I want to revoke rights so users cannot schedule periodic jobs

Similar Messages

• Reg Super user for schedule background Jobs

  Hi Experts,
  I have created new user copied from DDIC with the same authorization. This is for scheduling Background Jobs. Now all the standard background Jobs are running fine. After scheduling the Jobs I have changed to system user. Now for audit purpose I need SAP note to do same. Please help me to get the sap note for the same. Please respond ASAP. treat this is as high priority.
  Thanks & Regards,
  Haseem.

  HI,
  It is not necessary for user having SAP_ALL authorization under which background job is running.
  Define specific users to use for background processing. Define them as system users (non-dialog) and give them only the necessary authorizations that are needed for the executed programs
  check  http://help.sap.com/saphelp_nw04/helpdata/en/db/f6f3393bef4604e10000000a11402f/frameset.htm
  also check Note 101146 - Batch: authorization object S_BTCH_JOB, S_BTCH_NAM
  regards,
  kaushal

• Cannot schedule the job at the time of AM when "multiple time a day"

  Dear all,
  I met this bug by the step below:
  1/ open the Data Services Management Console
  2/ select administrator.
  3/ select the batch repository and click the "batch job configuration"
  4/ select one job and select "add schedule".
  5/ I choose the "Multiple times a day"
  6/ and I select "AM" (default is PM)
  7/ click "apply"
  8/ I found that the time go back to "PM", which I have set into "AM".
  Cannot I set the time as "AM"? is it a bug ?or by design?
  Thanks.
  Jeff.

  what is the OS locale on which Management Console is running (tomcat) ? is it Japanese or Chinese
  there was a issue fixed in 11.7.3.9 and 12.2.0.0
  what is the version of DS you are using ?

• Restrict users from scheduling job

  Hi All,
     Now our users are able to schedule the job from SM37. By default I think the job is running on the main server and the performance of the system is effected badly.
    Is there any way we can restrict the users to schedule the job on a particular server and try to avoid them from scheduling the job on a particular server.
  Thanks.

  This can be done with a small work around.
  When you run a job what actually runs is the program which you set it as steps
  Now, set authorisation for that particular program so that only few users who are authorised can run the job.
  Now, while scheduling the job, in SM36 you can specify the target application server on which the job has to run..
  Hope it helps
  Thanks,
  Babu Kilari

• Allow users to execute Own Jobs ... Yes or no?

  Hello
  What do you guys recommend about allowing users tu schedule own jobs?
  I mean, a user can schedule a job by running a program in background mode and then schedule it as a job that he can later check in  SMX
  But, as Basis administrator  what´s your opinion  about letting users schedule jobs?
  Thank you
  Sergio

  Savas, Nathan
  Thank you for your answers .
  I agree with the second comment  of Savas, a basis consultant only will have the management of the jobs but will not always know what exactly the program does.
  My question is also about if it is convenient that a user can have the capability to schedule a program in background mode ( when a user run a program in background mode he/she can schedule that execution, and then he/she reviews the job  in Transaction SMX, correct me if I´m wrong)
  In this case the Basis admin is kinda blind  about how  many schedule jobs really are in the system
  Thanks!
  Sergio

• Schedules Error  - Job execution failed because the user who scheduled this

  Hi
  I wonder if anyone can help
  I have a report that I can deliver by email through the BI Publsiher front end without issue. However when I call the report to send by email through my oracle 11G Database, as the same BI User I get the following error message
  "oracle.apps.xdo.servlet.scheduler.ProcessingException: Job execution failed because the user who scheduled this job has no more permission or priviledge to run the job."
  Any suggestions?
  Thanks
  Kev

  The scheduler appears to be the culprit here so try the following:
  1. Open the [repository_home]/Admin/Scheduler/quartz-config.properties file
  2. Add the following entry:
  org.quartz.threadPool.threadsInheritContextClassLoaderOfInitializingThread=true
  3. Restart the environment (xmlpserver)
  4. Rerun the report via the scheduler

• User cannot change password option is automatically getting unchecked while giving domain admin rights

  user cannot change password option is automatically getting unchecked while giving domain admin rights

  Greetings!
  "Domain Admins" falls into the category of protected groups and it is included in ADminSDHolder process. It is normal and was designed in order to prevent the modification to these privileged groups. More information on the link below:
  AdminSDHolder, Protected Groups and SDPROP
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• User cannot access redirected Documents folder, but can connect to share in Windows Explorer and access folder on server

