Roles and Authorizations Used in Background Processing

he roles provided contain authorizations.

The following predefined user roles are available:

  • SAP_BC_BATCH_ADMIN
    This role contains all authorizations for background processing administration, including the creation of background jobs and general administrations functions (SMxx transaction codes, in particular SM36, SM37, SM50, and SM51)

    Note that the administrator role includes operating system access due to the fact that the administrator can define operating system commands. For more information, see     Logical Operating System Commands in this Guide.

  • SAP_BC_ENDUSER
    This role contains non-critical basis authorizations for all users, including job creation and job release.

The table below shows the authorizations used in background processing:

Authorizations for Background Processing

Authorization Object

Fields

Value

Meaning

S_BTCH_JOB

JOBACTION

DELE

Delete other users jobs

LIST

(not used)

PROT

Display job logs belonging to other users

RELE

Release own jobs automatically

SHOW

Display other users job definitions

JOBGROUP

*

Reserved, set to *

S_BTCH_NAM

BTCUNAME

Authorized user when scheduling

S_BTCH_ADM

BTCADMIN

Y

User is batch administrator

N or empty

Restricted to jobs in current client

In addition, note the following:

· A user with batch administrator privileges can do anything with jobs in all clients (authorization object S_BTCH_ADM, field “batch administrator” set to “Y”). Without this authorization, users can only work on jobs in the client in which they are logged on.

· All users can schedule, cancel, delete, and check the status of their own jobs with no additional special authorizations. However, additional authorizations are needed for:

¡ Releasing one’s own batch jobs (S_BTCH_JOB: Action=RELE)

¡ Showing logs of all jobs (S_BTCH_JOB: Action=PROT)

¡ Assigning ABAP programs to a job step (S_PROGRAM)

¡ Assigning a different user to a job step (S_BTCH_NAM).

A user without batch administrator privileges is restricted to working with class C (low priority) jobs and to his or her own jobs in the client that he or she is logged on to.

· Authorizations that allow a user to delete jobs or display information belonging to other users are:

¡ Deleting the jobs belonging to other users (S_BTCH_JOB: Action=DELE)

¡ Display job definitions and spool lists belonging to other users (S_BTCH_JOB: Action=SHOW)

· For the execution of external commands within jobs, the user needs an authorization for the object S_LOG_COM.

For more information, see SAP Notes 28162 and 101146.

Leaving content frame

Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

topics