Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Structural Auths, workflow and substitution

former_member110461
Active Contributor

‎07-22-2008 3:19 PM

0 Kudos

Hi,

We have EP7 and ECC6. Users request leave, workflow goes to their manager and their manager approves / rejects it in the portal UWL. When they click on it in the UWL it calls a webdynpro (list of which are limited using S_SERVICE) which RFC's to ECC6.

Now the strange thing is that in the UWL you can define a substitute. They receive all of the workflows which are in your inbox. We are finding that when this is set up, the substitute can approve items, even though with structural authorisations they shouldn't be able to.

We have tested the substitute accessing pa30 for the relevant personnel record and the structural authorisations stop them accessing the personnel record.

So any ideas why it allows the substitute to approve the leave / expense requests?

Thanks

Paul

3 REPLIES 3

Former Member

‎07-22-2008 4:34 PM

0 Kudos

Hi Paul,

By the sound of it, the check is either not coded or the actual approval update is running in the context of the workflow engine, and that engine is authorized to process the approval if requested to do so.

Either way, a solution might be to look in the org structure when a person substitutes: That way, only authorized folks can be selected as a substitute?

Another option I have seen to deal with similar stuff, is to send a notification email to the real line manager in the org structure at the point where they (or a direct report) are cut out of the loop, as an "after-the-fact" way of controlling the substitute.

Cheers,

Julius

former_member110461
Active Contributor
In response to Former Member

‎07-23-2008 1:09 PM

0 Kudos

Thanks Julius,

The looking in the org. structure to validate the substitute is something which was being looked at longer term in any case, so that may be brought forward.

The fact that it could be processed within the workflow is slightly worrying. I had thought of it, but sort of hoped it wasn't doing that.

The e-mail is a good idea but probably not the one for this client - apparently the managers love delegating stuff!

Paul

Former Member
In response to Former Member

‎07-23-2008 1:50 PM

0 Kudos

> 

> The e-mail is a good idea but probably not the one for this client - apparently the managers love delegating stuff!

That sounds familiar, but they normally don't mind an email to inform about what's going on (or exceptions).

Take a look in the record (the approved one) under which context it is. If the end user ID is the "approver", it might still be a WAPI running in the workflow context.

Cheers,

Julius