S_BTCH_JOB, S_BTCH_NAM, S_BTCH_ADM Authorization objects Problems

No specific or particular reason can be outlined for the occurrence of authorization problems, however, there are specific solutions that have been outlined for each error type.

The values which exist for JOBACTION authorization can be explained as:

1. PLAN: This is not considered as an important value because one can schedule jobs   even in the absence of special authorization. This value should ALWAYS exist in a batch authorization because ABAPs check PLAN during the authority checks such as when scheduling backups using transaction DB13.

2. DELE: This value provides authorizations for deleting the jobs of the other users. One can delete his own jobs again without any special authorization.

3. LIST: This value is not used.

4. RELE: Using this value a user can release authorization for his own jobs. If a user has RELE authorization, then the jobs which have a start date (immediate start, date/time, event...) automatically receive “released” status when the data is saved by the user. The jobs remain in "Scheduled" status for the user who does not have RELE authorization. When the user tries to enter a start date, an error message is issued by the system which states that the user does not have release authorization. The jobs of the other users cannot be released.

5. SHOW: This value displays the job details, steps, and spool lists for jobs of other users. It works correctly when displaying the steps as of Release 4.0A only. A user must possess required spool authorizations for displaying the spool lists, regardless of the batch authorizations. The batch authorization SHOW allows a user to only call the spool request screen (transaction SP01).

6. PROT: This value provides authorizations for displaying the job logs. A user is able to display either all job logs or none. The system is not able to make differences between the own jobs of user and the other jobs.

Important Information: The system does not perform check for this action, as per the Support Packages specified in SAP 1672932.

An authorization for the object S_BTCH_ADM is required for more extensive operations for jobs. The field BTCADMIN (identification for the batch administrator) should possess the value as “Y” in this authorization. This is done for enabling all operations for any jobs across clients. As per the changes specified in SAP 1702113, S_BTCH_ADM object can be used by a user to restrict the authorization assignment in a precise manner.

Exception: For scheduling a job with an external program as a job step, S_RZL_ADM with 'ACTVT' = '01'' authorization is required by a user. Initially there was an error which could lead to a security breach wherein a user could copy a job with an external program as a job step without this authorization. The error was rectified with the help of Support packages and correctional methods which have been further explained.

S_BTCH_NAM is another important authorization object which is used in background processing. By using this, a user can run the steps of a job under a different user (see transaction SM36 "Edit -> Steps"). A user can enter some different name in the user field of a step, the only criteria to be followed is that the authorization for the object S_BTCH_NAM should be possessed by the job scheduler. The name of the step user must be contained in this authorization and the step user must exist in the same client as the job scheduler.

Exception: (up to Release 4.6B)

The step user should not be a CPIC user. A CPIC user is able to schedule the jobs only when the steps run under a different user ID because by default all steps belong to the job scheduler when a user schedules a job.

(as of Release 4.6C) The step user should essentially be of the type “Service", "System”, “Dialog” or “Batch”.