WF-Batch User: SAP_ALL access required for SWU3 Customization?

Mike Pokraka wug at workflowconnections.com
Tue Apr 13 10:00:57 EDT 2010


All I know is that tracking down errors related to authorisations can be
hellishly difficult, and this becomes even worse when WF-BATCH is
involved.
So ask yourself: do you feel lucky?

If you have appropriate safeguards in place then the measures mentioned by
Michael below should suffice.
It's a bit of a reverse catch-22: the loopholes needed to be able to
exploit WF-BATCH are such that anyone wanting to misuse it wouldn't need
WF-BATCH. It's a bit like locking your batchroom door to secure your house
because someone could break in through your bathroom window.

Cheers,
Mike


On Mon, April 12, 2010 2:52 pm, michael.mcley at daimler.com wrote:
> Miguel,
>
> I do not have direct experience with limiting the authorizations of
> WF-BATCH.  However...
>
> Practical Workflow for SAP, 2nd Edition Section 3.1.2 (page 88 in the
> hardbound edition) states:
>
> "...However the background user <meaning WF-BATCH> must have the
> authorization SAP_ALL if the workflow system is to function without
> problems ..."
>
> The text goes further to say (and I'll paraphrase) that user WF-BATCH can
> be configured as a system user (no GUI login possible).  You can also
> configure your security so that the RFC destination WORKFLOW_LOCAL_xxx
> cannot be used by programs other than the workflow engine.  If this user
> and RFC destination were configured automatically then WF-BATCH also has a
> password that is generated randomly and cannot be used with other RFC
> destinations because no one knows the password.
>
> The text mentions SAP Note 1251255 as options to limit the security of
> WF-BATCH.  The book also mentions that implementing this note is kind of a
> headache.
>
> If you have already bought Practical Workflow for SAP ('da big book O'
> workflow) and have read this, then please ignore and my apologies.
> Otherwise it is the best $79.95 you will ever spend for an SAP book -
> assuming you regularly work in workflow.  Maybe you can use its
> recommendations to push back on your auditors.
>
> If that doesn't work, the book has 953 pages and you can always throw it
> at them ;-)
>
>
>
> Michael McLey
> MBUSI - IT Parts & Administration
> Mercedes-Benz US International, Inc.
> 1 Mercedes Drive
> Vance, AL 35490
> PHONE:  (205) 462 - 5239
> EMAIL:   michael.mcley at daimler.com
>
>
>
> VieraM at dhcmc.com
> Sent by: sap-wug-bounces at mit.edu
> 04/12/2010 07:50 AM
> Please respond to: sap-wug at mit.edu
> To: sap-wug at mit.edu
> cc:
> Subject: WF-Batch User: SAP_ALL access required for SWU3 Customization?
>
> Hello all,
>
> Wanted to know if anyone has had to limit the authorization to the
> WF-Batch User that has to be set-up to configure the Workflow System in
> SAP?  Our internal auditors do not like the fact that it is currently
> assigned the SAP_ALL role which seems to be what is recommended in
> workflow circles as well as by SAP.
>
> Any insight would be greatly appreciated.
>
> Thanks,
>
> Miguel R. Viera
> Deere-Hitachi C.M.C
> SAP Business Analyst for FI-CO & SD Modules
> Workflow Admin. & Winshuttle Template Designer
> Phone: (336) 992-5759
>
> "Let us realize that the privilege to work is a gift, that power to work
> is a blessing, that love of work is success." David O. McKay
>
>
>  _______________________________________________
> SAP-WUG mailing list
> SAP-WUG at mit.edu
> http://mailman.mit.edu/mailman/listinfo/sap-wug
