BTP - Application Job (Authorization)
How can a user execute a job and what permissions do they need to do so? In this article we will go into the details and which objects the developer needs to create.
Table of contents
One point that should usually take place after implementation is the assignment of permissions. Not everyone should be able to carry out the job, perhaps because subsequent authorizations are missing or major damage could occur to the system. That's why in this article we'll take a look at the topic of permissions.
Introduction
An important part of the application job is the granting of authorizations. If you've developed your jobs in the development system so far, you probably haven't noticed that you have permissions to all jobs. However, as soon as you open the “Application Jobs” app in test or production, it will be empty. Here you first have to create the appropriate permissions as a developer so that your permissions admin can create the role. In the following sections we will walk through each step of the process.
Business Catalog
First, the developer must create a business catalog. A business catalog bundles various authorizations for jobs, but also apps. If you check the folder structure in the package, you will notice that an object has already been created under "IAM App", although you did not explicitly create it. The IAM app was also generated using the job catalog template.
Let's now create the business catalog. To do this, we can search for the catalog object via the current package by right-clicking in the context menu and selecting the option "New -> Other ABAP Repository Object".
We now give the object a name and a description and can assign it to a transport.
After the business catalog has been created, we can assign our SAJC object in the “Apps” tab. Simply select and confirm using the “Add…” button. This assigns the authorization for the job to the Business Catalog. We don't need to make any further settings here other than publishing the catalog with "Publish Locally".
Role
The next step is carried out by the authorization administrator in the system. To do this, we switch to the system's launchpad and open the "Maintain Business Roles" app (F1492).
Using the “New” button we create a new role and give it a name and a description. We can then assign user and business catalogs.
We should at least assign our created object as a business catalog, but with the role alone we still need the "Application Jobs" app to schedule the job. Here we can assign the catalog “SAP_CORE_BC_APJ_JCE”.
Hint: The role can then be adopted via a customizing transport or created individually on each system. We recommend distribution via transport and software components in order to have a uniform status on all systems.
Conclusion
The creation of the business catalog and the role is important for execution on the test and production system, but is quickly forgotten. This article should now make it clear who should create which objects in the development process.