<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
My sympathies.<BR>
<BR>
I've seen 2 clients try and fail dismally to not give WF-BATCH SAP_ALL and instead try and cobble together their own profile for a while in the misguided belief it would be a more 'secure' approach. <BR>
<BR>
In both cases the urge was brought on by some Audit report that overlooked the need to keep system user profiles up to date with authorisation object changes or face potentially huge work backloads trying to sort out the mess when inevitably someone missed something they couldn't be expected to have spotted coming through via an OSS Note of custom change or whatever.<BR>
<BR>
In the end, the amount of new software patches, enhancement packs and upgrades forced them to change their minds and instead invest some confidence in their SAP Basis people to keep the Workflow password setting under lock and key - just as they would normally do with other user profiles like the 'normal' BATCH.<BR>
<BR>
I hope sense prevails eventually for you...<BR>
<BR>
Mike GT<BR> <BR>
<HR id=stopSpelling>
From: edwarddiehl@hotmail.com<BR>To: sap-wug@mit.edu<BR>Subject: RE: SAP_ALL SAP_NEW<BR>Date: Thu, 2 Jun 2011 15:23:22 -0500<BR><BR>
<META name=Generator content="Microsoft SafeHTML">
<STYLE>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Tahoma;}
</STYLE>
Yes, thanks Mike. What we're dealing with here is a bureaucracy. <BR><BR>
<HR id=ecxstopSpelling>
From: madgambler@hotmail.com<BR>Subject: Re: SAP_ALL SAP_NEW<BR>Date: Thu, 2 Jun 2011 21:02:04 +0100<BR>To: madgambler@hotmail.com<BR>CC: sap-wug@mit.edu<BR><BR>
<DIV>Ah my bad, you explained your WF-BATCH user hasn't been given this for some reason? Um, why would you do that? Surely you need your Workflows to have almost superuser auths?</DIV>
<DIV><BR></DIV>
<DIV>Mike GT<BR><BR>Sent from my iPhone</DIV>
<DIV><BR>On 2 Jun 2011, at 21:00, Madgambler <<A href="mailto:madgambler@hotmail.com">madgambler@hotmail.com</A>> wrote:<BR><BR></DIV>
<DIV></DIV>
<BLOCKQUOTE>
<DIV>
<DIV>Presumably you have tried regenerating SAP_ALL in the target system?</DIV>
<DIV><BR></DIV>
<DIV>Worth a mention just in case somebody forgot?</DIV>
<DIV><BR></DIV>
<DIV>Mike GT<BR><BR>Sent from my iPhone</DIV>
<DIV><BR>On 2 Jun 2011, at 20:41, Edward Diehl <<A href="mailto:edwarddiehl@hotmail.com"></A><A href="mailto:edwarddiehl@hotmail.com">edwarddiehl@hotmail.com</A>> wrote:<BR><BR></DIV>
<DIV></DIV>
<BLOCKQUOTE>
<DIV>Thanks, Eddie, but therein lies the problem. We've applied the note and we are still left with tasks failing because of no-authorization - and these failed to show up on the Security's authorization trace.<BR><BR>As I asked, is anyone out there successfully using workflow where WF-BATCH does not have SAP_ALL AND SAP_NEW?<BR><BR>Ed<BR><BR>
<HR id=ecxstopSpelling>
From: <A href="mailto:eddie.morris@sap.com"></A><A href="mailto:eddie.morris@sap.com"></A><A href="mailto:eddie.morris@sap.com">eddie.morris@sap.com</A><BR>To: <A href="mailto:sap-wug@mit.edu"></A><A href="mailto:sap-wug@mit.edu"></A><A href="mailto:sap-wug@mit.edu">sap-wug@mit.edu</A><BR>Date: Thu, 2 Jun 2011 20:54:19 +0200<BR>Subject: RE: SAP_ALL SAP_NEW<BR><BR>
<STYLE>
.ExternalClass p.ecxMsoNormal, .ExternalClass li.ecxMsoNormal, .ExternalClass div.ecxMsoNormal
{margin-bottom:.0001pt;font-size:12.0pt;font-family:'Times New Roman','serif';}
.ExternalClass a:link, .ExternalClass span.ecxMsoHyperlink
{color:blue;text-decoration:underline;}
.ExternalClass a:visited, .ExternalClass span.ecxMsoHyperlinkFollowed
{color:purple;text-decoration:underline;}
.ExternalClass p
