Solution : https://service.sap.com/sap/support/notes/1251255 (SAP Service marketplace login required)
Summary :
This SAP Note addresses the issue with the system user WF-BATCH, which by default gets assigned the authorization profile SAP_ALL, potentially granting excessive privileges. The note introduces a correction that prevents SAP_ALL from being assigned to WF-BATCH in the process of 'Configure RFC Destination' under SWU3 transaction in SAP_BASIS 610 and later. Additionally, a new PFCG role, SAP_BC_BMT_WFM_SERV_USER, is provided for SAP_BASIS 640 upwards, encapsulating essential but limited authorizations for workflow management without application-specific privileges. Instructions are given for setting up this role and enhancing it with necessary application permissions based on active workflows.
Key words :
authorization trace displays failed authorization checks, function 'perform automatic workflow customizing, require additional application-specific authorizations, rfc destination workflow_local_<client>, activity 'configure rfc destination', trace component 'authorization check', application-specific authorizationsin addition, automatic workflow customizing, sap business workflow, authorization object plog
Related Notes :
| 1511672 | BPE-RUN: Error in SWF_XI_CUSTOMIZING (RFC destination) |