  I am in the final stages of a cross-forest migration.  Users have Windows 7 workstations with redirected folders on a Windows Server 2012 box running in the old forest.  User accounts were not migrated.  The accounts in use have always
  been in the "new" forest.  One of our challenges was the large volume of data in redirected folders.  I made sure users in the target forest had continued to have access to their redirected folders in the old forest and robocopied
  the entire users share, copying the permissions with the files.  By doing incremental robocopies, we can get a final copy done now in about six hours.  The plan was simple: copy the files, do an incremental copy every night, on the night of the cutover
  change the folder redirection policy Documents path from
  \\oldserver\users\%USERNAME% to
  \\newserver\users\%USERNAME%. The policy is configured to NOT copy user files from the existing folder to the new redirected folder.  Everything was going well until I tested the policy change.  After the folder redirection policy is updated
  and applied, the user cannot access the private Documents folder.  For example, user Chester Tester logs on as ctester.  I open Windows Explorer and click the Documents shortcut.  I see one subfolder, which is subfolder of Public Documents. 
  So I can look at Public Documents but when I click on the Documents folder (Under the Documents library link) I get an access denied error.  Now for the kicker, if I open another Windows Explorer window and edit the address bar to
  \\newserver\users\ctester, I can navigate the Documents folder tree and see my thousands of documents. What the ....?
  I'm hoping this is something really simple to fix!
  TIA

  HI Vivian,
  Thank you for your reply.  Yes, the path in Group Policy Folder Redirection Root Path was updated to
  \\NEWSERVER\users.  I had planned to point this to the distributed file system, so the first used was actually
  \\domain\dfs\users.  To simplify things I have backed off to copying to just a normal share
  \\newserver\users. 
  We are using BASIC folder redirection and we create a folder for each user under the root path. 
  We did not want the policy to move content, as we were seeing users requiring 15-20 minute logon times  (or higher) after the policy is changed.
  Grant the User exclusive right to Documents - Disabled
  Move the contents of Documents to the new location - Disabled
  Related folder settings
  Video - Follow Documents
  Music - Follow Documents
  Pictures - Follow Documents
  Now when I change the folder redirection from old server to new server I now have TWO My Documents folders in the user's redirection folder on the server.  The redirected Documents points to an empty folder set.  The copied folders with all user
  data are there, but folder redirection refuses to recognize the original folder.
  I am looking at the full view of the folder, nothing hidden, so I'm wondering how a folder can have two subfolders with the exact same name.  For now, I just want the redirection to move from the old server to the new server properly.  I deleted
  the new My Documents folder, rebooted the user's workstation and tried again.  The behavior repeats itself, i.e., a new My Documents folder is always created when the redirection policy is changed from the old server to the new server.  The environment
  has about 1500 users with approximately 1.3TB of data in the redirected Documents folders.  OUCH!

• CProject user cannot edit (confirm) their assigned tasks

  Dear Experts,
  we are facing an unexpected behaviour on cProjects: project user cannot edit (confirm) their assigned tasks, because the authorizations at the task level for user appear as Read (authorizations view on task), while on the project definition, for the same tasks the user is assigned Write permissions. Something must be happening in between that we are not getting right.
  More details on the configuration behind and the process:
  - In Project definition level, project roles (coming from a project template) are staffed to users (business partners)
  - Project roles coming from project template are assigned to a project role type with Default authorization set as Read. Because we want all project users to be able to access in read mode to the whole project and tasks; and then be able to edit (Confirm) only their assigned tasks. Except for the project manager role, who has a different project role type assigned wih Admin default authorization set
  - After making the staffing at project level, this seems to be working fine: all project users have read access assigned at project structure level and rest of tasks, except the project manager who has Admin authorization. And for each task, the user assigned to the task has write permissions.
  - But when a user open the task from the tasks dashboard, and go to the Authorizations tab, then the user has Read permission for the same task, which causes the consequence of not being able to Edit and Confirm.
  Can you guide us to understand why the Write authorization is being overriden to Read at user access? Should not the default authorization “read” at project role type be overwritten by the assignment of the user to the task?
  Maybe is there other configuration setting that is missing or needs to be checked?
  Many thanks in advance,
  Roberto

  Thanks Ravi, I answer your questions:
  1) How did you give write access? - Manually in ACL-Authorisations tab or through selection of responsible role/person in basic tab.
  we use the second option. We create projects from templates that have roles assigned to tasks. After we complete staffing in the project, we assign users (business partners) to each project role. After this, automatically, users are assigned as task Responsible and receive their tasks assigned in the task dashboard.
  Question here: since we do not use Resources, the field responsible resource is not used/filled- Is this required?
  2) Whether the task accessed by the user is in 'Released' status?
  yes, tasks are released, so that ther users receive the task in Tasks Dashboard, but due to the permissions issue, they cannot confirm task
  The only possible workaround we have found to solve the issue is to assign Write authorizations to all users, but at project level. So the consequence is that users can edit all the project tasks (not only their assigned tasks) and we want to avoid that. We want users to have read access to whole project and write access to their assigned tasks (by staffinf Users to roles)
  thanks again for help.
  best regards,
  Roberto

• Is there a way to set the ACLs on a folder so that users cannot copy a file?

