<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
Thanks, Mike. This will be a welcome addition to the case we are building. The last paragraph about rogue code is spot on.<br><br>Ed<br><br>> Date: Thu, 9 Jun 2011 12:26:10 +0100<br>> Subject: RE: SAP_ALL SAP_NEW<br>> From: wug@workflowconnections.com<br>> To: sap-wug@mit.edu<br>> <br>> Hi Ed,<br>> <br>> Just to add my 2p: On more than one occasion I've also had errors that<br>> seemingly had absolutely nothing to do with auths, but in the end were due<br>> to a missing SAP_ALL and took several days to hunt down.<br>> <br>> Point them to the official SAP doco on the matter, which is quite explicit<br>> about SAP_ALL. As Jocelyn already indicated, the use of WF-BATCH in the first<br>> place is often to INCREASE security by not allowing the users to perform<br>> certain actions directly. The fact that different people all develop<br>> workflows means they now all need to keep WF-BATCH auths up to date -<br>> maintenance chaos.<br>> <br>> Lastly, IMHO, putting a rogue piece of code into production is a far<br>> easier and less noticeable way to do dirty deeds than trying to hack<br>> WF-BATCH passwords unnoticed, so we're really chasing a hypothetically<br>> very difficult scenario. It's a bit like locking your bathroom door to<br>> stop someone breaking into your house!<br>> <br>> Cheers,<br>> Mike<br>> <br>> <br>> On Fri, June 3, 2011 1:46 pm, Edward Diehl wrote:<br>> ><br>> > Thank you so much Mike, this is exactly the kind of feedback I was looking<br>> > for. Whether this will "get through" or not, only time will tell, but at<br>> > least they have some information from the real world.<br>> ><br>> > Also, Jocelyn, I appreciate your comments and passed them along with<br>> > Mike's. 
Hoary is right!<br>> ><br>> > Ed<br>> ><br>> > From: madgambler@hotmail.com<br>> > To: sap-wug@mit.edu<br>> > Subject: RE: SAP_ALL SAP_NEW<br>> > Date: Thu, 2 Jun 2011 22:39:29 +0000<br>> ><br>> ><br>> ><br>> ><br>> ><br>> ><br>> ><br>> ><br>> > My sympathies.<br>> ><br>> ><br>> ><br>> > I've seen 2 clients try and fail dismally to not give WF-BATCH SAP_ALL and<br>> > instead try and cobble together their own profile for a while in the<br>> > misguided belief it would be a more 'secure' approach.<br>> ><br>> ><br>> ><br>> > In both cases the urge was brought on by some Audit report that overlooked<br>> > the need to keep system user profiles up to date with authorisation object<br>> > changes or face potentially huge work backloads trying to sort out the<br>> > mess when inevitably someone missed something they couldn't be expected to<br>> > have spotted coming through via an OSS Note of custom change or whatever.<br>> ><br>> ><br>> ><br>> > In the end, the amount of new software patches, enhancement packs and<br>> > upgrades forced them to change their minds and instead invest some<br>> > confidence in their SAP Basis people to keep the Workflow password setting<br>> > under lock and key - just as they would normally do with other user<br>> > profiles like the 'normal' BATCH.<br>> ><br>> ><br>> ><br>> > I hope sense prevails eventually for you...<br>> ><br>> ><br>> ><br>> > Mike GT<br>> ><br>> ><br>> ><br>> ><br>> > From: edwarddiehl@hotmail.com<br>> > To: sap-wug@mit.edu<br>> > Subject: RE: SAP_ALL SAP_NEW<br>> > Date: Thu, 2 Jun 2011 15:23:22 -0500<br>> ><br>> ><br>> ><br>> ><br>> > Yes, thanks Mike. What we're dealing with here is a bureaucracy.<br>> ><br>> ><br>> ><br>> > From: madgambler@hotmail.com<br>> > Subject: Re: SAP_ALL SAP_NEW<br>> > Date: Thu, 2 Jun 2011 21:02:04 +0100<br>> > To: madgambler@hotmail.com<br>> > CC: sap-wug@mit.edu<br>> ><br>> ><br>> > Ah my bad, you explained your WF-BATCH user hasn't been given this for<br>> > some reason? 
Um, why would you do that? Surely you need your Workflows to<br>> > have almost superuser auths?<br>> ><br>> ><br>> > Mike GT<br>> ><br>> > Sent from my iPhone<br>> ><br>> > On 2 Jun 2011, at 21:00, Madgambler &lt;madgambler@hotmail.com&gt; wrote:<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Presumably you have tried regenerating SAP_ALL in the target system?<br>> ><br>> ><br>> > Worth a mention just in case somebody forgot?<br>> ><br>> ><br>> > Mike GT<br>> ><br>> > Sent from my iPhone<br>> ><br>> > On 2 Jun 2011, at 20:41, Edward Diehl &lt;edwarddiehl@hotmail.com&gt; wrote:<br>> ><br>> ><br>> ><br>> ><br>> > Thanks, Eddie, but therein lies the problem. We've applied the note and<br>> > we are still left with tasks failing because of no-authorization - and<br>> > these failed to show up on the Security's authorization trace.<br>> ><br>> > As I asked, is anyone out there successfully using workflow where WF-BATCH<br>> > does not have SAP_ALL AND SAP_NEW?<br>> ><br>> > Ed<br>> ><br>> ><br>> ><br>> > From: eddie.morris@sap.com<br>> > To: sap-wug@mit.edu<br>> > Date: Thu, 2 Jun 2011 20:54:19 +0200<br>> > Subject: RE: SAP_ALL SAP_NEW<br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Hi Ed,<br>> ><br>> > Take a look at note 1251255 which introduces SAP_BC_BMT_WFM_SERV_USER. It<br>> > takes care of the authorization for the workflow runtime but you still<br>> > need to add application specific authorizations.<br>> ><br>> > KBA 1574002 also gives details.<br>> ><br>> > Regards,<br>> > Eddie<br>> ><br>> ><br>> ><br>> > From: sap-wug-bounces@mit.edu [mailto:sap-wug-bounces@mit.edu] On Behalf<br>> > Of Edward Diehl<br>> > Sent: 02 June 2011 19:33<br>> > To: sap-wug@mit.edu<br>> > Subject: RE: SAP_ALL SAP_NEW<br>> ><br>> > Is anyone out there successfully using workflow with WF-BATCH carrying<br>> > something other than SAP_ALL &amp; SAP_NEW security roles?<br>> ><br>> > I'm sure many of you have confronted this issue. 
I would be interested to<br>> > hear your experience(s).<br>> ><br>> > Thanks,<br>> > Ed<br>> > _______________________________________________ SAP-WUG mailing list<br>> > SAP-WUG@mit.edu http://mailman.mit.edu/mailman/listinfo/sap-wug<br></body>
</html>