on 02-03-2015 3:28 AM
Dear all,
after configuring the FF Access Request and also the FF Log Review workflows, and double-checking all post-implementation guides as well as the discussions on SCN, I still have an issue.
While running through the WF I can submit / approve the ticket for each of the workflows, but nothing happens afterwards. The Audit Log each time says e.g. "access is approved" or log is "approved by FF_CONTROL", but the workflow remains in the MSMP Instance Runtime Monitor on "decision pending" and is not coming to an end.
Does anyone have some good ideas?
Thanks,
Christian
So, quite interesting. When assigning SAP_ALL to the FF-Owner or FF-Controller for processing the approval, it works. So it is an authorization issue, and SU53 is evidencing that. Based on that issue log, there is a large number of authorizations missing.
So my question for you would now be: what roles are you assigning to your Owner/Controller to run smoothly through the workflows?
Thanks!
Hi Christian
looks like you found the root cause. There are SAP standard roles that you can use as the basis.
Generally, I run a trace to identify the authorisations (transaction STAUTHTRACE is great) and then sift through them to build the role. I pretty much take this approach for any security build (as well as using SU24 data as guidelines). SU24 data didn't help me much as none of the webdynpros or services had proposed values.
Controller and Owner access will vary across everyone's system as it depends on whether workflow, etc. is being used.
Regards
Colleen
Hi Christian
Try removing S_CTS_ADMI and S_CTS_SADM from the role. These are most likely misleading authorisation checks (sometimes authorisation failure is a good thing and won't negatively impact the users). SU53 and security trace files provide some of the picture but shouldn't be taken as is. If they are needed, I would raise an incident with SAP.
S_RFC should be restricted to explicit values. Depending on the GRAC_REQ values, you may not need all activities (sometimes it loops through each value until you have at least one of the activities). These two objects do make sense as being required.
Regards
Colleen
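A sketch of the "trace, then sift" approach from the two replies above, as an added example that is not part of the original thread. It assumes the trace results were exported to a simplified CSV (the column names, the user FF_OWNER and the sample values are constructed, not the real STAUTHTRACE layout) and holds back the objects the reply suggests leaving out instead of copying every failed check into the role.

```python
import csv
import io
from collections import defaultdict

# Objects the reply treats as likely misleading checks: report them, do not add them.
REVIEW_OBJECTS = {"S_CTS_ADMI", "S_CTS_SADM"}

# Constructed sample export; the layout is an assumption made for this example.
# rc 0 = check passed, non-zero = check failed.
SAMPLE = """\
user,object,field,value,rc
FF_OWNER,S_RFC,RFC_TYPE,FUGR,4
FF_OWNER,S_RFC,RFC_NAME,ZFF_DEMO_GROUP,4
FF_OWNER,S_RFC,ACTVT,16,4
FF_OWNER,S_RFC,ACTVT,16,4
FF_OWNER,S_TCODE,TCD,ZFF_DEMO,0
FF_OWNER,S_CTS_ADMI,CTS_ADMFCT,TABL,12
FF_CONTROL,S_RFC,RFC_NAME,ZFF_DEMO_GROUP,4
"""


def build_proposal(trace_csv, review_objects=REVIEW_OBJECTS):
    """Collapse failed checks into explicit values per user/object/field.

    Returns (proposal, held_back): proposal maps user -> object -> field ->
    sorted explicit values; held_back lists (user, object) pairs that failed
    but are kept out of the role pending manual review.
    """
    values = defaultdict(set)
    held_back = set()
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if int(row["rc"]) == 0:
            continue  # the user already has this authorisation
        if row["object"] in review_objects:
            held_back.add((row["user"], row["object"]))
            continue
        # Duplicates from repeated checks collapse into one explicit value.
        values[(row["user"], row["object"], row["field"])].add(row["value"])
    proposal = {}
    for (user, obj, field), vals in sorted(values.items()):
        proposal.setdefault(user, {}).setdefault(obj, {})[field] = sorted(vals)
    return proposal, held_back


if __name__ == "__main__":
    proposal, held_back = build_proposal(SAMPLE)
    print(proposal)
    print("held back for review:", sorted(held_back))
```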
Hi Christian
not sure if these are "good ideas" so I'll let you be the judge
Regards
Colleen
Hi Colleen,
thanks for your prompt answer. Here are my thoughts:
The funny thing is, when rejecting an FF access request, this is running through properly.
Any ideas?
Thanks again,
Christian