Substitute Authorizations/profiles/roles

Sherman Wright swright at lsil.com
Thu Apr 25 20:15:36 EDT 2002


Hi all -
 
I thought I'd throw my two cents in:
 
Here, since I'm the Workflow Admin and the Security Admin, we have tried to
prevent too much work when this type of thing happens.  The main
authorization that we use for requisition approvals is the authorization
object M_EINK_FRG (Release Code and Group [Purchasing]).  We have separated
the release codes into two groups: finance (Controller, 1st Level Controller
and VP Finance) and organizational (Supervisor, Department Manager,
Director, Vice President and Executive Vice President), so we have two (2)
approval roles.  Anybody that takes the workflow approval training gets one
(or both) of the roles depending on their responsibilities.  The safeguard
is that no one can use the approval authorization unless a) that person is a
regular approver identified through the HR Organizational Structure; b) that
person is set up as someone's substitute; or c) a work item is forwarded to
that person.  In other words, if you never get anything to approve, having
the ability to approve something is not a security risk...  Anyway, it works
for us (so far...).
 
Regards,
Sherman
 
 
-----Original Message-----
From: SAP Workflow [mailto:Owner-SAP-WUG at MITVMA.MIT.EDU]On Behalf Of
Dart, Jocelyn
Sent: Thursday, April 25, 2002 4:23 PM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: Substitute Authorizations/profiles/roles
 
 
Hi Mark,
Yes agree with all the comments, plus if you have HR structural
authorisations turned on that's an even more difficult area to
traverse.
 
I've just been involved with a substitution project.  Best advice is
to consider what you really want the substitute to be able to do, and
what substitution relationships you will allow with the original agent.
(e.g. active, passive, all, restricted, substitution to peers, substitution
to anyone?)
 
If you want workflow to control substitution, the simplest option is a
user decision/forms-based approach, where any data the user can see is
presented to an agent as a user decision or form, and any replies are
gathered using user decision outcomes or form container elements.
Such work items can be set up so that workflow only controls the security,
without bringing additional transaction authorisations and HR structural
authorisations into the scenario.
 
Then have WF-BATCH apply the chosen outcome to the data involved, as Raj
suggests.
 
The workflow log then becomes your audit trail of who did what.
 
You can get quite sophisticated in this area if you want to.  For instance
I've written rules (standard roles) that check if a user has an active
substitute before making a final decision as to who is the appropriate agent.
 
Regards,
        Jocelyn Dart
Consultant (EBP, BBP, Ecommerce, Internet Transaction Server, Workflow)
SAP Australia
Email jocelyn.dart at sap.com <mailto:jocelyn.dart at sap.com>
Tel: +61 412 390 267
Fax: +61 2 9935 4880
 
 
-----Original Message-----
From: Das, Raj [mailto:c-rdas at state.pa.us]
Sent: Thursday, 25 April 2002 11:12 PM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: Substitute Authorizations/profiles/roles
 
 
This is one very interesting topic and needs to be carefully reviewed.
 
Let us think about a practical scenario. I create a Purchase Order and route
it to the inbox of the Approver for a particular release code. As long as the
approver approves, which takes care of the release code, it is perfectly OK.
 
The question comes: if the approver is going on vacation and he knows in
advance, he can substitute someone to take action in his absence. Without the
workflow process, in the real business world, it happens. And we want this
functionality in workflow as well. The problem comes with security, because
the approver has been assigned the security profile which allows him/her to
release the Purchase Order. Then do we need to give security to the
substituter??? If one has to provide each and every substituter the security
access, that is a real business hassle. Practically, we do not have to give
the security to the substituter. One has to design his/her workflow in such
a way that the process is done in background with WF-BATCH. When the approver
substitutes someone and the substituter approves it, it is all well recorded
in the workflow log. So there is an audit trail, which is in 100% conformity
with the real business process without the workflow. One can always find who
finally approved it, and from the log one can find who is the original
approver.
 
It is his responsibility why he substituted someone in workflow. Without the
workflow it is also the same scenario if he/she has allowed someone to do some
of his/her job in absence. No security breaches!!!
 
Hope it helps.
 
Thanx
Raj Das
Workflow Architect
Imagine PA
 
-----Original Message-----
From: Kisloff, Philip B [mailto:Philip.Kisloff at astrazeneca.com]
Sent: Wednesday, April 24, 2002 6:45 AM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: Substitute Authorizations/profiles/roles
 
 
Mark,
 
I agree with Stephan, but the flip side to your question is when custom
workflows allow approvals (with no authorisation concept involved) and you
don't want all types of workflows to be accessed by your substitute. This can
be restricted based on substitute profiles for workflow classes.
 
Regards
 
Phil
 
 
-----Original Message-----
From: Becker Stephan (extern)
[mailto:Stephan.Becker.ext at mchw.siemens.de]
Sent: 24 April 2002 11:01
To: SAP-WUG at MITVMA.MIT.EDU
Subject: AW: Subsitute Authoizations/profiles/roles
 
 
Mark,
 
this would go against one of the prime design principles of the SAP
authorisation concept. Authorisations are allocated to the user, and when
you arrange a substitution, the substitute should not have access to more
functions automatically, otherwise you could use that to circumvent explicit
assignment of authorisations. I would not recommend not to try to automate
this process, as you would no doubt get into trouble during an audit unless
you log the changes very carefully and keep a full audit trail and inform
people that this automatic stuff has happened and....
 
Hth,
Stephan
 
-----Original Message-----
From: mark narra [mailto:mark_narra at mail.com]
Sent: Tuesday, 23 April 2002 21:49
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Subsitute Authoizations/profiles/roles
 
 
WF folks,
 
When a user substitutes another user in SAPinbox/Workplace,
authorizations/roles do not seem to get substituted to the new user. Looks
like it will have to be manually added by the security person. Doesn't sound
too good.
 
We are currently maintaining roles/authorizations at user-level. Is there
any user-exit that we can use to do the custom stuff?
 
Suggestions appreciated.
 
Mark.
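
The safeguard in the first message (an approval authorization only matters once a work item reaches the user) and the gap in the original question (a substitute who lacks the authorization) can be audited together. This is an added example, not code from any poster in this thread; the user IDs, role names and data layout are constructed assumptions standing in for exports of role assignments, the HR organizational structure and substitution records.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data; user IDs and role names are hypothetical.
ROLE_HOLDERS = {            # role carrying M_EINK_FRG -> users holding it
    "APPROVE_FINANCE": {"CTRL1", "VPFIN", "TRAINEE"},
    "APPROVE_ORG": {"SUPV1", "MGR1", "BACKUP1"},
}
REGULAR_APPROVERS = {       # approvers per the HR organizational structure
    "APPROVE_FINANCE": {"CTRL1", "VPFIN"},
    "APPROVE_ORG": {"SUPV1", "MGR1"},
}

@dataclass(frozen=True)
class Substitution:
    original: str
    substitute: str
    begin: date
    end: date
    active: bool

    def in_force(self, day):
        # Expired, future or deactivated substitutions route nothing.
        return self.active and self.begin <= day <= self.end

SUBSTITUTIONS = [
    Substitution("MGR1", "BACKUP1", date(2002, 4, 22), date(2002, 5, 3), True),
    Substitution("CTRL1", "CLERK9", date(2002, 4, 22), date(2002, 5, 3), True),
    Substitution("VPFIN", "TRAINEE", date(2002, 1, 1), date(2002, 1, 31), True),
]

def audit(day, forwarded=()):
    """Classify users per approval role on `day`.

    forwarded: iterable of (role, user) pairs for forwarded work items.
    """
    report = {}
    for role, holders in ROLE_HOLDERS.items():
        regular = REGULAR_APPROVERS[role]
        subs = {s.substitute for s in SUBSTITUTIONS
                if s.in_force(day) and s.original in regular}
        fwd = {user for r, user in forwarded if r == role}
        routed = regular | subs | fwd    # users a work item can reach
        report[role] = {
            "effective": sorted(routed & holders),  # receives and can release
            "dormant": sorted(holders - routed),    # role held, nothing to approve
            "gaps": sorted(routed - holders),       # item arrives, release fails
        }
    return report
```

Users under "gaps" are the substitutes from the original question; users under "dormant" hold the role but, per the first message's reasoning, have nothing to act on until a substitution or forward reaches them.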