  Hello,
  Is there a way to set the ACLs on a folder so that users cannot copy a file?
  I have a customer that wants to put an employee handbook into a FORMS FOLDER. But he doesn't want users to be able to copy the file into other folders or onto removable media.
  Admittedly, I have never run into this before and my testing hasn't yielded an answer...
  Any Ideas?
  Thanks again,
  Robert

  Use third party software for security management (http://www.wave.com/ ,
  http://www.devicelock.com/ ,
  https://www.lumension.com/, etc) . Standard access rights that come with operating system do not go beyong permission/share schema.
  Rgds
  Milos

• TAKEOWN command -- SYSTEM user cannot claim ownership

  Hello,
  I already tried to ask this question over at microsoft answers, but I was forwarded here. ( https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/takeown-system-user-cannot-claim-ownership/42499b15-6939-4c2b-811c-04449dd2a8b2 )
  I've got a question about a matter of principle due to learning, not a particular problem. 
  When one want to take over ownership of files and directories owned by NT SERVICE\TrustedInstaller, one can very easily use the security tab of the properties. Also TAKEOWN and ICACLS works on an elevated cmd.
  However, TAKEOWN does not work for particular situations when you are system user.
  Here is my situation:
  For learning purposes I want to add (full) permissions to "C:\Program Files\WindowsApps" to my user account with administrator privileges ("VankogSolid\Daniel").
  To this folder only TrustedInstaller has full access. While System user has RWX to this sole folder and machine administrators have R-X rights for the whole folder. My own account has no explicit appearance:
  (cannot post pictures, therefore do it yourself:)
  http://fud.community.services.support.microsoft.com/Fud/FileDownloadHandler.ashx?fid=3abf52bb-8ef9-46aa-8dcc-07a26d778680
  side question: 
  Even though my user has admin privileges it has no privileges at all for this folder. Accessing it is denied by the system. 
  Yes, my user is not listed in the permission entries, but shouldn't it be part of "Administrators" and therefore be able to read it?
  OK, so to add my account to the permissions list I need to get ownership of the folder first and then set the permissions.
  Doing this via GUI and on an elevated cmd via TAKEOWN with ICACLS works on my account.
  But now the problem:
  Why does TAKEOWN not work as SYSTEM user?
  Here is what I mean: 
  Because I am curious and I think it might be of better security concern (debatable), I wanted to set the owner of the folder to SYSTEM and let SYSTEM set my account permissions.
  So I opened a cmd as SYSTEM user while in the context of my windows logon screen and tried TAKEOWN:
  c:\Windows\System32>whoami
  nt authority\system
  c:\Windows\System32>takeown /F "%Programfiles%\WindowsApps"
  ERROR: The current logged on user does not have ownership privileges on
         the file (or folder) "C:\Program Files\WindowsApps".
  Main question:
  OK, what's going on here? Why is he unable to claim ownership as SYSTEM? He has RWX, while even administrators only have R-X.
  Thx for your explainings!

  Comments embedded
  Hi ,
  I’m facing problem with oracle user,
  Oracle 10G R(2).Windows Xp
  Application in .NET
  1)I create user:Please post complete command
  >
  2)Then I check current session using this select”
  "SELECT SID, SERIAL# FROM V$SESSION WHERE UserName =
  Please post the complete command.
  3)Then I execute this statement from application”
  ALTER SYSTEM KILL SESSION '{sid},{serialno}'
  IMMEDIATE”
  Please post the complete command
  4)In our scenario user is no more connected. How did you verify? Please post the complete command.
  >
  5) Now when we run below this statement from
  application oracle gives an error”CANNOT DROP THE
  USER THAT IS CURRENTLY CONNECTED” So the user is still connected.
  Which user are you trying to drop? Yourself?
  Again, please post the complete command.
  >
  DROP USER {0} CASCADE
  Please advice.
  Faheem LatifMy advice is you either provide sufficient detail, including all commands, and stop relying on crystal balls and fortunetellers.
  No one here was looking over your shoulder, so no one can tell what happened, without you providing sufficient clues. I agree with you this is cumbersome, and doesn't comply with your custom to dump everything here, not doing any research yourself.
  Sybrand Bakker
  Senior Oracle DBA

