<div dir="ltr"><div>G'day Kjetil,</div><div><br></div><div>Some clients, such as this Govt example, have such complicated rules regarding who should approve what based on who ordered, what was ordered and where it was costed to that Release Codes are simply impractical both from a definition, config and security allocation perspective. </div><div><br></div><div>Beyond this my statement around SoD is that security alone (Release Code based or otherwise) can not prevent self approval. There are many instances where someone needs to have the ability to key documents and approve identical documents, just not approve the documents they keyed. I've heard this quaintly referred to as "the four eyes principle". </div><div><br></div><div>WFs based on User Decision steps (where there is no authority check) with WF-BATCH performing the Release is my preferred method where either such requirement exists. Users have no access to the direct Release transactions at all, and the WF agent determination logic, however it's implemented (be it Resp Rules, BRF+, custom code) is the source of control, not allocation of security Roles. The power of "excluded" agents provides more control than Security ever can.</div><div><br></div><div>Regarding updating change logs to say something other than WF-BATCH, I push back on this. WF-BATCH did perform the Release. If you want to know who was involved in the approval review the WF log. This means when someone is given "fire fighter" exceptional access to perform a manual release it's obvious from the Change Logs. </div><div><br></div><div>Still keen to know if anyone does know of any issues of WF-BATCH PReq Release....</div><div><br></div><div>Have fun,</div><div>Mark</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 24 August 2016 at 08:44, Kjetil Kilhavn <span dir="ltr"><<a href="mailto:list.sap-wug@vettug.no" target="_blank">list.sap-wug@vettug.no</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>onsdag 17. august <a href="tel:2016%2007.37.43" value="+12016073743">2016 07.37.43</a> CEST skrev Mark Pyc:<br>
> I'm all for user decision, system update. It's the only practical way to<br>
> ensure true instance level SoD<br>
<br>
</span>Could you be bothered to elaborate on that?<br>
I fail to see any advantages in terms of Segregation of Duties (assuming that<br>
is what you refer to) achieved by letting the user execute a user decision<br>
task as opposed to, in this case, a task that starts transaction ME54N?<br>
My point being that I don't see what you can do in your decision task that you<br>
couldn't just as well do with the task delivered by SAP. So, perhaps its just<br>
because I am not looking at it from the right perspective.<br>
<span><br>
<br>
> If anyone does know of issues of background release I'd love details.<br>
> I don't intend to hack around them, I'll be bitching to SAP to get them<br>
> resolved.<br>
</span>It's not really an issue of background release, but when a user approves the<br>
release code in ME54N or ME28 an event terminates the work item. This means<br>
you can also hook up other workflows.<br>
<br>
Plus, if you are preventing business users from using ME28/ME54N:<br>
>From a user perspective: choice between ME28/ME54N and workflow inbox.<br>
>From a solution design perspective: you can choose to not use workflow for some<br>
release codes.<br>
<span class="HOEnZb"><font color="#888888">--<br>
Kjetil Kilhavn / Vettug AS (<a href="http://www.vettug.no" target="_blank" rel="noreferrer">http://www.vettug.no</a>)<br>
</font></span><div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
SAP-WUG mailing list<br>
<a href="mailto:SAP-WUG@mit.edu">SAP-WUG@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/sap-wug" target="_blank" rel="noreferrer">http://mailman.mit.edu/<wbr>mailman/listinfo/sap-wug</a><br>
</div></div></blockquote></div><br></div>