WF-BATCH requires SAP_ALL & SAP_NEW profiles

Zmudzin,Tomasz,VEVEY,GL-DS/DM Tomasz.Zmudzin at nestle.com
Wed May 15 01:02:15 EDT 2002


Although this may seem like a good idea at first, it sounds reasonable from
the security point of view only. You will run into real trouble when trying
to implement & maintain it. Your applications / background tasks will check
authorizations not just for transactions, but also for
 
- specific objects,
- object types,
- object subtypes
- object subtypes in organizational units,
- statuses
- activities
- (feel free to add more...)
 
Here the complexity grows a lot, and you cannot expect anyone to maintain
this. What you will see is a lot of "strange" workflow behavior -- tasks
going into error, tasks "hanging" etc.
 
The WF-BATCH needs to be perceived as a part of the connectivity
infrastructure. Technically it's a user, but it cannot perform any real
action in dialog. It is a part of the system, needed for its parts to
communicate freely. Just think of the WF system as not being part of the
Basis, but a separate component that needs to talk to your installation. For
somewhat different reasons you will have the same situation when you
integrate other mySAP components. They will also need an RFC user to
communicate with your system.
 
And besides -- if the security needs to be tight, why should complete
RFC admin or S_WF_ALL or S_WF_ADMIN be granted so easily?
 
Kind regards,
Tomasz
 
-----Original Message-----
From: Krishna M.P. [mailto:krishna.pottabatula at exxonmobil.com]
Sent: Tuesday, May 14, 2002 11:19 PM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: WF-BATCH requires SAP_ALL & SAP_NEW profiles
 
 
Hi Lisa,
 
I have never tried doing that but it is a good idea to implement. Not only
from a security point of view but also from an auditing point of view.
In my opinion, we may have to give the following areas complete authority
to WF-BATCH.
 
a) To access all workflow areas.
          S_WF_ADMIN,
          S_WF_ALL
 
b) Complete RFC admin profile ( I am not sure which one it is, check with
the Basis team ) like access to SM59 etc.
 
c) Create, change and display access for the transactions that you are
using in your workflows.
           If you have implemented only PR workflow then only PR
transactions like ME51, 52 and 53 need to be given.
 
The above is only a high level info and my opinion to start with something,
there could be more profiles required than what I mentioned above. In any
case one has to do real good testing to come out with a correct profile for
WF-BATCH. It will vary from company to company and system to system.
 
Another problem with the above approach is every time you implement a new
workflow you may have to test for security and add the relevant security to
the above profile. So you can predict some extra maintenance because of
this.
You are the best judge to adopt what you want.
 
Regards,
Krishna Pottabatula
Tel: 713-353-0023;    Fax: 713-353-0038
Email: Krishna.Pottabatula at exxonmobil.com
ExxonMobil - GIS/GSA/GATS/SAP Programming Services
 
 
 
 
 
From: Lisa Hasenbohler <lhasenbo at agrium.com>
Sent by: SAP Workflow <Owner-SAP-WUG at MITVMA.MIT.EDU>
Date: 05/14/02 03:30 PM
Please respond to "SAP Workflow Users' Group"
To: SAP-WUG at MITVMA.MIT.EDU
cc:
Subject: WF-BATCH requires SAP_ALL & SAP_NEW profiles
 
 
 
 
 
Hi All,
 
It is recommended that system user WF-BATCH be assigned SAP_ALL and
SAP_NEW, however, our policy is that SAP_ALL or SAP_NEW should only be used
in the Production Environment when absolutely necessary (even for
non-dialog users).
 
Before I go and attempt to build a new role or profile for WF-BATCH, I
thought I would ask if anyone has developed or attempted to develop their
own role/profile for WF-BATCH and if they could share their experience with
me.
 
Thanks,
Lisa Hasenbohler
 

