Since SP28 a custom plugin point is available to enable some segregation of duties for workflow responsibility maintenance.
Note that the plugin is delivered OFF by default and must be activated to be effective.
The segregation of duties plugin enables you to specify subsets of workflow responsibility groupings which can be managed by specific teams. The segregation relies on the customer having a naming convention in place for their responsibility groups as it is patterns of the name that are used to define the segregation
All Journal approval groups in a company have a patter like : JOURNAL_<company code>_<level> Example : JOURNAL_US01_1
All vendor approval groups in a company have a pattern like VENDOR_<company_code> Example : VENDOR_US01
To separate the management of these approval groups you define two patterns
Journal administrators : JOURNAL_*
Vendor administrators : VENDOR_*
You can then assign appropriate security authorisation to the administrators to ensure they only manage their groups.
Important Note : The Approval Group (APP_GROUP) is the value that is checked.
Decision tree /PROMENTA/WF_RESP_MAINT should be copied and overridden to make changes
Node STEP=CONFIG –> KEY1=AUTHS_ACTIVE
Result=ON to activate, OFF to deactivate
Group ID List
This node contains the list of administrator “groups”. In the previous example this would be as shown below
Each group must then be assigned one (or more) patterns so the system can check if the user is allowed to manage a responsibility.
In the example below the group “JOURNAL” is assigned pattern JOURNAL_*
The authorisations objects below are used to assign groups and permission levels to administrator users via SAP roles
YZYWSKEY2=<Group ID> The Group Id is taken from the group id in the decision tree above
ACTVT = 02 (for maintenance access)