
authorizations for background user

Former Member

Hi everyone,

Is it OK to assign the sap_all profile to the user (system user) under whom a background job runs? Is it against the security audit policies? Or should we assign only those authorizations that are required to run the program in the background job?

Thanks.

Neha.

1 ACCEPTED SOLUTION

sdipanjan
Active Contributor

> Is it OK to assign the sap_all profile to the user (system user) under whom a background job runs? Is it against the security audit policies? Or should we assign only those authorizations that are required to run the program in the background job?

>

Hi Neha,

You don't need to provide SAP_ALL for any system user ID you create for daily business. And of course it is against audit policies to provide such access to a background user. This user ID should be of type System.

The authorizations for such user ids should be:

S_BTCH_NAM Background Processing: Background User Name

BTCUNAME = <respective user names that are going to be authorized for batch job execution>

S_BTCH_JOB Background Processing: Operations on Background Jobs

JOBACTION = *

JOBGROUP = *

S_BTCH_ADM Background Processing: Background Administrator

This is required for the administrator administering background jobs.

Also check the following note: Note 101146 - Batch: authorization object S_BTCH_JOB, S_BTCH_NAM (https://service.sap.com/sap/support/notes/101146)

Also the user needs access to the following authorizations:

S_ADMI_FCD System Authorizations

S_CTS_ADMI Administration Functions in the Change and Transport System

S_LOG_COM Authorization to execute logical operating system commands

S_RZL_ADM CCMS: System Administration

Regards,

Dipanjan

Edited by: Dipanjan Sanpui on Jul 9, 2009 2:21 PM

3 REPLIES 3

Former Member

Hi Neha,

You are not supposed to assign the sap_all profile to any user in any case in production environments. It's a SOX issue.

It is recommended to assign roles instead of profiles. You can create a customized role and then assign it to the background system user. This customized role can be modified as per the requirement and audit policies.

Please go through the following link.

http://help.sap.com/saphelp_45b/helpdata/en/c4/3a7f6d505211d189550000e829fbbd/frameset.htm

Thanks,


Former Member

The help.sap.com link is from the 45B release... it also only lists possible objects which the user might need - there is no "must have".

Best is to restrict their access to that which they do need and delete their passwords (unless they are also used in RFC with password based authentication) and protect them in an exclusive user group.

Some of the risks are mentioned here =>

If you comb the ABAP and scripting forums you will find more.

If they are opening connections to other external (file) systems and running or communicating with external programs, then you should take a look into restricting the REGINFO.dat file as well so that only known connections are protected.

Cheers,

Julius

Edited by: Julius Bussche on Jul 9, 2009 9:12 PM

46B -> 45B...
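
The checks recommended in the accepted answer (user type System, no SAP_ALL) and in Julius's reply (an exclusive user group) can be run as an audit over table exports. This is an added example, not code from the thread: it assumes CSV exports of TBTCP (job step user in AUTHCKNAM), USR02 (USTYP, CLASS) and UST04 (profile assignments). The user names, job names and the group name BATCHUSERS are constructed.

```python
import csv
import io
# Constructed sample exports (not real data); columns named after the SAP
# tables TBTCP (job steps), USR02 (user master), UST04 (profile assignments).
TBTCP_CSV = """JOBNAME,PROGNAME,AUTHCKNAM
Z_NIGHTLY_BILLING,ZBILL01,BATCH_FI
Z_STOCK_SYNC,ZSTOCK02,BATCH_MM
Z_ADHOC_REPORT,ZREP03,JSMITH
"""
USR02_CSV = """BNAME,USTYP,CLASS
BATCH_FI,B,BATCHUSERS
BATCH_MM,B,
JSMITH,A,FINANCE
"""
UST04_CSV = """BNAME,PROFILE
BATCH_FI,Z_BATCH_FI
BATCH_MM,SAP_ALL
JSMITH,Z_FI_CLERK
"""
SYSTEM_USER_TYPE = "B"          # USR02-USTYP value for user type System
PROTECTED_GROUP = "BATCHUSERS"  # assumed name of the exclusive user group

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_background_users(tbtcp, usr02, ust04, group=PROTECTED_GROUP):
    """Return {user: [findings]} for every user that owns a job step."""
    users = {r["BNAME"]: r for r in rows(usr02)}
    profiles = {}
    for r in rows(ust04):
        profiles.setdefault(r["BNAME"], set()).add(r["PROFILE"])
    findings = {}
    for user in sorted({r["AUTHCKNAM"] for r in rows(tbtcp)}):
        issues = []
        master = users.get(user)
        if master is None:
            issues.append("no user master record")
        else:
            if master["USTYP"] != SYSTEM_USER_TYPE:
                issues.append("not user type System")
            if master["CLASS"] != group:
                issues.append("outside protected user group")
        if "SAP_ALL" in profiles.get(user, set()):
            issues.append("has SAP_ALL")
        findings[user] = issues
    return findings
if __name__ == "__main__":
    for user, issues in audit_background_users(TBTCP_CSV, USR02_CSV, UST04_CSV).items():
        print(user, "; ".join(issues) or "OK")
```

An empty findings list means the step user passed all three checks; anything else is a candidate for a restricted custom role.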