<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Hi Mark,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Hope you are well!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Through the 90’s and 00’s I set up numerous PR and PO workflows where the release was carried out after approval by a User Decision
… I don’t recall any issues I couldn’t get around (though I was pretty good in those days;-). I just looked at some documentation from an old project where I made the following note about a new method I created on ZBUS2009:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif">ZRelease</span></b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif">– Background synchronous method to release the requisition line using BAPI_REQUISITION_RELEASE.
In case of locking the method raises a temporary error, for other errors an application error is raised to error the workflow.</span><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Mark
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> sap-wug-bounces@mit.edu [mailto:sap-wug-bounces@mit.edu]
<b>On Behalf Of </b>Mark Pyc<br>
<b>Sent:</b> 24 August 2016 06:00<br>
<b>To:</b> SAP Workflow Users' Group <sap-wug@mit.edu><br>
<b>Subject:</b> Re: PR Release WF - GRC ME54N<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">G'day Kjetil,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Some clients, such as this Govt example, have such complicated rules regarding who should approve what based on who ordered, what was ordered and where it was costed to that Release Codes are simply impractical both from a definition, config and
security allocation perspective. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Beyond this my statement around SoD is that security alone (Release Code based or otherwise) can not prevent self approval. There are many instances where someone needs to have the ability to key documents and approve identical documents,
just not approve the documents they keyed. I've heard this quaintly referred to as "the four eyes principle".
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">WFs based on User Decision steps (where there is no authority check) with WF-BATCH performing the Release is my preferred method where either such requirement exists. Users have no access to the direct Release transactions at all, and the
WF agent determination logic, however it's implemented (be it Resp Rules, BRF+, custom code) is the source of control, not allocation of security Roles. The power of "excluded" agents provides more control than Security ever can.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Regarding updating change logs to say something other than WF-BATCH, I push back on this. WF-BATCH did perform the Release. If you want to know who was involved in the approval review the WF log. This means when someone is given "fire fighter"
exceptional access to perform a manual release it's obvious from the Change Logs.
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Still keen to know if anyone does know of any issues of WF-BATCH PReq Release....<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Have fun,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Mark<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 24 August 2016 at 08:44, Kjetil Kilhavn <<a href="mailto:list.sap-wug@vettug.no" target="_blank">list.sap-wug@vettug.no</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">onsdag 17. august <a href="tel:2016%2007.37.43">2016 07.37.43</a> CEST skrev Mark Pyc:<br>
> I'm all for user decision, system update. It's the only practical way to<br>
> ensure true instance level SoD<br>
<br>
Could you be bothered to elaborate on that?<br>
I fail to see any advantages in terms of Segregation of Duties (assuming that<br>
is what you refer to) achieved by letting the user execute a user decision<br>
task as opposed to, in this case, a task that starts transaction ME54N?<br>
My point being that I don't see what you can do in your decision task that you<br>
couldn't just as well do with the task delivered by SAP. So, perhaps its just<br>
because I am not looking at it from the right perspective.<br>
<br>
<br>
> If anyone does know of issues of background release I'd love details.<br>
> I don't intend to hack around them, I'll be bitching to SAP to get them<br>
> resolved.<br>
It's not really an issue of background release, but when a user approves the<br>
release code in ME54N or ME28 an event terminates the work item. This means<br>
you can also hook up other workflows.<br>
<br>
Plus, if you are preventing business users from using ME28/ME54N:<br>
>From a user perspective: choice between ME28/ME54N and workflow inbox.<br>
>From a solution design perspective: you can choose to not use workflow for some<br>
release codes.<br>
<span class="hoenzb"><span style="color:#888888">--</span></span><span style="color:#888888"><br>
<span class="hoenzb">Kjetil Kilhavn / Vettug AS (<a href="http://www.vettug.no" target="_blank">http://www.vettug.no</a>)</span></span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">_______________________________________________<br>
SAP-WUG mailing list<br>
<a href="mailto:SAP-WUG@mit.edu">SAP-WUG@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/sap-wug" target="_blank">http://mailman.mit.edu/mailman/listinfo/sap-wug</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>