WF-BATCH, or the system user, is responsible for executing and managing all background jobs in workflows. This system user is defined in the RFC destination WORKFLOW_LOCAL_<client>. The system user has the SAP_ALL authorization assigned.
You can create the RFC destination WORKFLOW_LOCAL_<client> using transaction SWU3 (Automatic Workflow Customizing), activity 'Configure RFC Destination'. If you use the function 'Perform Automatic Workflow Customizing (F9)' to do this, the system also creates the user WF-BATCH if it does not yet exist. In this case, the system assigns all of the profiles of the user who executes transaction SWU3 to this user. The system may assign the profile SAP_ALL as a result.
The system ensures that the profile SAP_ALL is never assigned to the user WF-BATCH when you use the function 'Perform Automatic Workflow Customizing (F9)'.
If you want to restrict the authorization of the system user, proceed as follows:
- Set the plan version in the role SAP_BC_BMT_WFM_SERV_USER
The role contains, for example, the authorization object PLOG (personnel planning). Assign your active plan version to the Plan Version field and generate the authorization profile.
- Assign the role SAP_BC_BMT_WFM_SERV_USER
Use the user maintenance to remove the assignment for all roles and profiles, and assign the single role SAP_BC_BMT_WFM_SERV_USER.
- Add the application-specific authorizations
In addition, the system user must be assigned all of the application-specific authorizations that are required to execute your active workflows.
To do this, proceed as follows:
- Identify the active workflows in your system and the applications these are based on. Assign the existing roles for this application to the system user. These may be roles delivered by SAP, or customer-specific roles.
This should cover most or even all required authorizations.
- Check whether the workflows are executed correctly after assigning these roles.
If this is not the case, check which authorizations are missing. You can use the system trace (transaction ST01) to determine missing authorizations. Select the trace component 'Authorization check' and use the filter to restrict the trace to the system user.
The authorization trace displays failed authorization checks. Add these authorizations to an existing or new role and assign it to the system user.
- Check the execution of the workflows again and repeat the trace process and the role adjustment if required.
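The following added example (not SAP code and not part of the original text) shows one way to turn the failed checks from the trace into a list of authorization values to add to a role. It assumes the trace rows have been exported to a simplified CSV; the column layout, the function name missing_authorizations and the sample rows are constructed for this illustration and are not the native ST01 output format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. The column layout (user, rc, object, field_values)
# is an assumption of this example, not the native ST01 trace format.
SAMPLE_TRACE = """user,rc,object,field_values
WF-BATCH,0,S_RFC,RFC_TYPE=FUGR;RFC_NAME=ZEXAMPLE;ACTVT=16
WF-BATCH,4,PLOG,PLVAR=01;OTYPE=S;INFOTYP=1001;ISTAT=1;PPFCODE=DISP
WF-BATCH,4,PLOG,PLVAR=01;OTYPE=S;INFOTYP=1001;ISTAT=1;PPFCODE=DISP
WF-BATCH,12,M_BEST_EKO,ACTVT=02;EKORG=1000
WF-BATCH,4,M_BEST_EKO,ACTVT=03;EKORG=1000
DDIC,4,S_TCODE,TCD=SU01
"""


def missing_authorizations(trace_csv, user="WF-BATCH"):
    """Return {object: {field: sorted values}} for the user's failed checks."""
    needed = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(trace_csv)):
        # Skip other users and successful checks (return code 0).
        if row["user"] != user or int(row["rc"]) == 0:
            continue
        for pair in row["field_values"].split(";"):
            field, _, value = pair.partition("=")
            # Repeated failures collapse into one value per field.
            needed[row["object"]][field].add(value)
    # Merging values per field grants every combination of them, so review
    # the result before maintaining it in a role.
    return {obj: {f: sorted(v) for f, v in fields.items()}
            for obj, fields in needed.items()}


if __name__ == "__main__":
    for obj, fields in sorted(missing_authorizations(SAMPLE_TRACE).items()):
        print(obj)
        for field, values in sorted(fields.items()):
            print(f"  {field}: {', '.join(values)}")
```

Only the objects and values listed in the output need to be added to the role, which keeps the system user restricted to what the active workflows actually check.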