<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.ecxmsonormal, li.ecxmsonormal, div.ecxmsonormal
        {mso-style-name:ecxmsonormal;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.ecxmsochpdefault, li.ecxmsochpdefault, div.ecxmsochpdefault
        {mso-style-name:ecxmsochpdefault;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.ecxmsohyperlink
        {mso-style-name:ecxmsohyperlink;}
span.ecxmsohyperlinkfollowed
        {mso-style-name:ecxmsohyperlinkfollowed;}
span.ecxemailstyle18
        {mso-style-name:ecxemailstyle18;}
p.ecxmsonormal1, li.ecxmsonormal1, div.ecxmsonormal1
        {mso-style-name:ecxmsonormal1;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.ecxmsohyperlink1
        {mso-style-name:ecxmsohyperlink1;
        color:blue;
        text-decoration:underline;}
span.ecxmsohyperlinkfollowed1
        {mso-style-name:ecxmsohyperlinkfollowed1;
        color:purple;
        text-decoration:underline;}
span.ecxemailstyle181
        {mso-style-name:ecxemailstyle181;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
p.ecxmsochpdefault1, li.ecxmsochpdefault1, div.ecxmsochpdefault1
        {mso-style-name:ecxmsochpdefault1;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:10.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle28
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-AU link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Edward, <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>FYI Don&#8217;t forget that if you have HR you also need to give WF-BATCH blanket HR Structural Auths... which is controlled through a configuration table. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>A few approaches that I find useful when this hoary old question comes up.... <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Have you checked to see if they have any Batch / System / Communication users with SAP_ALL, SAP_NEW for running batch jobs or to support integration?&nbsp; WF-BATCH user id should be positioned as that type of user.&nbsp;&nbsp; After all the point is that WF-BATCH is being used to AVOID giving dialog users additional security but still give access to relevant process information in a controlled manner.&nbsp;&nbsp; &nbsp;&nbsp;Also all activities by WF-BATCH and by dialog users are being logged as part of the workflow log. &nbsp;You need to get down to what are their real concerns and pick them off one by one... don&#8217;t forget to throw in the TCO of continually adjusting WF-BATCH security and the disruption to the business that would cause as processes fail due to authorisation issues. &nbsp;&nbsp;And talk about Best Practice &#8211; Best Practice is NOT to restrict WF-BATCH for all of the above reasons and because as Mike indicates... continuing pain follows thereafter for what is often an esoteric concern about possible exposure. 
<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Good luck.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Jocelyn <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> sap-wug-bounces@mit.edu [mailto:sap-wug-bounces@mit.edu] <b>On Behalf Of </b>Mike Gambier<br><b>Sent:</b> Friday, 3 June 2011 8:39 AM<br><b>To:</b> sap-wug@mit.edu<br><b>Subject:</b> RE: SAP_ALL SAP_NEW<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>My sympathies.<br>&nbsp;<br>I've seen 2 clients try and fail dismally&nbsp;to not&nbsp;give WF-BATCH&nbsp;SAP_ALL and instead try and cobble together their own profile for a while in the misguided belief it would be a more 'secure' approach. 
<br>&nbsp;<br>In both cases the urge was brought on by some Audit report that overlooked the need to keep system user profiles up to date with authorisation object changes or face potentially huge work backloads trying to sort out the mess when inevitably someone missed something they couldn't be expected to have spotted coming through via an OSS Note of custom change or whatever.<br>&nbsp;<br>In the end, the amount of new software patches, enhancement packs and upgrades forced them to change their minds and instead invest some confidence in their SAP Basis&nbsp;people to keep the Workflow password setting under lock and key - just as they would normally do with other user profiles like the 'normal' BATCH.<br>&nbsp;<br>I hope sense prevails eventually for you...<br>&nbsp;<br>Mike GT<br>&nbsp;<o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><hr size=2 width="100%" align=center id=stopSpelling></span></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From: edwarddiehl@hotmail.com<br>To: sap-wug@mit.edu<br>Subject: RE: SAP_ALL SAP_NEW<br>Date: Thu, 2 Jun 2011 15:23:22 -0500<br><br>Yes, thanks Mike.&nbsp; What we're dealing with here is a bureaucracy.&nbsp; <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><hr size=2 width="100%" align=center id=ecxstopSpelling></span></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From: madgambler@hotmail.com<br>Subject: Re: SAP_ALL SAP_NEW<br>Date: Thu, 2 Jun 2011 21:02:04 +0100<br>To: madgambler@hotmail.com<br>CC: sap-wug@mit.edu<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Ah my bad, you explained your WF-BATCH user hasn't been given this 
for some reason? Um, why would you do that? Surely you need your Workflows to have almost superuser auths?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p>&nbsp;</o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Mike GT<br><br>Sent from my iPhone<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br>On 2 Jun 2011, at 21:00, Madgambler &lt;<a href="mailto:madgambler@hotmail.com">madgambler@hotmail.com</a>&gt; wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Presumably you have tried regenerating SAP_ALL in the target system?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p>&nbsp;</o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Worth a mention just in case somebody forgot?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p>&nbsp;</o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Mike GT<br><br>Sent from my iPhone<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br>On 2 Jun 2011, at 20:41, Edward Diehl &lt;<a href="mailto:edwarddiehl@hotmail.com">edwarddiehl@hotmail.com</a>&gt; wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Thanks, Eddie, but therein lies the problem.&nbsp; We've applied the 
note and we are still left with tasks failing because of no-authorization - and these failed to show up on the Security's authorization trace.<br><br>As I asked, is anyone out there successfully using workflow where WF-BATCH does not have SAP_ALL AND SAP_NEW?<br><br>Ed<o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><hr size=2 width="100%" align=center id=ecxstopSpelling></span></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From: <a href="mailto:eddie.morris@sap.com">eddie.morris@sap.com</a><br>To: <a href="mailto:sap-wug@mit.edu">sap-wug@mit.edu</a><br>Date: Thu, 2 Jun 2011 20:54:19 +0200<br>Subject: RE: SAP_ALL SAP_NEW<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Ed,</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Take a look at note 1251255 which introduces SAP_BC_BMT_WFM_SERV_USER. 
It takes care of the authorization for the workflow runtime but you still need to add application specific authorizations.</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>KBA 1574002 also gives details.</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Regards,</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Eddie</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:sap-wug-bounces@mit.edu">sap-wug-bounces@mit.edu</a> [mailto:sap-wug-bounces@mit.edu] <b>On Behalf Of </b>Edward Diehl<br><b>Sent:</b> 02 June 2011 19:33<br><b>To:</b> <a href="mailto:sap-wug@mit.edu">sap-wug@mit.edu</a><br><b>Subject:</b> RE: SAP_ALL 
SAP_NEW<o:p></o:p></span></p></div></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>&nbsp;<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Is anyone out there successfully using workflow with WF-BATCH carrying something other than SAP_ALL &amp; SAP_NEW security roles?<br><br>I'm sure many of you have confronted this issue.&nbsp; I would be interested to hear your experience(s).<br><br>Thanks,<br>Ed <o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br>_______________________________________________ SAP-WUG mailing list <a href="mailto:SAP-WUG@mit.edu">SAP-WUG@mit.edu</a> <a href="http://mailman.mit.edu/mailman/listinfo/sap-wug" target="_blank">http://mailman.mit.edu/mailman/listinfo/sap-wug</a> <o:p></o:p></span></p></div></blockquote></div></blockquote></div></body></html>