• PC users cannot open my Pages-exported PDF documents

  Has anyone encountered this? When I want to give someone a PDF, I need to export it from Pages, choose "Open with Adobe Reader," and then re-save from Reader as a different name. (If I just export from Pages, some PC users cannot open it.) When I look at the file information for these two supposed PDFs, the one that's only exported from Pages says "Portable Document Format (PDF)" and the one opened and resaved with Reader says "Adobe PDF Document." What's going on here? Is there a reason my PC friends can't open a Pages-generated PDF?

  Thanks for the suggestions. Funny, when I changed the "Open With" selection inside the "File Info" box to tell it to use Reader, it it still tells me in the "General" information section that it's a "Portable Document Format (PDF)", but it does replace the "Preview" icon in the upper left with the Adobe logo. Only the version that I physically opened with Reader and re-saved lists the "Kind" of document as an "Adobe PDF Document". Wacky.
  Regarding the extension, when I exported from Pages, the "Hide Extension" box was unchecked in the "Save" window, yet the file's PDF extension is in fact hidden (and the "File Info" box also says it's hidden). What's up with that? Grr.
  Seems like a small bug--now I just have to get some PC-using friends to let me know which ones they can open! Thanks for your (tres rapide) help guys!

• Users cannot edit a shared calendar of a shared mailbox that was deleted from the cloud and recreated on premise

  Description:
  The following example account [email protected] is an on premise AD account being used as a shared mailbox in the cloud. We have discovered that regardless of what we do, not a single user can edit the calendar entries.
  The following message is shown in Outlook Click to Run 2013 when an entry. "New appointment" button is also greyed out, including "Calendar Permissions" and some others.
  This problem started when the shared mailbox was created wrongly by creating it in the cloud first and we had to delete it and start over. The "in the cloud" user was deleted and the same user was created in AD on-premise with the same account name
  and then Dir Synced with the cloud. A license was assigned, a user mailbox on exchange online created and the type was converted to a shared mailbox and Editor rights were defined on the calendar folder for specific users.
  Actions performed:
  Action01: gave users Editor rights on calendar folder through powershell
  Result01: Rights correctly added and can be seen when get-mailboxfolderpermission is ran
  Action02: Opened calendar with Outlook and tried to edit entries
  Result02: Error message pops up saying "You don't have permission to create an entry in this folder. Right click the folder and check..."
  Action03: Opened calendar with OWA of users
  Result03: Users can edit the shared calendar on OWA
  Action04: Gave users Full Access permission on mailbox with automapping on
  Result04: Users can edit calendar in Outlook
  Action05: Gave users Full Access permission on mailbox with automapping off (mailbox no longer visible in outlook)
  Result05: Users cannot edit calendar in Outlook
  Action06: Removed Full Access permission on mailbox for users
  Result06: User cannot edit calendar in Outlook
  Action07: Removed [email protected] from on-premise AD, performed dirsync, removed account from ms online using remove-msoluser -removefromrecyclebin
  Result07: No trace of the account was anywhere to be found.
  Action08: Created new [email protected] account on on-premise AD, assigned o365 license to user including exchange online license
  Result08: New empty Exchange online mailbox was created
  Action09: gave users Editor rights on calendar folder through powershell
  Result09: Rights correctly added and can be seen when get-mailboxfolderpermission is ran
  (Note: whenever mailboxfolder permissions are modified for this mailbox it's as if they are ran THREE times in a row, the first time they are applied and the powershell gives immediately 3 exceptions behind this:
  An existing permission entry was found for user: [email protected]
      + CategoryInfo          : NotSpecified: (:) [Add-MailboxFolderPermission], UserAlreadyExis...nEntryException
      + FullyQualifiedErrorId : [Server=DBXPR05MB046,RequestId=3b3e080e-9aaf-4db9-9b90-b7171d59eba2,TimeStamp=7/11/2014
     8:15:39] [FailureCategory=Cmdlet-UserAlreadyExistsInPermissionEntryException] 57078FCD,Microsoft.Exchange.Manageme
    nt.StoreTasks.AddMailboxFolderPermission
      + PSComputerName        : outlook.office365.com
  Any other mailbox does not do this when setting mailboxfolder permissions)
  Action10: Opened calendar with Outlook and tried to edit entries
  Result10: Error message pops up saying "You don't have permission to create an entry in this folder. Right click the folder and check..."
  Action11: Tried on a fresh new pc with first time logon
  Result11: did not help
  Additional information:
  We have seen this problem with another user which was recreated, when he shares his calendar with others and people get the calendar invite email and click "Open Calendar" they receive a popup "The folder cannot be found".
  My first impression points to a corruption/bug in the GAL on exchange online, since we're using o365 for midsize bussinesses we cannot use the AdressList role to expose the adresslist cmdlts for deeper troubleshooting.
  PS:
  Issue tested on different computers and with different user accounts, not a single user can edit the calendar of [email protected] when editor rights are given.
  Noticed when editing rights for the shared mailbox in powershell after the first confirmation line
  Office 2013 is click to run was updated to latest version, version number: 15.0.4659.1001

