WF_ADMIN is dying?

Kjetil Kilhavn KJETILK at statoil.com
Mon Jan 16 02:39:19 EST 2006


I tried using the "I am not the one to discuss this with, contact SAP" approach, referring to the documentation that states SAP_ALL and SAP_NEW should be assigned to WF-BATCH. Can't tell you any details of our solution, but the point was taken by security.
-- 
Kjetil Kilhavn, Statoil ØFT KTJ ITS BKS SAP Basis
 

> -----Original Message-----
> From: sap-wug-bounces at mit.edu 
> [mailto:sap-wug-bounces at mit.edu] On Behalf Of Stephens, Monique S L
> Sent: 13. januar 2006 16:33
> To: SAP Workflow Users' Group
> Subject: RE: WF_ADMIN is dying?
> 
> I would agree.  But, we are getting pressure from our 
> security team to not allow any ID to have SAP_ALL access.  
> This would also include the BATCH IDs.  There is a push to 
> create new IDs specific to the jobs they would be running 
> and give that ID the appropriate security access to 
> accomplish those jobs.  For example, our POs were being 
> created with a job under BATCH-BC.  We have changed that to 
> BATCH-SRM and eventually this new ID will only have the 
> necessary security to run the background jobs as that user ID.
> 
> I wish I could give our security and audit teams a good 
> reason to allow these non-dialog IDs to have SAP_ALL access.
> 
> Monique Stephens
> 
> -----Original Message-----
> From: sap-wug-bounces at mit.edu 
> [mailto:sap-wug-bounces at mit.edu] On Behalf Of Shrestha, Bijay
> Sent: Friday, January 13, 2006 8:30 AM
> To: SAP Workflow Users' Group; SAP Workflow Users' Group
> Subject: RE: WF_ADMIN is dying?
> 
> SAP's document recommends having SAP_ALL. The main reason is 
> that workflow is cross-application; it could go to any application 
> area. If you give SAP_ALL to this system ID you don't have to 
> add security for each Workflow application that you are going 
> to activate.
>  
> Another good point is that this is a system ID, NOT a dialog ID, so 
> this ID could be treated as any other Batch ID which runs for 
> Background jobs etc.
>  
> Bijay Shrestha
> Sr. Consultant
> Pragmatek Consulting Group
>  
> 
> 	-----Original Message----- 
> 	From: sap-wug-bounces at mit.edu on behalf of Stephens, Monique S L 
> 	Sent: Fri 1/13/2006 7:40 AM 
> 	To: SAP Workflow Users' Group 
> 	Cc: 
> 	Subject: RE: WF_ADMIN is dying?
> 	
> 	
> 
> 	Our company is about to change security for our non-dialog users
> 	as well because of SOX.  Are you saying that WF-BATCH should keep
> 	SAP_ALL even with SOX?  If so, can you provide me the reasons so
> 	that I can inform our security people.  I agree that the ID should
> 	keep SAP_ALL.  But, I need to give them valid reasons.
> 	
> 	Monique Stephens
> 	
> 	-----Original Message-----
> 	From: sap-wug-bounces at mit.edu [mailto:sap-wug-bounces at mit.edu] On Behalf Of Dart, Jocelyn
> 	Sent: Thursday, January 12, 2006 11:27 PM
> 	To: SAP Workflow Users' Group
> 	Subject: RE: WF_ADMIN is dying?
> 	
> 	WF-BATCH is the required workflow id.  There is no requirement for a
> 	WF-ADMIN or WF_ADMIN or WF_BATCH.
> 	WF-BATCH must have SAP_ALL - but should also be a non-dialog user.
> 	I guess you need to assign your workflow administration functions to the
> 	appropriate people and put either a single userid or a position/org unit
> 	in SWU3, SWEQADM, etc.
> 	
> 	
> 	Regards,
> 	Jocelyn Dart
> 	Senior Consultant
> 	SAP Australia Pty Ltd.
> 	Level 1/168 Walker St.
> 	North Sydney
> 	NSW, 2060
> 	Australia
> 	T   +61 412 390 267
> 	M   + 61 412 390 267
> 	E   jocelyn.dart at sap.com
> 	http://www.sap.com
> 	
> 	-----Original Message-----
> 	From: sap-wug-bounces at mit.edu [mailto:sap-wug-bounces at mit.edu] On Behalf Of Sue Keohan
> 	Sent: Friday, 13 January 2006 1:27 PM
> 	To: SAP Workflow Users' Group
> 	Subject: Re: WF_ADMIN is dying?
> 	
> 	Hi Sherman,
> 	
> 	We don't even use a WF_ADMIN ID. We have WF_BATCH, sure, and it needs
> 	all the authorizations, and is a non-dialog account, but as for the
> 	actual administrator(s), we specify a user (non-generic) in customizing,
> 	and I have the necessary authorizations to trouble-shoot. If I don't, my
> 	friends in Basis are very accommodating to help keep the business
> 	flowing.
> 	
> 	Hope this helps,
> 	Sue
> 	
> 	Wright, Sherman wrote:
> 	
> 	> Hi All -
> 	>
> 	> Our auditors have informed me that, due to Sarbanes Oxley, the
> 	> WF_ADMIN ID in our production system will be changed. The choices are
> 	> that it be 1) De-activated; 2) Converted to a NON-Dialog account; or
> 	> 3) that it will have the BARE MINIMUM Display-ONLY access. The idea is
> 	> that, since we have shared firefighter IDs, one of those can be used
> 	> for anything necessary. In trying to document the use and need for the
> 	> WF_ADMIN, I went to the SAP Library - SAP Business Workflow
> 	> (http://help.sap.com/saphelp_erp2004/helpdata/en/a5/172437130e0d09e10000009b38f839/frameset.htm)
> 	> as well as a couple of other sites (SDN, and the WUG Archives).
> 	> Surprisingly, I was unable to find ANYTHING about the need and uses of
> 	> the WF_ADMIN User ID. Is it a thing of the past? Has Sarbanes Oxley
> 	> already killed it (they REALLY don't like "generic" IDs, you know...)?
> 	>
> 	> I have surprisingly mixed feelings about this. I understand what they
> 	> are saying, and why they feel the way they do. But at the same time,
> 	> I'm used to doing things a certain way (8-1/2 years now) and I really
> 	> resent the "intrusion".
> 	>
> 	> Anyway, how would YOU feel? IS there a necessity for the WF_ADMIN ID?
> 	> Are there things for which ONLY the WF_ADMIN ID should be used? Can it
> 	> all be done by properly authorized individuals? Am I clinging to a
> 	> relic of the past? I'd really like to hear your opinions...
> 	>
> 	> And thank you for letting me vent to the only group of people that
> 	> would have any idea of what I'm talking about! :^)
> 	>
> 	> Regards,
> 	> Sherman
> 	>
> 	
> 	>------------------------------------------------------------------------
> 	>
> 	>_______________________________________________
> 	>SAP-WUG mailing list
> 	>SAP-WUG at mit.edu
> 	>http://mailman.mit.edu/mailman/listinfo/sap-wug
> 	> 
> 	>