{margin-right:0cm;margin-left:0cm;font-size:12.0pt;font-family:'Times New Roman','serif';}
.ExternalClass span.ecxEmailStyle18
{font-family:'Calibri','sans-serif';color:#1F497D;}
.ExternalClass .ecxMsoChpDefault
{font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;}
.ExternalClass div.ecxWordSection1
{page:WordSection1;}
</STYLE>
<DIV class=ecxWordSection1>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">Hi Ed,</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: rgb(31,73,125); FONT-SIZE: 11pt"> </SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">Take a look at note 1251255 which introduces SAP_BC_BMT_WFM_SERV_USER. It takes care of the authorization for the workflow runtime but you still need to add application specific authorizations.</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: rgb(31,73,125); FONT-SIZE: 11pt"> </SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">KBA 1574002 also gives details.</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: rgb(31,73,125); FONT-SIZE: 11pt"> </SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">Regards,</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">Eddie</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: rgb(31,73,125); FONT-SIZE: 11pt"> </SPAN></P>
<DIV>
<DIV style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0cm; PADDING-LEFT: 0cm; PADDING-RIGHT: 0cm; BORDER-TOP: rgb(181,196,223) 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<P class=ecxMsoNormal><B><SPAN style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">From:</SPAN></B><SPAN style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt"> <A href="mailto:sap-wug-bounces@mit.edu"></A><A href="mailto:sap-wug-bounces@mit.edu">sap-wug-bounces@mit.edu</A> [mailto:sap-wug-bounces@mit.edu] <B>On Behalf Of </B>Edward Diehl<BR><B>Sent:</B> 02 June 2011 19:33<BR><B>To:</B> <A href="mailto:sap-wug@mit.edu"></A><A href="mailto:sap-wug@mit.edu"></A><A href="mailto:sap-wug@mit.edu">sap-wug@mit.edu</A><BR><B>Subject:</B> RE: SAP_ALL SAP_NEW</SPAN></P></DIV></DIV>
<P class=ecxMsoNormal> </P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">Is anyone out there successfully using workflow with WF-BATCH carrying something other than SAP_ALL & SAP_NEW security roles?<BR><BR>I'm sure many of you have confronted this issue. I would be interested to hear your experience(s).<BR><BR>Thanks,<BR>Ed </SPAN></P></DIV><BR>_______________________________________________ SAP-WUG mailing list <A href="mailto:SAP-WUG@mit.edu"></A><A href="mailto:SAP-WUG@mit.edu">SAP-WUG@mit.edu</A> <A href="http://mailman.mit.edu/mailman/listinfo/sap-wug" target=_blank></A><A href="http://mailman.mit.edu/mailman/listinfo/sap-wug" target=_blank>http://mailman.mit.edu/mailman/listinfo/sap-wug</A> </DIV></BLOCKQUOTE>
<BLOCKQUOTE>
<DIV><SPAN>_______________________________________________</SPAN><BR><SPAN>SAP-WUG mailing list</SPAN><BR><SPAN><A href="mailto:SAP-WUG@mit.edu"></A><A href="mailto:SAP-WUG@mit.edu">SAP-WUG@mit.edu</A></SPAN><BR><SPAN><A href="http://mailman.mit.edu/mailman/listinfo/sap-wug" target=_blank></A><A href="http://mailman.mit.edu/mailman/listinfo/sap-wug" target=_blank>http://mailman.mit.edu/mailman/listinfo/sap-wug</A></SPAN><BR></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE><BR>_______________________________________________ SAP-WUG mailing list SAP-WUG@mit.edu http://mailman.mit.edu/mailman/listinfo/sap-wug <BR>_______________________________________________ SAP-WUG mailing list SAP-WUG@mit.edu http://mailman.mit.edu/mailman/listinfo/sap-wug </body>
</html>