Substitute Authorizations/profiles/roles

[Das, Raj]

This is one very interesting topic and need to be carefully reviewed.
 
Let us think about practical scenario. I create a Purchase Order and =
route
to the inbox of Approver for a particular release code. As long as =
approver
approves which takes care of release code it is perfectly OK.
 
Question comes : If approver is going on vacation and he knows in =
advance
and he can substitute someone to take action in his absence. Without =
the
workflow process, in real business world it happens. And we want this
functionality in workflow as well. Problem comes for the security. =
Because
the approver has been assigned the security profile which allow him/her =
to
release the Purchase Order. Then do we need to give security to the
substituter??? If one has to provide each and evry substituter the =
security
access that is a real business hassle. Practically we do not have to =
give
the security to the substituter. One has to design his/her workflow in =
such
a way that process should be done in backgound with WF-BATCH. When =
approver
substitute someone and substituter approves it , it all well recorded =
in
workflow log. So there is an audit trail. Which is 100% conformity with =
the
real business process without the workflow. One can always find who =
finally
approved it and from the log one can find who is the original approver.
 
It is his responsibilty why he substituted some one in workflow.Without =
the
workflow also same scenario if he/she has allowed to do some of his/her =
job
in absence. No security breaches!!!
 
Hope it helps.
 
Thanx
Raj Das
Workflow Architect
Imagine PA=20
 
-----Original Message-----
From: Kisloff, Philip B [mailto:Philip.Kisloff at astrazeneca.com]
Sent: Wednesday, April 24, 2002 6:45 AM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: Substitute Authorizations/profiles/roles
 
 
Mark,
 
I agree with Stephan, but the flip side to your question is when custom
workflows
allow approvals (with no authorisation concept involved) and you don't =
want
all types
of workflows to be accessed by your substitute. This can be restricted =
based
on substitute profiles for workflow classes.
 
Regards
 
Phil
 
 
-----Original Message-----
From: Becker Stephan (extern)
[mailto:Stephan.Becker.ext at mchw.siemens.de]
Sent: 24 April 2002 11:01
To: SAP-WUG at MITVMA.MIT.EDU
Subject: AW: Subsitute Authoizations/profiles/roles
 
 
Mark,
 
this would go against one of the prime design principles of the SAP
authorisation concept. Authorisations are allocated to the user, and =
when
you arrange a substitution, the substitute should not have access to =
more
functions automatically, otherwise you could use that to circumvent =
explicit
assignment of authorisations. I would not recommend not to try to =
automate
this process, as you would no doubt get into trouble during an audit =
unless
you log the changes very carefully and keep a full audit trail and =
inform
people that this automatic stuff has happened and....
 
Hth,
Stephan
 
-----Urspr=FCngliche Nachricht-----
Von: mark narra [mailto:mark_narra at mail.com]
Gesendet: Dienstag, 23. April 2002 21:49
An: SAP-WUG at MITVMA.MIT.EDU
Betreff: Subsitute Authoizations/profiles/roles
 
 
WF folks,
 
When a User substitutes another user in SAPinbox/Workplace,
authorizations/roles does not seem to get substituted to the new user. =
Looks
like it will be have to manually added by the security person. Doesn't =
sound
too good.
 
We are currently maintaining roles/authorizations at user-level. Is =
there
any user-exit that we can use to do the custom stuff?
 
Suggestions appreciated.
 
Mark.
--
 
_______________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=3Dsignup