background jobs via background users


I need some opinions about following issue:

We have some jobs who have to be done every day. So, these jobs are planned every morning. The jobs are backgroundjobs and [b]one[/b] system user runs [b]all the jobs[/b]. Therefore, this system user has a SAP_ALL.
A system user can't login on a normal basis but I don't feel well with the SAP_ALL.

I have the idea to split this user in several system users, with a big profile of the module which need some background jobs. (HR-user for HR-backgroundjobs, FI-user for FI-backgroundjobs,...)

Is this realistic or is there an other solution? Maybe our situation at this moment isn't so bad as I think???
Can someone help me?

Thanks in advance!
Bart

Answer:
It's perfectly feasible to split them by function or module.

For non-sensitive stuff I generally have a user e.g. FIBATCH with auths to cover what's needed. It takes a bit more work to set up but helps keep things arranged in an orderly manner.

Answer:
I’ve been through audits in the past where they have been satisfied with the background user having SAP_ALL as long as you have tightly controlled who can actually schedule jobs etc against that ID.

Answer:
I’ve been through audits in the past where they have been satisfied with the background user having SAP_ALL as long as you have tightly controlled who can actually schedule jobs etc against that ID.

Its all about risk. System users can also be used as communications users and there are some tricks that could allow someone to abuse a systems user in an RFC call. (They involve a kind of password hack). If you restrict the authority of the systems user you can diminish the opportunity for abuse.

You also have to be very restrictive about authority for S_BTCH_NAM.
_________________
bwSecurity

Answer:
I’ve been through audits in the past where they have been satisfied with the background user having SAP_ALL as long as you have tightly controlled who can actually schedule jobs etc against that ID.
When I perform audits I prefer not to see the ID with SAP_ALL - as there are plenty of ways it can be misused if the required restrictions are not in place.

If you do want to use one user, at least use a chopped down version of SAP_ALL with some of the more sensitive auths removed or very tightly controlled to grant what specifically is used.

No comments:

topics