1251255 - Authorizations for the System User (WF-BATCH)



SAP Security Note

Symptom

You use a system user to execute and manage workflows. This system user has been defined in the RFC destination WORKFLOW_LOCAL_<client>. In most cases, this is called WF-BATCH. However, you can define a different user. The authorization profile SAP_ALL is assigned to the system user. You want to restrict the authorizations of the system user.

Other Terms

PFCG

Reason and Prerequisites

You can create the RFC destination WORKFLOW_LOCAL_<client> using transaction SWU3 (Automatic Workflow Customizing), activity 'Configure RFC Destination'. If you use the function 'Perform Automatic Workflow Customizing (F9)' to do this, the system also creates the user WF-BATCH if it does not yet exist. In this case, the system assigns all of the profiles of the user who executes transaction SWU3 to this user. The system may assign the profile SAP_ALL as a result. In addition, no corresponding PFCG role is available to restrict the authorizations of the system user.

Solution

This note provides a correction and a new PFCG role. After you implement this correction, the system ensures that the profile SAP_ALL is never assigned to the user WF-BATCH when you use the function 'Perform Automatic Workflow Customizing (F9)'. The correction is available as of SAP_BASIS 610 (see the correction instructions). The function for the activity 'Configure RFC Destination' is not available in lower releases. As a result, the profile SAP_ALL is not assigned to the user WF-BATCH when you use transaction SWU3 in these releases.

In addition, the PFCG role SAP_BC_BMT_WFM_SERV_USER is delivered for SAP_BASIS 640 and higher releases. This role contains all of the authorizations that the workflow runtime requires to execute and manage workflows. However, it does not contain any application-specific authorizations. To use the SAP Business Workflow within an application, you usually require additional application-specific authorizations.

If you want to restrict the authorizations of the system user, proceed as follows:

- Set the plan version in the role SAP_BC_BMT_WFM_SERV_USER
  The role contains, for example, the authorization object PLOG (personnel planning). Assign your active plan version to the Plan Version field and generate the authorization profile.

- Assign the role SAP_BC_BMT_WFM_SERV_USER
  Use the user maintenance to remove the assignment for all roles and profiles, and assign the single role SAP_BC_BMT_WFM_SERV_USER.

- Add the application-specific authorizations
  In addition, the system user must be assigned all of the application-specific authorizations that are required to execute your active workflows. To do this, proceed as follows:

  - Identify the active workflows in your system and the applications these are based on. Assign the existing roles for this application to the system user. These may be roles delivered by SAP, or customer-specific roles. This should cover most or even all required authorizations.

  - Check whether the workflows are executed correctly after assigning these roles. If this is not the case, check which authorizations are missing. You can use the system trace (transaction ST01) to determine missing authorizations. Select the trace component 'Authorization check' and use the filter to restrict the trace to the system user. The authorization trace displays failed authorization checks. Add these authorizations to an existing or new role and assign it to the system user.

  - Check the execution of the workflows again and repeat the trace process and the role adjustment if required.
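One way to verify the target state of the procedure above is to audit exports of the user's profile and role assignments. This is an added example, not part of the SAP note: it assumes CSV exports of the tables UST04 (user to profile) and AGR_USERS (role to user) with the column names shown, and the sample rows, the role Z_HR_WORKFLOW_APP and the T-WF... profile names are constructed.

```python
import csv
import io

SERVICE_ROLE = "SAP_BC_BMT_WFM_SERV_USER"  # PFCG role delivered by the note
BROAD_PROFILE = "SAP_ALL"                  # profile the note wants removed

# Constructed sample exports (assumed CSV layout of UST04 and AGR_USERS).
UST04_CSV = """MANDT,BNAME,PROFILE
100,WF-BATCH,SAP_ALL
100,WF-BATCH,T-WF000001
100,DDIC,SAP_ALL
200,WF-BATCH,T-WF000002
"""
AGR_USERS_CSV = """MANDT,AGR_NAME,UNAME,FROM_DAT,TO_DAT
100,SAP_BC_BMT_WFM_SERV_USER,WF-BATCH,20090101,20091231
100,Z_HR_WORKFLOW_APP,WF-BATCH,20100101,99991231
200,SAP_BC_BMT_WFM_SERV_USER,WF-BATCH,20100101,99991231
"""

def rows(text, client, user_col, user):
    """Yield rows of a CSV export that belong to one client and user."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["MANDT"] == client and row[user_col] == user:
            yield row

def audit_system_user(ust04, agr_users, client, today, user="WF-BATCH"):
    """Return (severity, message) findings for the workflow system user."""
    profiles = {r["PROFILE"] for r in rows(ust04, client, "BNAME", user)}
    # Count only role assignments valid on `today` (YYYYMMDD sorts by date).
    roles = {r["AGR_NAME"] for r in rows(agr_users, client, "UNAME", user)
             if r["FROM_DAT"] <= today <= r["TO_DAT"]}
    if not profiles and not roles:
        # The RFC destination may name a user other than WF-BATCH.
        return [("CHECK", f"{user} has no assignments in client {client}; "
                          "confirm the user in the RFC destination")]
    findings = []
    if BROAD_PROFILE in profiles:
        findings.append(("HIGH", f"{BROAD_PROFILE} is assigned to {user}"))
    if SERVICE_ROLE not in roles:
        findings.append(("MEDIUM", f"{SERVICE_ROLE} is not actively assigned"))
    for role in sorted(roles - {SERVICE_ROLE}):
        findings.append(("INFO", f"justify {role} against active workflows"))
    return findings

if __name__ == "__main__":
    for client in ("100", "200", "300"):
        print(client, audit_system_user(UST04_CSV, AGR_USERS_CSV, client, "20240101"))
```

The INFO findings list the application roles that still have to be matched against the active workflows, which is the part the ST01 trace loop refines.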

Header Data

Language:             English
Released On:          10.12.2009 12:30:14
Release Status:       Released for Customer
Component:            BC-BMT-WFM-RUN Runtime
Priority:             Correction with medium priority
Category:             Program error
Externally Reported:  Yes

Validity

Software Component   From Rel.   To Rel.   And Subsequent
SAP_BASIS            610         640
                     700         702
                     710         720

Correction Instructions

Software Component   Valid from   Valid to   Number
SAP_BASIS            610          610        1171230
                     620          620        1171231
                     640          640        1171232
                     700          700        1171233
                     701          701        1171234
                     702          702        1171235
                     710          710        1171236
                     711          711        1171237
                     720          720        1171238

Support Packages & Patches

Support Packages

Software Component   Release   Support Package
SAP_BASIS            711       SAPKB71101
                     710       SAPKB71007
                     700       SAPKB70018
                     701       SAPKB70103
                     640       SAPKB64024
                     710       SAPKB71010
                     711       SAPKB71105
                     620       SAPKB62068
                     640       SAPKB64026
                     720       SAPKB72003
                     702       SAPKB70203
                     700       SAPKB70022
                     701       SAPKB70107

References

This document refers to:

SAP Notes

1177624   Recommendations for the standard CA Workflow Customising
1511672   BPE-RUN: Error in SWF_XI_CUSTOMIZING (RFC destination)
1694325   No RFC authorization for function SWE_BATCHJOB_DELETE
547419    FAQ workflow, settings and Customizing
1041016   Workflow setup in new installations for BRM

This document is referenced by:

SAP Notes (5)

1694325   No RFC authorization for function SWE_BATCHJOB_DELETE
1041016   Workflow setup in new installations for BRM
1177624   Recommendations for the standard CA Workflow Customising
1511672   BPE-RUN: Error in SWF_XI_CUSTOMIZING (RFC destination)
547419    FAQ workflow, settings and Customizing