Application Development Discussions
Restrict access to view email content in SOST for all users including the sender

Former Member
0 Kudos

Hi,

We've a program to send user id and password in an email for the newly created users. By passing i_sensitivity as P or E in the below line of code we could restrict access to view the email content in SOST transaction. This works fine for all users but the user who sent the email (i.e. the user id with which this program is run). Our requirement is to restrict everyone, including the user who created the user, from viewing the email content in SOST. We thought of removing the log from SOST programmatically but that is not an option as we want to retain it for a few days. Is there any other option to restrict access to view email content in SOST for all users (even for those with full access like basis or security team)?

I searched in SDN but didn't find anything related to restricting to all users. There were suggestions to delete SOST log, or restrict access to SOST etc. but I'm wondering if there is a way to achieve this programmatically or using some configuration.

DATA: document TYPE REF TO cl_document_bcs.

" HTML body from lt_hex; sensitivity 'P' (private) hides the content in SOST
document = cl_document_bcs=>create_document(
             i_type        = 'HTM'
             i_hex         = lt_hex
             i_sensitivity = 'P'
             i_subject     = lv_subject ).

Thanks

Ram

1 ACCEPTED SOLUTION

former_member585060
Active Contributor
0 Kudos

Hi,

What you can try is

1) Create a User 'EMAIL' who does not have SOST transaction authorization.

2) Now set that created user as the Sender for email generation.

DATA: sender TYPE REF TO cl_sapuser_bcs.

" sender object for an SAP user id (BCS_EXAMPLE_1 uses 'JOB_SCHED')
sender = cl_sapuser_bcs=>create( 'JOB_SCHED' ).

CALL METHOD send_request->set_sender
  EXPORTING
    i_sender = sender.


3) Pass I_SENSITIVITY = 'P'.

4) Now try to open the SOST transaction and the current mail.

It will show an error message that the "Document is confidential", as the logic tries to check for the Sender name and the User name who is trying to display in SOST transaction. So this way no one will be able to see the message.

And the User 'Email' will not have SOST authorization, so he cannot even open SOST.

Sample code from BCS_EXAMPLE_1

Thanks & Regards

Bala Krishna
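The four steps above, put together into one complete send routine. This is an added example and not code from the thread or from BCS_EXAMPLE_1; it assumes the dedicated sender user 'EMAIL' from step 1 already exists without SOST authorization, and the recipient address, subject and body text are constructed placeholders.

```abap
" Added example (not from the thread): send a mail as a dedicated sender
" user with no SOST authorization, with sensitivity 'P' so that SOST
" refuses to display the content to anyone but that sender.
" Assumptions: SAP user 'EMAIL' exists (step 1 above); the recipient
" address, subject and body are constructed placeholders.
REPORT z_send_confidential_mail.

DATA: send_request  TYPE REF TO cl_bcs,
      document      TYPE REF TO cl_document_bcs,
      sender        TYPE REF TO cl_sapuser_bcs,
      recipient     TYPE REF TO if_recipient_bcs,
      bcs_exception TYPE REF TO cx_bcs,
      lt_text       TYPE bcsy_text,
      lv_subject    TYPE so_obj_des,
      sent_to_all   TYPE os_boolean.

START-OF-SELECTION.
  TRY.
      " persistent send request
      send_request = cl_bcs=>create_persistent( ).

      " body as RAW text; i_sensitivity = 'P' marks the document private
      lv_subject = 'Your new SAP account'.
      APPEND 'Your initial password has been set.' TO lt_text.
      document = cl_document_bcs=>create_document(
                   i_type        = 'RAW'
                   i_text        = lt_text
                   i_sensitivity = 'P'
                   i_subject     = lv_subject ).
      send_request->set_document( document ).

      " sender = dedicated user 'EMAIL', not the dialog user running the report
      sender = cl_sapuser_bcs=>create( 'EMAIL' ).
      send_request->set_sender( i_sender = sender ).

      " recipient (constructed placeholder address)
      recipient = cl_cam_address_bcs=>create_internet_address(
                    'new.user@example.com' ).
      send_request->add_recipient( i_recipient = recipient ).

      " hand the mail over to SOST and commit the send request
      sent_to_all = send_request->send( i_with_error_screen = 'X' ).
      COMMIT WORK.
      IF sent_to_all = 'X'.
        WRITE: / 'Mail handed over to SOST'.
      ENDIF.

    CATCH cx_bcs INTO bcs_exception.
      WRITE: / 'BCS error, type:', bcs_exception->error_type.
  ENDTRY.
```

Because the SOST check compares the displaying user with the sender, the user running this report is no longer the sender and gets the "Document is confidential" message like everyone else; the only account that could open the content is 'EMAIL', which by construction cannot start SOST at all.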

5 REPLIES


0 Kudos

Hi Bala Krishna,

This is indeed a good solution but as per our requirement we'll be using different sender email ids depending on user type. We've about 10+ types of users and hence we've 10 different sender email addresses, and we expect this to increase in future. With your solution we've to create multiple user ids. We are creating the sender object by passing the email id directly (as shown below) and this email id is not associated to any particular user id. This works fine but the user who executes this program has the ability to view the email content.

DATA: sender TYPE REF TO cl_cam_address_bcs.

" sender built from a plain internet address, not tied to any SAP user id
sender = cl_cam_address_bcs=>create_internet_address( 'sender1@test.com' ).

CALL METHOD send_request->set_sender
  EXPORTING
    i_sender = sender.

If no other solution is possible, we'll try to go with the dummy user approach but we've to see if it is OK to create these many dummy user ids in my company.

Thanks

Ram

0 Kudos

There is an old thread regarding the same issue (conclusion is pretty much the same though):

http://scn.sap.com/thread/1102637

Why is it required to have 10 different senders? Such emails are usually sent from some kind of "generic" user ID whose account doesn't accept replies anyway. So I don't understand why the email can't be sent from just one address.

Also if this is such a high security environment, perhaps the whole process needs to be handled differently. I'm not an expert on this, but somehow sending emails from SAP doesn't seem super-secure anyway. Just a thought...

former_member213851
Active Contributor
0 Kudos

Hi Mohan,

Inside Include RSSOSOSTF01, method handle_before_user_command is invoked when you click display document. Here make use of Implicit Enhancements: Edit->Enhancement operation->Show Implicit Enhancements

In that, store the user id of the user inside a temporary variable, say gv_temp.

Here you need to put code to validate if the user id of the sender is the same as that of gv_temp.

If the above condition is satisfied then only display the document to the user, else display the error message "You are not authorized to view contents of this mail".

Best Regards,

Sachin

Former Member
0 Kudos

This is simply amazing....you want no one in the organization to view the mail that was sent, but the information is going by email, which must be the most insecure way to transfer information available in the world today.  What is so incredibly sensitive that it has to be hidden from the user who created the mail, but then can be read by any half-smart internet hacker anywhere?