WF-BATCH requires.... Workflow Book

Susan R. Keohan skeohan at MIT.EDU
Fri May 17 09:33:28 EDT 2002 

Hello Jose,
 
This book, co-authored by Alan and Jocelyn, will be available mid-July on
=46atbrain and Amazon.  (I believe the title will be 'Practical Workflow in
SAP'.
 
Ordinarily, I would 'gently rebuke' anyone using this list to promote any
type of product, but I (and the board members of the ASUG Workflow/WebFlow
User Group) feel that the benefit we can all gain from Alan and Jocelyn's
work justifies mentioning this book to this particular audience.
 
Regards,
Sue
 
 
>And when will this book be available?
>
>Regards
>
>Jos=E9
>
>-----Original Message-----
>From: Rickayzen, Alan [mailto:alan.rickayzen at sap.com]
>Sent: 15 May 2002 08:34
>To: SAP-WUG at MITVMA.MIT.EDU
>Subject: Re: WF-BATCH requires SAP_ALL & SAP_NEW profiles
>
>
>You've said it all, but this excerpt from our forthcoming workflow book
>might nevertheless be of use to you.
>
>"However the background user must have the authorization SAP_ALL if the
>workflow system is to function without problems, so it is essential that th=
e
>user executing the automatic workflow customization have this authorization=
=2E
>If necessary, get the system administrator to press the button.
>
>You may well need to reassure the system administrator about this
>authoriza-tion. First of all this user is set as a background user, which
>means that no dialog login is possible. Secondly, special authorizations
>prevent this RFC destination from being used by programs other than the
>WebFlow engine. If you generate the RFC destination and user with automatic
>workflow customizing (recommended), then the user cannot be used with other
>RFC destinations because the password is not known by anyone, having been
>generated randomly."
>
>Apologies to my co-authors for releasing this snippet but Jocelyn is out of
>reach, my colleagues in Walldorf are fast asleep and I'm in an exuberant
>mood towards the end of a very successful ASUG conference.
>
>Alan Rickayzen
>SAP AG
>
>-----Original Message-----
>From: Zmudzin,Tomasz,VEVEY,GL-DS/DM [mailto:Tomasz.Zmudzin at nestle.com]
>Sent: Mittwoch, 15. Mai 2002 07:02
>To: SAP-WUG at MITVMA.MIT.EDU
>Subject: Re: WF-BATCH requires SAP_ALL & SAP_NEW profiles
>
>
>Although this may seem like a good idea at first, it sounds reasonable from
>the security point of view only. You will run into real trouble when trying
>to implement & maintain it. Your applications / background tasks will check
>authorizations not just for transactions, but also for
>
>- specific objects,
>- object types,
>- object subtypes
>- object subtypes in organizational units,
>- statuses
>- activities
>- (feel free to add more...)
>
>Here the complexity grows a lot, and you cannot expect anyone to maintain
>this. What you will see is a lot of "strange" workflow behavior -- tasks
>going into error, tasks "hanging" etc.
>
>The WF_BATCH needs to be perceived as a part of the connectivity
>infrastructure. Technically it's a user, but it cannot perform any real
>action in dialog. It is a part of the system, needed for its parts to
>communicate freely. Just think of the WF system as not being part of the
>Basis, but a separate component that needs to talk to your installation. Fo=
r
>a somewhat different reasons you will have the same situation when you
>integrate other mySAP components. They will also need an RFC user to
>communicate with your system.
>
>And besides -- if the security needs to be tight, why should complete
>complete RFC admin or S_WF_ALL or S_WF_ADMIN granted so easily?
>
>Kind regards,
>Tomasz
>
>-----Original Message-----
>From: Krishna M.P. [mailto:krishna.pottabatula at exxonmobil.com]
>Sent: Tuesday, May 14, 2002 11:19 PM
>To: SAP-WUG at MITVMA.MIT.EDU
>Subject: Re: WF-BATCH requires SAP_ALL & SAP_NEW profiles
>
>
>Hi Lisa,
>
>I have never tried doing that but It is a good idea to implement. Not only
>security point of view but also auditing point of view.
>In my opinion, we may have to give the following areas complete authority
>to WF-BATCH.
>
>a) To access all workflow areas.
>          S_WF_ADMIN,
>          S_WF_ALL
>
>b) Complete RFC admin profile ( I am not sure which one it is, check with
>the Basis team ) like access to SM59 etc.
>
>c) Create, change and display access for the transactions that you are
>using in your workflows.
>           If you have implemented only PR workflow then only PR
>transactions like ME51, 52 and 53 needs to be given.
>
>The above is only a high level info and my opinion to start with something,
>there could be more profiles required than what I mentioned above. In any
>case one has to do real good testing to come out with a correct profile for
>WF-BATCH. It will vary from company to company and system to system.
>
>Other problems with the above approach is every time you implement a new
>workflow you may have to test for security and add the relevant security to
>the above profile. So you can predict some extra maintenance because of
>this.
>You are the best judge to adopt what you want.
>
>Regards,
>Krishna Pottabatula
>Tel: 713-353-0023;    Fax: 713-353-0038
>Email: Krishna.Pottabatula at exxonmobil.com
>ExxonMobil - GIS/GSA/GATS/SAP Programming Services
>
>
>
>
>
>                    Lisa Hasenbohler
>                    <lhasenbo at agrium.com      To:     SAP-WUG at MITVMA.MIT.ED=
U
>                    >                         cc:
>                    Sent by: SAP              Subject:     WF-BATCH require=
s
>SAP_ALL & SAP_NEW profiles
>                    Workflow
>                    <Owner-SAP-WUG at MITVM
>                    A.MIT.EDU>
>
>
>
>                    05/14/02 03:30 PM
>                    Please respond to
>                    "SAP Workflow Users'
>                    Group"
>
>
>
>
>
>Hi All,
>
>It is recommended that system user WF-BATCH be assigned SAP_ALL and
>SAP_NEW, however, our policy is that SAP_ALL or SAP_NEW should only be used
>in the Production Environment when absolutely necessary (even for
>non-dialog users).
>
>Before I go and attempt to build a new role or profile for WF-BATCH, I
>thought I would ask if anyone has developed or attempted to develop their
>own role/profile for WF-BATCH and if they could share their experience with
>me.
>
>Thanks,
>Lisa Hasenbohler
 
 
Susan R. Keohan
Senior SAP Developer
Massachusetts Institute of Technology
77 Mass. Avenue, BLDG W92-210
Cambridge, MA. 02139
(617)258-9197
skeohan at mit.edu

More information about the SAP-WUG mailing list