  Greetings Gil,
  I haven't heard of that one.
  Questions:
  Does the calendar in question show up in the "Subscriptions" category of iCal?
  If you remove all accounts from iCal > Preferences > Accounts and quit and re-open iCal, does the calendar in question vanish? If so, does the calendar come back when you re-input the servers you need into  iCal > Preferences > Accounts?
  Can you provide a screen shot of your calendar sidebar.
  While you answer those questions, some troubleshooting to try:
  Try dragging one of your other calendars above this calendar that won't delete and then quit / re-open iCal and attempt to delete the calendar in question.
  Failing that:
  1. First make an iCal backup:  Click on each calendar on the left hand side of iCal one at a time highlighting it's name and then going to File Export > Export and saving the resulting calendar file to a logical location for safekeeping.
  2. Go to iCal > Quit iCal
  3. Remove the following to the trash and restart your computer:
  Home > Library > Caches > com.apple.ical
  Home > Library > Calendars > Calendar Cache, Cache, Cache 1, 2, 3, etc. (Do not remove Sync Cache or Theme Cache if present)
  4. Launch iCal and test.
  If the issue persists at this point:
  Remove the following to the trash and restart your computer:
  Home > Library > Caches > com.apple.ical
  Home > Library > Calendars > Calendar Cache, Cache, Cache 1, 2, 3, etc. (Do not remove Sync Cache or Theme Cache if present)
  Home > Library > Preferences > com.apple.ical (There may be more than one of these. Remove them all.)
  ---NOTE: Removing these files may remove any shared (CalDAV) calendars you may have access to. You will have to re-add those calendars to iCal > Preferences > Accounts.
  Hope that helps!

• Standart Portal User cannot see Website created with WPC?!?

  Hi there,
  just a new Question.
  I created a Website with WPC as shown in this Blog:
  https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/5924
  Web Page Composer u2013 how easy it is to create and publish a web page (Part III)
  I created also a User that have rights:
  Groups:
  Everyone
  Authenticated Users
  Roles:
  Testrole  (That one i created for the Website)
  But my user cannot see the Website after Logging in.. In the Menu there is a Menuentry called: Website
  Thats correct. But the Site do not load.
  After i put the User in: Group - Administrators i can see the Website... whats wrong here?
  Regards
  Bjoern

  OK i am a step forward.
  i checked help.sap.com and find a hint to the Security Zones.
  Defining Permissions for Security Zones
         1.      Navigate to Security Zones ® com.sap.nw.wpc ® wpc.
         2.      In the context menu of the following folders, choose Open Permissions and define the permissions specified.
  Permissions for Security Zones
  Folders
  Roles/Groups
  Permissions
  medium_safety
  Site owners, editors, and authors (for example, the wpc_editor_role role)
  Select the End User checkbox.
  You can leave the default entry for the Administrator column as None.
  no_safety
  Visitors (for example, the everyone group)
  Select the End User checkbox.
  You can leave the default entry for the Administrator column as None.
  I changed the no_safety (i added Group - Everyone)
  Now i can see the Page.. but i also see at the top right of the page: EDIT PAGE
  And a Standart EndUser should not see: Edit Page
  What can i do here?
  Regards
  Bjoern

• How to set "User cannot change password" on W2K accounts.

  Hi gurus,
  I need to set (from create user form) "User cannot change password" on W2K accounts.
  I was expected that some value of userAccountControl attribute on AD could do the job, but I realized that it is not so (look also to http://forum.java.sun.com/thread.jspa?threadID=593193&messageID=3108889).
  Thanks for any suggestion.

  Yeah thats right, I have implemented the same using nTSecurityDescriptor attribute