Question:
Hi all,
We have a SAP_ALL dialog ID that is used to run batch jobs. Due to SOX requirements, we have to restrict this ID. I'm wondering how other people handle this. Do you have one ID for batch jobs with all the access needed to run all the jobs - and update access whenever a new batch job has to be run? Do you have several IDs, maybe by area, which would mean the IDs would have less SODs than if there was one ID only?
Thanks for any input,
Mary
Answer:
This is always a difficult one. One way to go about it is to create UIDs per area and give these a collection of all end-user roles in that area, but be sure to test this, as some batch jobs need wider access than "normal" users. SoDs on this kind of user are hard to avoid; consider control from the other side: look at which jobs are to be run and see if you can find the proper authorisations by running them in foreground and tracing them.
Answer:
We keep our batch user ID for this purpose as a System user - NOT dialog - with SAP_ALL, and this works fine. No need for this user to log on, as it can be assigned as the user to run the job by anyone who has the S_BTCH_NAM object set with this ID. I know, I know... the SOX police won't be happy about that either! But we persuaded them that it was OK as long as only a limited number of users, of sufficiently high responsibility level, had it. Worth a try?
_________________
Regards.
ib
_________________________________
SAPFans help those who help themselves!
Answer:
This one is a hard one --- and tedious. We ended up "cleaning" up these accounts --- those w/ SAP_ALL were removed, and we created roles for them w/ specific authorizations that they need.
Again, tedious. We had to run ST01 on them to find out exactly what they needed.
Some of them, however, require so many authorizations that what we ended up doing was creating a role that is a copy of SAP_ALL and SAP_NEW, and removed some of the critical system authorizations. These generic accounts are also those that are 'not' dialog or service accounts. And, we also only allowed certain people to be able to schedule jobs under these accounts (S_BTCH_NAM). It is still noted in the audit report, but for now, they seem to be OK w/ it.
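The two controls the answers above converge on (keep the SAP_ALL batch ID a System rather than Dialog user, and limit who holds S_BTCH_NAM for that ID) are the kind of thing an auditor re-checks every quarter. The script below is an added example, not code from any of the posters, that runs those checks over a small constructed extract. The table and field names it mentions (USR02 user types, AGR_USERS role assignments, the BTCUNAME field of S_BTCH_NAM) are used only as labels for the sample data; the script does not connect to an SAP system, and treating a bare `*` in BTCUNAME as "any user name" is an assumption of this model.

```python
"""Audit checks for background-job ("batch") user IDs.

Constructed sample data, modelled loosely on:
  USERS             USR02: user name -> USTYP ('A' dialog, 'B' system,
                           'C' communication, 'S' service, 'L' reference)
  ROLE_ASSIGNMENTS  AGR_USERS: (role, user) pairs
  BTCH_NAM_GRANTS   (grantee, BTCUNAME value) pairs, i.e. the user names a
                    grantee may schedule jobs under via S_BTCH_NAM
  APPROVED          batch user -> set of people approved to schedule its jobs
"""
from dataclasses import dataclass

USER_TYPE_DIALOG = "A"

# --- constructed extract (not real system data) ---------------------------
USERS = {
    "BATCH_ALL": "A",   # the dialog SAP_ALL batch ID from the question
    "BATCH_FI": "B",    # system user per area, as suggested in the answers
    "BATCH_MM": "B",
    "JSMITH": "A",
    "MJONES": "A",
    "TLEE": "A",
}
ROLE_ASSIGNMENTS = [
    ("SAP_ALL", "BATCH_ALL"),
    ("SAP_ALL", "BATCH_FI"),
    ("Z_BATCH_MM", "BATCH_MM"),
    ("Z_FI_ENDUSER", "JSMITH"),
    ("Z_MM_ENDUSER", "TLEE"),
]
BTCH_NAM_GRANTS = [
    ("JSMITH", "BATCH_FI"),
    ("JSMITH", "BATCH_ALL"),
    ("MJONES", "BATCH_FI"),
    ("TLEE", "*"),          # wildcard: may run jobs as anyone (assumed semantics)
]
APPROVED = {"BATCH_FI": {"JSMITH"}, "BATCH_MM": {"TLEE"}}
BATCH_USERS = ["BATCH_ALL", "BATCH_FI", "BATCH_MM"]


@dataclass(frozen=True)
class Finding:
    check: str
    subject: str
    detail: str


def dialog_users_with_role(users, role_assignments, role="SAP_ALL"):
    """Dialog-type users holding `role`: a batch ID that can also log on."""
    holders = {u for r, u in role_assignments if r == role}
    return sorted(u for u in holders if users.get(u) == USER_TYPE_DIALOG)


def btch_nam_matches(grant_value, batch_user):
    """Does a BTCUNAME value cover `batch_user`? '*' means any name (assumption)."""
    return grant_value == "*" or grant_value.upper() == batch_user.upper()


def submitters_for(btch_nam_grants, batch_user):
    """Everyone whose S_BTCH_NAM grants let them schedule jobs as `batch_user`."""
    return sorted({g for g, v in btch_nam_grants if btch_nam_matches(v, batch_user)})


def unapproved_submitters(btch_nam_grants, batch_user, approved):
    """Submitters for `batch_user` not on its approved list."""
    allowed = set(approved.get(batch_user, ()))
    return sorted(set(submitters_for(btch_nam_grants, batch_user)) - allowed)


def wildcard_grantees(btch_nam_grants):
    """Grantees whose BTCUNAME is a bare '*': effectively any job user."""
    return sorted({g for g, v in btch_nam_grants if v == "*"})


def audit(users, role_assignments, btch_nam_grants, approved, batch_users):
    """Run all three checks and return the findings as a flat list."""
    findings = []
    for u in dialog_users_with_role(users, role_assignments):
        findings.append(Finding("dialog_sap_all", u, "SAP_ALL on a dialog-capable user"))
    for g in wildcard_grantees(btch_nam_grants):
        findings.append(Finding("btch_nam_wildcard", g, "S_BTCH_NAM BTCUNAME = '*'"))
    for b in batch_users:
        for g in unapproved_submitters(btch_nam_grants, b, approved):
            findings.append(Finding("unapproved_submitter", g, f"can schedule jobs as {b}"))
    return findings


if __name__ == "__main__":
    for f in audit(USERS, ROLE_ASSIGNMENTS, BTCH_NAM_GRANTS, APPROVED, BATCH_USERS):
        print(f"{f.check:22} {f.subject:10} {f.detail}")
```

On the sample extract the script flags BATCH_ALL (SAP_ALL on a dialog user), TLEE's wildcard grant, and four submitter/batch-user pairs that nobody signed off on. The approved list is the piece the second answer describes negotiating with the auditors; keeping it as data rather than in someone's head is what makes the check repeatable.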