Hello All

Purpose: Prevent users to access confidential attachments in XK03 which contains bank account details - SSN etc., I tried to check through all existing forums, solutions etc. but please pardon if there is an obvious solution that I might have missed.

I tried multiple approaches:

(a) Option A is to secure at source - when vendor admin is uploading the attachment containing SSN details, please make sure to mask/block/encrypt whatever it takes to not to make SSN public for general consumption.

(2) Option B - OB23 -> this seems to help to suppress data at field level while we are focusing specifically on attachments

(3) Object F_LFA1_GRP -> vendor account group - can we create an account group for confidential vendors ->  potentially not an option as I understand all account groups can have confidential attachments, again its not about restricting access to account groups information just the attachments across all account groups.

(4) F_LFA1_BUK - on basis of company code - seems not relevant as behavior of authorization access to GOS should remain consistent across all company codes

(5) S_GUI -> seems plausible - if an user doesn't have authorization to download/upload/print - they can't actually view the attachments since they can't either upload/download/print of display from attachment list option.

But this object is too generic to be used for a particular t-code and one solution with least amount of customization is to link XK02/XK03 GOS functionality with an custom S_GUI (though I know sound of "custom s_gui" isnt pleasing at all) which doesn't allow document upload/download/print for users who should only have XK03 access while provides access to vendor admins who need access to upload attachments via XK02

(6) S_OC_ROLE - this object allows adding/deleting attachments for an user in GOS but you can only upload if you have S_GUI and can really view if you have S_GUI (seems I am own remote desktop - would that be an reason that S_GUI is coming into play heavily - I dont think so - thinking out loud)

(7) S_GOS_ATT - this is the first authorization object to be checked for authorizations to change/delete attachments from attachment list - and if an user doesnt have this object then next check is placed on S_OC_ROLE as per my investigation, (SAP NOTES: 1293080 and 1539457). This object only has 02/06 at activity level.

so based on investigation, most suitable solution at this stage based on initial research involves creating an custom s_gui, only giving access to vendor admins to this object, modify the GOS function module for XK02/XK03 to place authority check on this object, update su24 (all the usual std. steps etc. etc.), and not allow XK03 only user (i.e users who are only meant to display and are not vendor admins) to not to have S_GOS_ATT for object LFA1 (Vendor data) and also not to allow them access to S_OC_ROLE so that they dont delete/ any uplaoded attachments even by mistake.

Still better and most natural solution would have been to add an activity 03 in object S_GOS_ATT and allow display of data only through this object .. thinking if I should raise a SAP OSS incident to allow for this functionality ?

Please share your experiences/approach and thanks for your time!