Authorizations For The System User (WF-BATCH) : Symptom
Symptom
You use a system user to execute and manage workflows.
This system user has been defined in the RFC destination WORKFLOW_LOCAL_<client>. In most cases, this is called WF-BATCH. However,
you can define a different user.
Other Terms
PFCG
In addition, no corresponding PFCG role is available to restrict the authorizations of the system user.
Solution
This note provides a correction and a new PFCG role.
After you implement this correction, the system ensures that the profile SAP_ALL is never assigned to the user WF-BATCH when you use
the function 'Perform Automatic Workflow Customizing (F9)'.
The correction is available as of SAP_BASIS 610 (see the correction instructions). The function for the activity 'Configure RFC
Destination' is not available in lower releases. As a result, the profile SAP_ALL is not assigned to the user WF-BATCH when you use
transaction SWU3 in these releases.
In addition, the PFCG role SAP_BC_BMT_WFM_SERV_USER is delivered for SAP_BASIS 640 and higher releases.
This role contains all authorizations that the workflow runtime requires for its accesses when executing and managing workflows.
However, it does not contain any application-specific authorizations. To use the SAP Business Workflow within an application, you
usually require additional application-specific authorizations.
If you want to restrict the authorization of the system user, proceed as follows:
1. Identify the active workflows in your system and the applications these are based on. Assign the existing roles for this
   application to the system user. These may be roles delivered by SAP, or customer-specific roles.
   This should cover most or even all required authorizations.
2. Check whether the workflows are executed correctly after assigning these roles.
3. If this is not the case, check which authorizations are missing. You can use the system trace (transaction ST01) to
   determine missing authorizations. Select the trace component 'Authorization check' and use the filter to restrict the
   trace to the system user.
4. The authorization trace displays failed authorization checks. Add these authorizations to an existing or new role and
   assign it to the system user.
5. Check the execution of the workflows again and repeat the trace process and the role adjustment if required.
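The trace-and-adjust loop above can be supported by a small script that condenses the failed checks for the system user into a worklist per authorization object. This is an added example, not part of the SAP note: the semicolon-delimited export layout (user;object;rc;fields) and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: an authorization trace saved as delimited text.
# The column layout (user;object;rc;field=value pairs) is an assumption for
# this example; adapt the parsing to however you export the ST01 result.
SAMPLE_TRACE = """\
user;object;rc;fields
WF-BATCH;S_RFC;0;RFC_TYPE=FUGR,RFC_NAME=SWWA,ACTVT=16
WF-BATCH;S_BTCH_JOB;4;JOBGROUP=*,JOBACTION=RELE
WF-BATCH;M_BEST_EKO;12;EKORG=1000,ACTVT=02
WF-BATCH;M_BEST_EKO;12;EKORG=2000,ACTVT=02
DIALOG01;S_TCODE;4;TCD=SWU3
WF-BATCH;M_BEST_EKO;12;EKORG=1000,ACTVT=02
"""


def missing_authorizations(trace_text, user="WF-BATCH"):
    """Collect failed checks (rc != 0) for one user, merged per object and field."""
    missing = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(trace_text), delimiter=";"):
        if (row.get("user") or "").strip().upper() != user.upper():
            continue  # keep the result restricted to the system user
        try:
            rc = int(row["rc"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed lines instead of guessing
        if rc == 0:
            continue  # check passed, nothing to add to a role
        for pair in (row.get("fields") or "").split(","):
            field, sep, value = pair.partition("=")
            if sep:
                missing[row["object"].strip()][field.strip()].add(value.strip())
    return {obj: {f: sorted(v) for f, v in fields.items()}
            for obj, fields in sorted(missing.items())}


def role_worklist(trace_text, user="WF-BATCH"):
    """Render one line per object: the field values a role would need to cover."""
    return [f"{obj}: " + "; ".join(f"{f}={'/'.join(v)}" for f, v in fields.items())
            for obj, fields in missing_authorizations(trace_text, user).items()]


if __name__ == "__main__":
    print("\n".join(role_worklist(SAMPLE_TRACE)))
```

Review each worklist line before adding it to a role, and rerun the script on the next trace to confirm the list shrinks with each iteration.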
CVSS
CVSS Score : 0
SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration
or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For
more information, see the FAQ section at https://support.sap.com/securitynotes .
Software Components
SAP_BASIS
Correction Instructions
Software Component Number of Correction Instructions
SAP_BASIS 9
Support Package
2199128 Job termination under system user WF-BATCH with role SAP_BC_BMT_WFM_SERV_USER