
SAP Security Note

1251255 - Authorizations for the system user (WF-BATCH)


Component: BC-BMT-WFM-RUN (Runtime), Version: 5, Released On: 10.12.2009

Symptom
You use a system user to execute and manage workflows. This system user is defined in the RFC destination WORKFLOW_LOCAL_<client>. In most cases it is called WF-BATCH, but you can define a different user.

The authorization profile SAP_ALL is assigned to the system user.


You want to restrict the authorizations of the system user.

Other Terms
PFCG

Reason and Prerequisites


You can create the RFC destination WORKFLOW_LOCAL_<client> using transaction SWU3 (Automatic Workflow Customizing), activity 'Configure RFC Destination'. If you use the function 'Perform Automatic Workflow Customizing (F9)' to do this, the system also creates the user WF-BATCH if it does not yet exist. In this case, the system copies all of the profiles of the user who executes transaction SWU3 to the new user. Because the administrator running SWU3 often holds SAP_ALL, the system user may be assigned the profile SAP_ALL as a result.

In addition, no corresponding PFCG role is available to restrict the authorizations of the system user.

Solution
This note provides a correction and a new PFCG role.

After you implement this correction, the system ensures that the profile SAP_ALL is never assigned to the user WF-BATCH when you use
the function 'Perform Automatic Workflow Customizing (F9)'.

The correction is available as of SAP_BASIS 610 (see the correction instructions). The function for the activity 'Configure RFC
Destination' is not available in lower releases. As a result, the profile SAP_ALL is not assigned to the user WF-BATCH when you use
transaction SWU3 in these releases.

In addition, the PFCG role SAP_BC_BMT_WFM_SERV_USER is delivered for SAP_BASIS 640 and higher releases. This role contains all authorizations that the workflow runtime itself requires to execute and manage workflows. However, it does not contain any application-specific authorizations. To use SAP Business Workflow within an application, you usually require additional application-specific authorizations.

If you want to restrict the authorization of the system user, proceed as follows:

Set the plan version in the role SAP_BC_BMT_WFM_SERV_USER


The role contains, for example, the authorization object PLOG (personnel planning). Assign your active plan version to the Plan
Version field and generate the authorization profile.

Assign the role SAP_BC_BMT_WFM_SERV_USER


In user maintenance (transaction SU01), remove all existing role and profile assignments from the system user, including SAP_ALL, and assign the single role SAP_BC_BMT_WFM_SERV_USER.

Add the application-specific authorizations


In addition, the system user must be assigned all of the application-specific authorizations that are required to execute your
active workflows.

To do this, proceed as follows:

Identify the active workflows in your system and the applications they are based on. Assign the existing roles for these applications to the system user. These may be roles delivered by SAP or customer-specific roles. This should cover most or even all of the required authorizations.

Check whether the workflows are executed correctly after assigning these roles.
If this is not the case, check which authorizations are missing. You can use the system trace (transaction ST01) to
determine missing authorizations. Select the trace component 'Authorization check' and use the filter to restrict the
trace to the system user.
The authorization trace displays failed authorization checks. Add these authorizations to an existing or new role and
assign it to the system user.

Check the execution of the workflows again and repeat the trace process and the role adjustment if required.
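The steps above (remove SAP_ALL from the system user, assign the workflow role, then use the ST01 authorization trace to find what is still missing) can be checked offline from exports. The following Python script is an added example written for this page; it is not SAP code and not part of the note. It works on two constructed inputs: a tab-separated user/assignment extract (client, user, role or profile name; the layout is an assumption, real SUIM or table exports differ) and a set of ST01 authorization-trace lines whose format is likewise assumed (user, client, object, return code, field=value pairs). The function name SWE_BATCHJOB_DELETE comes from the referenced note 1694325; all other names and values in the sample data are constructed.

```python
"""Offline audit of a workflow system user (WF-BATCH), per SAP Note 1251255.

Added example, not SAP code. Input formats are assumptions, see lead-in.
"""
import re
from collections import defaultdict

WF_ROLE = "SAP_BC_BMT_WFM_SERV_USER"
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}   # must never be on a service user

# Constructed extract: client \t user \t assigned role or profile (assumed layout).
ASSIGNMENT_EXTRACT = """\
100\tWF-BATCH\tSAP_ALL
100\tWF-BATCH\tS_A.SYSTEM
200\tWF-BATCH\tSAP_BC_BMT_WFM_SERV_USER
200\tWF-BATCH\tZ_SD_ORDER_APPROVAL
300\tZ_WFUSER\tSAP_NEW
"""

# Constructed ST01 authorization-trace lines (format assumed).
ST01_TRACE = """\
WF-BATCH 200 AUTH S_RFC RC=0 RFC_TYPE=FUNC;RFC_NAME=Z_WF_HELPER;ACTVT=16
WF-BATCH 200 AUTH V_VBAK_VKO RC=4 VKORG=1000;VTWEG=10;SPART=00;ACTVT=02
WF-BATCH 200 AUTH S_RFC RC=4 RFC_TYPE=FUNC;RFC_NAME=SWE_BATCHJOB_DELETE;ACTVT=16
WF-BATCH 200 AUTH V_VBAK_VKO RC=4 VKORG=2000;VTWEG=10;SPART=00;ACTVT=02
DDIC 200 AUTH S_TABU_DIS RC=12 DICBERCLS=SS;ACTVT=03
"""

TRACE_RE = re.compile(
    r"^(?P<user>\S+) (?P<client>\d{3}) AUTH (?P<obj>\S+) RC=(?P<rc>\d+)(?: (?P<fields>.*))?$"
)


def parse_assignments(text):
    """Return {(client, user): set(role_or_profile)} from the constructed extract."""
    result = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, user, name = line.split("\t")
        result[(client, user)].add(name)
    return dict(result)


def audit_system_user(assignments, client, user):
    """Findings for one workflow system user, following the note's guidance:
    no SAP_ALL/SAP_NEW, and the role SAP_BC_BMT_WFM_SERV_USER must be present."""
    names = assignments.get((client, user), set())
    findings = []
    broad = sorted(names & BROAD_PROFILES)
    if broad:
        findings.append(f"{user}/{client} holds broad profile(s): {', '.join(broad)}")
    if WF_ROLE not in names:
        findings.append(f"{user}/{client} lacks role {WF_ROLE}")
    return findings


def failed_checks(trace, user):
    """Collect failed checks (RC != 0) of `user` as {object: {field: [values]}}.
    This is the material to add to an existing or new role for the system user."""
    missing = defaultdict(lambda: defaultdict(set))
    for line in trace.splitlines():
        m = TRACE_RE.match(line)
        if not m or m["user"] != user or m["rc"] == "0":
            continue   # other users and successful checks are not of interest
        for pair in (m["fields"] or "").split(";"):
            if "=" in pair:
                field, value = pair.split("=", 1)
                missing[m["obj"]][field].add(value)
    return {obj: {f: sorted(v) for f, v in fields.items()} for obj, fields in missing.items()}


if __name__ == "__main__":
    assignments = parse_assignments(ASSIGNMENT_EXTRACT)
    for client in ("100", "200"):
        for finding in audit_system_user(assignments, client, "WF-BATCH") or ["OK"]:
            print(f"[{client}] {finding}")
    for obj, fields in failed_checks(ST01_TRACE, "WF-BATCH").items():
        print(f"missing {obj}: {fields}")
```

Repeat the trace and role adjustment loop from the note with real ST01 output: rerun the workflows, feed the new failed checks into `failed_checks`, add them to a role, and stop when the trace shows no RC != 0 for the system user.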

Manual Activities

CVSS
CVSS Score: 0
CVSS Vector: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A): no values given

SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://support.sap.com/securitynotes .

Attributes
Externally Reported: Yes

Software Components (and subsequent)
SAP_BASIS
SAP_BASIS
SAP_BASIS

Correction Instructions
SAP_BASIS: 9 correction instructions

Support Package
Software Component  Version  Support Package
SAP_BASIS           620      SAPKB62068
SAP_BASIS           640      SAPKB64024, SAPKB64026
SAP_BASIS           700      SAPKB70018, SAPKB70022
SAP_BASIS           701      SAPKB70103, SAPKB70107
SAP_BASIS           702      SAPKB70203
SAP_BASIS           710      SAPKB71007, SAPKB71010
SAP_BASIS           711      SAPKB71101, SAPKB71105
SAP_BASIS           720      SAPKB72003

This document refers to
SAP Note/KBA  Title
547419        FAQ workflow, settings and Customizing
1694325       No RFC authorization for function SWE_BATCHJOB_DELETE
1511672       BPE-RUN: Error in SWF_XI_CUSTOMIZING (RFC destination)
1177624       Recommendations for the standard CA Workflow Customising
1041016       Workflow setup in new installations for BCM


This document is referenced by
SAP Note/KBA  Title
1574002       WF-BATCH and SAP_WFRT Authorizations
3350293       Missing default authorization to forward workitems in background processing
2199128       Job termination under system user WF-BATCH with role SAP_BC_BMT_WFM_SERV_USER
2148160       Work item texts sporadically remain empty
1177624       Recommendations for the standard CA Workflow Customising
1041016       Workflow setup in new installations for BCM
1694325       No RFC authorization for function SWE_BATCHJOB_DELETE
547419        FAQ workflow, settings and Customizing
1511672       BPE-RUN: Error in SWF_XI_CUSTOMIZING (RFC destination)