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorizations-for-background-user/m-p/5861038#M1321465 Former Member 2009-07-09T19:11:42Z