Restrict Display Access of Workflow Log

Dart, Jocelyn jocelyn.dart at sap.com
Mon Jun 27 21:40:08 EDT 2005


Hi Neil, 

Cool problem!

All HR data is restricted by structural authorisations.  So provided you
have structural authorisations turned on (95% probability if you have
SAP HR) then you could try the following:

1. Ensure all HR data is protected by structural authorisations - this
is the default for all the HR business objects such as EMPLOYEET
2. Make sure you use HR struc auth protected attributes when you build
your work item texts.
3. Your log should then show <variable not found> messages if a
non-authorised user looks at it. 

A couple of things to watch out for:
1. This would definitely work for any work item long text descriptions -
double-check it's OK with the short work item text.  If not, what you
could do is use the long text to display sensitive data - i.e. as they
work through the log in GOS etc. they single click on the work item to
see the long text.

2. Be careful to cater for substitutes - e.g. if the work item has to be
processed by a substitute you either need to adjust your structural auth
routines/profiles so the substitute can still view the data, or else
work out business procedures for substitutes - e.g. if HR create the
substitutes at the same time they adjust the HR struc auth temporarily
as per the substitution start/end date. 

Let me know if it works. 

Regards,
Jocelyn Dart
Senior Consultant
SAP Australia Pty Ltd.
Level 1/168 Walker St.
North Sydney 
NSW, 2060
Australia
T   +61 412 390 267
M   + 61 412 390 267
E   jocelyn.dart at sap.com
http://www.sap.com



-----Original Message-----
From: sap-wug-bounces at mit.edu [mailto:sap-wug-bounces at mit.edu] On Behalf
Of Neil Thomas
Sent: Monday, 27 June 2005 11:27 PM
To: sap-wug at mit.edu
Subject: Restrict Display Access of Workflow Log

Hello,

I am in the process of building a HR Display Sick Absence workflow
with meaningful text e.g.

Joe Bloggs has met the criteria for a sick interview.

Obviously the work item text also contains meaningful sensitive
information.  

My problem is that a number of other non HR users also have access to
view the work flow/ item logs for other workflows i.e.  Purchase
Requisition Approval & Employee Trip Approval via transactions SWI1,
SWI2_FREQ etc.

I do not want to remove access for my existing users to the current
workflow log transactions.  So I was wondering if there was a way to
restrict display access to workflow logs by use of security
authorisations/profiles to particular multi-step tasks and standard
tasks so that they can only see the non HR ones.

I have checked the archive and nothing jumps out at me.

I am on R3 4.6C

Thanking you in anticipation.

Neil Thomas
