SAP_ALL SAP_NEW

Dart, Jocelyn jocelyn.dart at sap.com
Thu Jun 2 20:39:08 EDT 2011


Edward,
FYI Don't forget that if you have HR you also need to give WF-BATCH blanket HR Structural Auths... which is controlled through a configuration table.

A few approaches that I find useful when this hoary old question comes up....
Have you checked to see if they have any Batch / System / Communication users with SAP_ALL, SAP_NEW for running batch jobs or to support integration? WF-BATCH user id should be positioned as that type of user. After all the point is that WF-BATCH is being used to AVOID giving dialog users additional security but still give access to relevant process information in a controlled manner. Also all activities by WF-BATCH and by dialog users are being logged as part of the workflow log. You need to get down to what are their real concerns and pick them off one by one... don't forget to throw in the TCO of continually adjusting WF-BATCH security and the disruption to the business that would cause as processes fail due to authorisation issues. And talk about Best Practice - Best Practice is NOT to restrict WF-BATCH for all of the above reasons and because as Mike indicates... continuing pain follows thereafter for what is often an esoteric concern about possible exposure.

Good luck.
Jocelyn


From: sap-wug-bounces at mit.edu [mailto:sap-wug-bounces at mit.edu] On Behalf Of Mike Gambier
Sent: Friday, 3 June 2011 8:39 AM
To: sap-wug at mit.edu
Subject: RE: SAP_ALL SAP_NEW

My sympathies.

I've seen 2 clients try and fail dismally to not give WF-BATCH SAP_ALL and instead try and cobble together their own profile for a while in the misguided belief it would be a more 'secure' approach.

In both cases the urge was brought on by some Audit report that overlooked the need to keep system user profiles up to date with authorisation object changes or face potentially huge work backloads trying to sort out the mess when inevitably someone missed something they couldn't be expected to have spotted coming through via an OSS Note or custom change or whatever.

In the end, the amount of new software patches, enhancement packs and upgrades forced them to change their minds and instead invest some confidence in their SAP Basis people to keep the Workflow password setting under lock and key - just as they would normally do with other user profiles like the 'normal' BATCH.

I hope sense prevails eventually for you...

Mike GT

________________________________
From: edwarddiehl at hotmail.com
To: sap-wug at mit.edu
Subject: RE: SAP_ALL SAP_NEW
Date: Thu, 2 Jun 2011 15:23:22 -0500

Yes, thanks Mike.  What we're dealing with here is a bureaucracy.
________________________________
From: madgambler at hotmail.com
Subject: Re: SAP_ALL SAP_NEW
Date: Thu, 2 Jun 2011 21:02:04 +0100
To: madgambler at hotmail.com
CC: sap-wug at mit.edu
Ah my bad, you explained your WF-BATCH user hasn't been given this for some reason? Um, why would you do that? Surely you need your Workflows to have almost superuser auths?

Mike GT

Sent from my iPhone

On 2 Jun 2011, at 21:00, Madgambler <madgambler at hotmail.com> wrote:
Presumably you have tried regenerating SAP_ALL in the target system?

Worth a mention just in case somebody forgot?

Mike GT

Sent from my iPhone

On 2 Jun 2011, at 20:41, Edward Diehl <edwarddiehl at hotmail.com> wrote:
Thanks, Eddie, but therein lies the problem.  We've applied the note and we are still left with tasks failing because of no-authorization - and these failed to show up on the Security's authorization trace.

As I asked, is anyone out there successfully using workflow where WF-BATCH does not have SAP_ALL AND SAP_NEW?

Ed
________________________________
From: eddie.morris at sap.com
To: sap-wug at mit.edu
Date: Thu, 2 Jun 2011 20:54:19 +0200
Subject: RE: SAP_ALL SAP_NEW
Hi Ed,

Take a look at note 1251255 which introduces SAP_BC_BMT_WFM_SERV_USER. It takes care of the authorization for the workflow runtime but you still need to add application specific authorizations.

KBA 1574002 also gives details.

Regards,
Eddie

From: sap-wug-bounces at mit.edu [mailto:sap-wug-bounces at mit.edu] On Behalf Of Edward Diehl
Sent: 02 June 2011 19:33
To: sap-wug at mit.edu
Subject: RE: SAP_ALL SAP_NEW

Is anyone out there successfully using workflow with WF-BATCH carrying something other than SAP_ALL & SAP_NEW security roles?

I'm sure many of you have confronted this issue.  I would be interested to hear your experience(s).

Thanks,
Ed

_______________________________________________
SAP-WUG mailing list
SAP-WUG at mit.edu
http://mailman.mit.edu/mailman/listinfo/sap-wug