
SAP Knowledge Base Article

1574002 - WF-BATCH and SAP_WFRT Authorizations


Component: BC-BMT-WFM-RUN (Runtime), Version: 9, Released On: 09.06.2023

Symptom
What are the necessary roles/authorizations for the workflow system users WF-BATCH and SAP_WFRT?

Environment
SAP Business Workflow
SAP NetWeaver
SAP Web Application Server for SAP S/4 HANA
ABAP PLATFORM - Application Server ABAP

Reproducing the Issue


1. When the workflow background user WF-BATCH is checked in SU01, it has the roles SAP_ALL & SAP_NEW assigned.
2. During an audit, the question of why this user has these powerful roles may be asked.

Cause
The security team has highlighted user WF-BATCH and needs justification as to why it has SAP_ALL or SAP_NEW or both.
Due to security compliance, the SAP_ALL & SAP_NEW roles are being removed from user WF-BATCH.

Resolution
1. SWU3 - activity 'Configure RFC Destination' - function 'Perform Automatic Workflow Customizing (F9)' creates user WF-BATCH if it does not exist. The system will assign all of the profiles of the user who executes transaction SWU3, therefore SAP_ALL may be assigned.
From release SAP_BASIS 610, SAP_ALL is no longer automatically assigned when performing the above activity. See note 1251255.

2. Role SAP_BC_BMT_WFM_SERV_USER, as of SAP_BASIS 640, contains all necessary authorizations that the workflow runtime needs to execute and manage workflows.
See note 1251255.
However, it does not contain any application-specific authorizations. To use the SAP Business Workflow within an application, additional application-specific authorizations are required.
This role is not available before Basis 640.

User WF-BATCH needs to be perceived as a part of the connectivity infrastructure. Technically it is a user, but it cannot perform any real action in dialog as it is a system user and therefore no dialog logon is possible.
Application-specific authorizations: WF-BATCH will need create, change and display access for the transactions used in the workflows.
For example: if only the Purchase Requisition workflow is used, then PR transactions like ME51N, 52N and 53N need to be given.
Extensive testing is required to ensure that all authorizations are assigned. It will vary from company to company and system to system.
Additional application authorizations will need to be added every time a new workflow is implemented.
Applications / background tasks will check authorizations not just for transactions, but also for:
specific objects and object type
object subtypes

3. As of S/4HANA On-Premise 1709, the workflow system user is changed to SAP_WFRT and the role assigned is SAP_BC_BMT_WFM_SERV_USER_PLV01. Note 2568271 has more details. Same as SAP_BC_BMT_WFM_SERV_USER, the role SAP_BC_BMT_WFM_SERV_USER_PLV01 does not have application-specific authorizations.
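
The check below is an added example, not part of the SAP KBA: it audits the two workflow system users for the SAP_ALL/SAP_NEW assignment and the runtime roles named above. It assumes rows exported from the user tables USR02, UST04 and AGR_USERS, ignores role validity dates, and assumes SAP_WFRT is also of user type System; the sample rows, JDOE and Z_BUYER are constructed.

```python
# Added audit sketch; sample rows below are constructed, not from a real system.
from collections import defaultdict

# Expected runtime role per workflow system user, as stated in the KBA.
EXPECTED_ROLE = {
    "WF-BATCH": "SAP_BC_BMT_WFM_SERV_USER",
    "SAP_WFRT": "SAP_BC_BMT_WFM_SERV_USER_PLV01",
}
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}
# USR02-USTYP "B" = System; assumed here to apply to SAP_WFRT as well.
SYSTEM_USER_TYPE = "B"


def audit_workflow_users(usr02, ust04, agr_users):
    """Return {user: [findings]} for the workflow system users present in usr02.
    usr02:     iterable of (BNAME, USTYP)
    ust04:     iterable of (BNAME, PROFILE)
    agr_users: iterable of (UNAME, AGR_NAME), validity dates not evaluated
    """
    profiles, roles = defaultdict(set), defaultdict(set)
    for user, profile in ust04:
        profiles[user.upper()].add(profile.upper())
    for user, role in agr_users:
        roles[user.upper()].add(role.upper())

    findings = {}
    for user, user_type in usr02:
        user = user.upper()
        if user not in EXPECTED_ROLE:
            continue  # only the workflow system users are in scope
        issues = []
        if user_type != SYSTEM_USER_TYPE:
            issues.append(f"user type is {user_type!r}, expected system user")
        for profile in sorted(profiles[user] & BROAD_PROFILES):
            issues.append(f"broad profile {profile} assigned")
        if EXPECTED_ROLE[user] not in roles[user]:
            issues.append(f"runtime role {EXPECTED_ROLE[user]} not assigned")
        findings[user] = issues
    return findings


# Constructed sample export: WF-BATCH still carries SAP_ALL/SAP_NEW, SAP_WFRT is clean.
USR02 = [("WF-BATCH", "B"), ("SAP_WFRT", "B"), ("JDOE", "A")]
UST04 = [("WF-BATCH", "SAP_ALL"), ("WF-BATCH", "SAP_NEW"), ("JDOE", "SAP_ALL")]
AGR_USERS = [("SAP_WFRT", "SAP_BC_BMT_WFM_SERV_USER_PLV01"), ("JDOE", "Z_BUYER")]

if __name__ == "__main__":
    for user, issues in audit_workflow_users(USR02, UST04, AGR_USERS).items():
        print(user, "OK" if not issues else "; ".join(issues))
```

A clean result only covers the runtime role; the application-specific authorizations still have to be verified per workflow, as described above.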

See Also
2366252 - Transaction SWU3 explained
2568271 - Change of workflow system user and workflow system jobs with S/4HANA On-Premise 1709

Keywords
WF_GDPR, SWF_WORKFLOW, WFMSTD, WF-BATCH, authorizations, SAP_BC_BMT_WFM_SERV_USER, system user, WORKFLOW_LOCAL_<client>, SAP_ALL, SAP_NEW,
PFCG, Automatic Workflow Customizing, SWU3, SOX, security, workflow, profile, RFC

Products

SAP NetWeaver all versions

This document refers to

SAP Note/KBA Title


2568271 Change of workflow system user and workflow system jobs with S/4HANA On-Premise 1709

1251255 Authorizations for the system user (WF-BATCH)

This document is referenced by


SAP Note/KBA Title

2589683 Change of agent during background work item processing

3323900 RFC destination "WORKFLOW_LOCAL_XXX" does not exist

2324075 Inbound Idocs getting stuck in status 62

2366252 Transaction SWU3 explained

2742229 Definition of job SWEQSRV is incomplete. Operation is not possible

1850076 ERMS inbound E-Mails: Error when processing node '0000000004' (ParForEach index 000000) - no agents could be determined

2297029 Job SWWERRE terminates

2238386 Strategy 'RR_MANAGER' did not determine any approvers

2214571 Collection Note: Workflow troubleshooting guides, FAQs and important notes

2146063 Problems related to triggering escalation E-Mails when using the ERMS inbound E-Mail workflow

2351803 Trouble Shooting for Workflow Issues in BAM Apps
