S 4.265 Secure configuration of batch processing on SAP systems
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
When processing in the background (batch processing), the procedures (batch jobs) are generally executed automatically. In addition, it is possible to execute tasks according to a schedule. The following must be considered when configuring batch jobs:
- Batch jobs are controlled using transaction SM36. Only authorised batch administrators should have access to this transaction.
- The following authorisation objects can be used to administer batch processing. The assignment of these authorisations is generally regulated in the authorisation concept.
- The authorisation object S_BTCH_ADM with the value "Y" allows full access to batch administration. It must be taken into account that this access cannot be restricted any further: a user with this authorisation will always be able to execute all administration operations. Only a few administrators (e.g. the batch administrator and his substitute) should therefore be granted this authorisation.
- The authorisation object S_BTCH_JOB with the value "LIST" allows a batch administrator to display the spool jobs generated by the batch jobs. Since these jobs contain the output data of the batch jobs, it must be decided within the authorisation concept under which circumstances this authorisation may be used and who is allowed to use it.
- Users can always create and manage their own jobs without needing any special authorisations.
The following authorisation objects can be used for special operations that are not possible without the corresponding authorisation:
- S_BTCH_JOB: Permits the following depending on the value specified:
- "DELE" value: Delete the jobs of other users
- "LIST" value: Display spool jobs
- "PROT" value: View job logs, even those of other users
- "SHOW" value: Display job details
- "RELE" value: Release the jobs of other users
Since batch jobs are processed automatically in the background, their execution generally goes unnoticed. The effects of unauthorised changes to batch processing may remain undetected for a long time for this reason. It is therefore necessary to assign these authorisations restrictively.
- S_BTCH_NAM: Allows a user to execute batch jobs using the authorisations of another user. The user accounts under which the batch job is allowed to execute are specified in the authorisation. Assigning this authorisation must be considered critical from a security perspective; it should only be granted to batch administrators, for example to allow batch jobs to run using technical user accounts.
- Background processing is generally executed using the authorisations of the user who created the batch job. The authorisations configured for the user generally apply to the batch job in this case.
- If batch jobs are executed using the authorisations of technical users, the authorisations of the technical users must be restricted. It is not recommended to assign the SAP_ALL profile to a technical batch user.
- Access to the batch processing administration should only be granted to authorised administrators.
- Batch processing may generate a high load on an SAP system. It is therefore necessary to decide whether normal users will be allowed to start batch jobs or whether the batch jobs must be scheduled and released by the batch administrator after the user has created the batch job.
References to SAP documentation on the subject of batch processing can be found in S 2.346 Use of the SAP documentation.
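The assignment rules above can be checked against an export of user authorisations. The following Python script is an added example and not part of the original safeguard; the CSV layout, the PROFILE pseudo-object, and all user names are constructed assumptions.

```python
import csv
import io

# Constructed sample: one row per (user, authorisation object, value).
# The CSV layout and the PROFILE pseudo-object are assumptions for this
# example, not an SAP report format. "*" stands for "all values".
SAMPLE = """user,object,value
BATCHADM,S_BTCH_ADM,Y
BATCHADM,S_BTCH_NAM,BATCH_TECH
BATCHADM2,S_BTCH_ADM,Y
JSMITH,S_BTCH_JOB,RELE
JSMITH,S_BTCH_JOB,SHOW
MMEIER,S_BTCH_NAM,*
MMEIER,S_BTCH_ADM,N
BATCH_TECH,PROFILE,SAP_ALL
"""

APPROVED_ADMINS = {"BATCHADM", "BATCHADM2"}  # hypothetical batch admin and substitute
TECHNICAL_USERS = {"BATCH_TECH"}             # hypothetical technical batch user
JOB_ACTIONS = {"DELE", "LIST", "PROT", "SHOW", "RELE"}  # S_BTCH_JOB values from the text


def audit(export_text, approved_admins, technical_users):
    """Return (user, finding) pairs for assignments that conflict with the safeguard."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user, obj, val = (row[k].strip().upper() for k in ("user", "object", "value"))
        outsider = user not in approved_admins
        if obj == "S_BTCH_ADM" and val == "Y" and outsider:
            findings.append((user, "full batch administration (S_BTCH_ADM=Y)"))
        elif obj == "S_BTCH_NAM" and outsider:
            findings.append((user, f"may run jobs under account {val} (S_BTCH_NAM)"))
        elif obj == "S_BTCH_JOB" and outsider and (val in JOB_ACTIONS or val == "*"):
            findings.append((user, f"special job operation S_BTCH_JOB={val}"))
        elif obj == "PROFILE" and val == "SAP_ALL" and user in technical_users:
            findings.append((user, "technical batch user holds SAP_ALL"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE, APPROVED_ADMINS, TECHNICAL_USERS):
        print(f"{user}: {finding}")
```

Each finding is a deviation to be compared with the authorisation concept, which decides whether an assignment outside the approved administrator list is justified.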
Review questions:
- Is access to transaction SM36 for controlling batch jobs only granted to authorised SAP administrators?
- Is full access to batch administration only granted to the necessary SAP administrators?
- Does the authorisation concept define which batch administrators are authorised to display the spool jobs generated by batch jobs?
- Are only batch administrators authorised to execute a batch job using the authorisations of another user?
- Is access to the batch processing administration only granted to authorised SAP administrators?