We have a job which runs OK in foreground but when defined in background.
It failed and the log said it is an authorization problem. Unlike a
foreground job which we can always run SU53 after the execution to get
which auth is needed, the log of the background job didn't tell more
detail other than "it is an auth problem". Pls help us with this. is
there a way to find out what is the exactly reason after a background job
failed because of authorization?

thanks.

Answer:
Several solutions:
1) Copy the batch user to a dialogue user, then logon and run the job. You will then have your error online and maybe the SU53 you are looking for.
2) Check S_PROGRAM value for the batch user. Maje sure the batch user has activity BTCSUBMIT for the program auth group. Have you checked the job log in SM37?? You can usually drill-down to see some type of error. Common errors are S_PROGRAM and S_DATASET authotizations' missing.

Answer:
You can also run an authorization trace from ST01 for the "job step executor" (the background user) -- not the batch job scheduler, unless if they're run by the same people.

Also -- make sure you run ST01 on the exact application server the batch job is running to capture the trace.

Answer:
Tried to run the job online, it went through w/o problem.

Tried it in background again, failed with same authorization problem.

Does this make sense for you guys? Should running online and running in background have the same authorization check?

I need some opinions about following issue:

We have some jobs who have to be done every day. So, these jobs are planned every morning. The jobs are backgroundjobs and [b]one[/b] system user runs [b]all the jobs[/b]. Therefore, this system user has a SAP_ALL.
A system user can't login on a normal basis but I don't feel well with the SAP_ALL.

I have the idea to split this user in several system users, with a big profile of the module which need some background jobs. (HR-user for HR-backgroundjobs, FI-user for FI-backgroundjobs,...)

Is this realistic or is there an other solution? Maybe our situation at this moment isn't so bad as I think???
Can someone help me?

Thanks in advance!
Bart

Answer:
It's perfectly feasible to split them by function or module.

For non-sensitive stuff I generally have a user e.g. FIBATCH with auths to cover what's needed. It takes a bit more work to set up but helps keep things arranged in an orderly manner.

Answer:
I’ve been through audits in the past where they have been satisfied with the background user having SAP_ALL as long as you have tightly controlled who can actually schedule jobs etc against that ID.

Answer:
I’ve been through audits in the past where they have been satisfied with the background user having SAP_ALL as long as you have tightly controlled who can actually schedule jobs etc against that ID.

Its all about risk. System users can also be used as communications users and there are some tricks that could allow someone to abuse a systems user in an RFC call. (They involve a kind of password hack). If you restrict the authority of the systems user you can diminish the opportunity for abuse.

You also have to be very restrictive about authority for S_BTCH_NAM.
_________________
bwSecurity

Answer:
I’ve been through audits in the past where they have been satisfied with the background user having SAP_ALL as long as you have tightly controlled who can actually schedule jobs etc against that ID.
When I perform audits I prefer not to see the ID with SAP_ALL - as there are plenty of ways it can be misused if the required restrictions are not in place.

If you do want to use one user, at least use a chopped down version of SAP_ALL with some of the more sensitive auths removed or very tightly controlled to grant what specifically is used.

What is the general practice for running Background jobs? Under the individual's user ID or one generic ID which has wide authorisations?

If it is run under the individual ID, then how is it handled when the person leaves the company?

What are the pro's and con's of running it under one generic ID?

Thank you
Jaynick
_________________
SAP Rules!!!

Answer:
We make sure that all background jobs are scheduled against a background user. This way we ensure that there is sufficient access to complete the job without having to give the individual users the same level of access. At the same time we can lock leavers and inactive users without being concerned of jobs falling over

To do this, you need to make sure that only a limited number of people can schedule batchjobs against the background ID. If not, you risk people obtaining access they should not have.

You can also ensure that the jobs won't have a negative performance impact on the system, as they will be scheduled with the right parameters.

Hope it helps

Answer:
If you currently allow users to create background jobs, checking for jobs scheduled for a particular ID should be a standard part of user decomissioning.

Answer:
Thanks Henrik! Any other input from SAP fans as to what the general practice out in the world is?

Jaynick

Answer:
I have a question about this also. I understood that a Basis admin could schedule background jobs to run under the userid of a system user, so that the system user (non dialog) could be granted broad authorizations, and not the dialog user, and also no maintenance is required if basis admin leaves the company.

I know that there are a few things that will require that the basis admin who schedules the background job to run under the auths of the system user id, also have the authorizations in his/her role also, or they will not be allowed to schedule it to run under the system id, even if the system id has the auths. Which is an understandable security measure. But these are only for a few things like os command and program execution considered critical, and not like broad business applications which the admin would not have in his admin role, and yet there is no problem scheduling jobs under the system id which does process business application jobs.

