WF-BATCH requires.... Workflow Book

Nobles, Diane nobles_dh at naptheon.com
Mon May 20 08:43:05 EDT 2002 

I hope you use lots of visuals/pictures in the book.
 
Eagerly waiting.
 
Diane H. Nobles=20
SDE PM Team=20
(757)380-7250=20
 
 
 
-----Original Message-----
From: Rickayzen, Alan [mailto:alan.rickayzen at sap.com]
Sent: Friday, May 17, 2002 4:17 PM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: WF-BATCH requires.... Workflow Book
 
 
Sue,
In fact the authors are Carsten Brennecke, Jocelyn Dart, Alan =
Rickayzen,
Markus Schneider.=20
I submitted the quote because I felt that the fact that the statement =
would
be printed would help pursuade security to be more lenient in this
particular case.
 
Humbly,
Alan
 
 
-----Original Message-----
From: Susan R. Keohan [mailto:skeohan at MIT.EDU]
Sent: Freitag, 17. Mai 2002 15:33
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: WF-BATCH requires.... Workflow Book
 
 
Hello Jose,
 
This book, co-authored by Alan and Jocelyn, will be available mid-July =
on
Fatbrain and Amazon.  (I believe the title will be 'Practical Workflow =
in
SAP'.
 
Ordinarily, I would 'gently rebuke' anyone using this list to promote =
any
type of product, but I (and the board members of the ASUG =
Workflow/WebFlow
User Group) feel that the benefit we can all gain from Alan and =
Jocelyn's
work justifies mentioning this book to this particular audience.
 
Regards,
Sue
 
 
>And when will this book be available?
>
>Regards
>
>Jos=E9
>
>-----Original Message-----
>From: Rickayzen, Alan [mailto:alan.rickayzen at sap.com]
>Sent: 15 May 2002 08:34
>To: SAP-WUG at MITVMA.MIT.EDU
>Subject: Re: WF-BATCH requires SAP_ALL & SAP_NEW profiles
>
>
>You've said it all, but this excerpt from our forthcoming workflow =
book
>might nevertheless be of use to you.
>
>"However the background user must have the authorization SAP_ALL if =
the
>workflow system is to function without problems, so it is essential =
that
the
>user executing the automatic workflow customization have this
authorization.
>If necessary, get the system administrator to press the button.
>
>You may well need to reassure the system administrator about this
>authoriza-tion. First of all this user is set as a background user, =
which
>means that no dialog login is possible. Secondly, special =
authorizations
>prevent this RFC destination from being used by programs other than =
the
>WebFlow engine. If you generate the RFC destination and user with =
automatic
>workflow customizing (recommended), then the user cannot be used with =
other
>RFC destinations because the password is not known by anyone, having =
been
>generated randomly."
>
>Apologies to my co-authors for releasing this snippet but Jocelyn is =
out of
>reach, my colleagues in Walldorf are fast asleep and I'm in an =
exuberant
>mood towards the end of a very successful ASUG conference.
>
>Alan Rickayzen
>SAP AG
>
>-----Original Message-----
>From: Zmudzin,Tomasz,VEVEY,GL-DS/DM [mailto:Tomasz.Zmudzin at nestle.com]
>Sent: Mittwoch, 15. Mai 2002 07:02
>To: SAP-WUG at MITVMA.MIT.EDU
>Subject: Re: WF-BATCH requires SAP_ALL & SAP_NEW profiles
>
>
>Although this may seem like a good idea at first, it sounds reasonable =
from
>the security point of view only. You will run into real trouble when =
trying
>to implement & maintain it. Your applications / background tasks will =
check
>authorizations not just for transactions, but also for
>
>- specific objects,
>- object types,
>- object subtypes
>- object subtypes in organizational units,
>- statuses
>- activities
>- (feel free to add more...)
>
>Here the complexity grows a lot, and you cannot expect anyone to =
maintain
>this. What you will see is a lot of "strange" workflow behavior -- =
tasks
>going into error, tasks "hanging" etc.
>
>The WF_BATCH needs to be perceived as a part of the connectivity
>infrastructure. Technically it's a user, but it cannot perform any =
real
>action in dialog. It is a part of the system, needed for its parts to
>communicate freely. Just think of the WF system as not being part of =
the
>Basis, but a separate component that needs to talk to your =
installation.
For
>a somewhat different reasons you will have the same situation when you
>integrate other mySAP components. They will also need an RFC user to
>communicate with your system.
>
>And besides -- if the security needs to be tight, why should complete
>complete RFC admin or S_WF_ALL or S_WF_ADMIN granted so easily?
>
>Kind regards,
>Tomasz
>
>-----Original Message-----
>From: Krishna M.P. [mailto:krishna.pottabatula at exxonmobil.com]
>Sent: Tuesday, May 14, 2002 11:19 PM
>To: SAP-WUG at MITVMA.MIT.EDU
>Subject: Re: WF-BATCH requires SAP_ALL & SAP_NEW profiles
>
>
>Hi Lisa,
>
>I have never tried doing that but It is a good idea to implement. Not =
only
>security point of view but also auditing point of view.
>In my opinion, we may have to give the following areas complete =
authority
>to WF-BATCH.
>
>a) To access all workflow areas.
>          S_WF_ADMIN,
>          S_WF_ALL
>
>b) Complete RFC admin profile ( I am not sure which one it is, check =
with
>the Basis team ) like access to SM59 etc.
>
>c) Create, change and display access for the transactions that you are
>using in your workflows.
>           If you have implemented only PR workflow then only PR
>transactions like ME51, 52 and 53 needs to be given.
>
>The above is only a high level info and my opinion to start with =
something,
>there could be more profiles required than what I mentioned above. In =
any
>case one has to do real good testing to come out with a correct =
profile for
>WF-BATCH. It will vary from company to company and system to system.
>
>Other problems with the above approach is every time you implement a =
new
>workflow you may have to test for security and add the relevant =
security to
>the above profile. So you can predict some extra maintenance because =
of
>this.
>You are the best judge to adopt what you want.
>
>Regards,
>Krishna Pottabatula
>Tel: 713-353-0023;    Fax: 713-353-0038
>Email: Krishna.Pottabatula at exxonmobil.com
>ExxonMobil - GIS/GSA/GATS/SAP Programming Services
>
>
>
>
>
>                    Lisa Hasenbohler
>                    <lhasenbo at agrium.com      To:
SAP-WUG at MITVMA.MIT.EDU
>                    >                         cc:
>                    Sent by: SAP              Subject:     WF-BATCH
requires
>SAP_ALL & SAP_NEW profiles
>                    Workflow
>                    <Owner-SAP-WUG at MITVM
>                    A.MIT.EDU>
>
>
>
>                    05/14/02 03:30 PM
>                    Please respond to
>                    "SAP Workflow Users'
>                    Group"
>
>
>
>
>
>Hi All,
>
>It is recommended that system user WF-BATCH be assigned SAP_ALL and
>SAP_NEW, however, our policy is that SAP_ALL or SAP_NEW should only be =
used
>in the Production Environment when absolutely necessary (even for
>non-dialog users).
>
>Before I go and attempt to build a new role or profile for WF-BATCH, I
>thought I would ask if anyone has developed or attempted to develop =
their
>own role/profile for WF-BATCH and if they could share their experience =
with
>me.
>
>Thanks,
>Lisa Hasenbohler
 
 
Susan R. Keohan
Senior SAP Developer
Massachusetts Institute of Technology
77 Mass. Avenue, BLDG W92-210
Cambridge, MA. 02139
(617)258-9197
skeohan at mit.edu

More information about the SAP-WUG mailing list