I have been told by some that they needed to create a generic dialog user like "JOBSCHEDULER" and use it to schedule jobs. I don't understand why they need to do this. Can anyone tell me why there would be a technical problem if they simply used their own id to schedule these jobs to run under the authorizations of the system id set up for this purpose?
_________________
Gary Morris
SAP Security Analyst/Developer
garymorris@sapsecurity.net

Answer:
Hi Gary,

Do you mean that the job admin is a generic account? That makes the connection between the dialog user ID and the name of the background user in which the job step is running even more obscure...

The belief that SOD conflicts between dialog users with S_BTCH_NAM = 'BATCHUSER' and the authorizations of 'BATCHUSER' itself is bad enough!

If you mean the job steps running in the name of the generic account as a dialog user, I have observed some OSS notes on a related topic which you can find with a search on 'call transaction' (I was looking for something else). Some programs may call a transaction screen which is not a parameter transaction and requires dialog interaction - at least that is what I understood the notes to be describing.

If I find an example again, I will post it.

Noddy

Answer:
There are two types of background jobs:
1. Repetative Production scheduled jobs to support a business process.
2. Adhoc reporting in background to keep the dialog processes free for "real" work. ( transaction processing)

The repetative Production jobs should be formalized with a standard naming convention for the job name and scheduled by the Batch administrator at the appropriate time, generally on a basis person's id not a generic one as there is no accountability on a geeric ID. The batch admin will need sufficient access to create the job, not run the report if internal authorization is needed to run the report (generally S_BATCH_NAM and S_PROGRAM, plus the S_BTCH_ADM access is sufficient. This allows scheduling the jobs in ANY class to limit their run to a specific batch processes controled by basis), and the STEPS should be run under an ID setup as a batch ID for the specific module ( not a user and not the batch admin person), like BATCH_FIAR , BATCH_HR, BATCH_MM, BATCH_SEC, etc. the batch Ids (setting in SU01) should have broad functional module access, not all access.

Adhoc reporting SHOULD be encouraged to keep the dialog processes free to enter the data into the system that SAP was purchased for, entering sales orders, getting money, and paying bills, ALL more important tha a poorly defined batch job report.

The user should have access to schedule jobs but NOT S_BTCH_ADM, this then forces all the job into class C which allows basis to manage when and where batch jobs are run. Since the user is running a report in backgroung that they could run in foreground, the report SHOULD be part of their role and the report tied to the role menu and the access in the report granted. The job is then scheduled on the user' s ID and run under the user's ID.

Answer:
Thanks John, That is exactly what I have told others, but for some reason I did not understand, they were saying they had some kind of technical problem when using system admin IDs, instead of this generic one. I will try and narrow done exactly what it was. They understand that the job will not fail if the admin leaves if it is scheduled under a batch-id but they still want to use a generic dialog user to schedule all of the jobs under one batch id.

Will they encounter a technical problem if they schedule too many jobs under the same user? Will there ever be any difference in the performance of the background processing with the same user such as maybe some kind of wait time when the same system id is logging in for multiple jobs, whereas if the user ids were different it would not have waited? Or rfc trace files getting wierd error messages because the background user is trying to authenticate when it is not necessary such as wrong classification of the user id causes the kernel to handle the login in a way that it would not if the classification of the user type trying to connect was set to cpic instead of system etc..

Can someone tell me what the difference between backgroud processing and batch processing is. Also does the access to this function be limited.

I have a requrinment where they want everyone to have access to batch processing and just wanted to know how i should be handling this request.

Please help

Answer:
You have to get clarification from the requester. Most often Batch and background mean the same. There is a SAP useage which means Batch Data Communication ( BDC) that is sometimes refered to as Batch but most often refered to as BDC. Batch anf Background is controlles with S_BTCH_JOB and BDC is S_BDC_MONI. You need clarification fromt he requester.

Answer:
And if the user also has S_BTCH_ADM = Y and S_BTCH_NAM = DDIC (or *), then they can schedule the jobs, release, delete etc (as per S_BTCH_JOB actions permitted), but.. in the name of and with the authorizations of the other user names.

You can check with SUIM reports who can use your user account (for example) without having to know your password.

The myth that one cannot logon with a batch user is therefore true, because you don't need to logon with it...

Cheers,
Bob

Answer:
There is no myth about "loggin on to a Batch id" it does logon to run the batch job it just cannot be used in DIALOG mode. S_BTCH_NAM allows you to run a batch job using that users' access be it DDIC ( which should not have SAP_ALL) or any other id BATCH or DIALOG.

Answer:
There is no myth about "loggin on to a Batch id" it does logon to run the batch job it just cannot be used in DIALOG mode. S_BTCH_NAM allows you to run a batch job using that users' access be it DDIC ( which should not have SAP_ALL) or any other id BATCH or DIALOG.

It does logon, but unlike Communication users, the password is not critical for this login so you can change it. Like Communication users, one does not have to know what the password is... just access to see that someone once did and left it behind in the system. For Communication users one does not need to know the password either, but changing it, would make the access to the user more difficult.