10-10-2007 11:12 PM
Hi all,
It is possible to control the access to office documents that can be created/deleted/modified that is used in "Attachment List" (for instance, in a FI document viewed in transaction FB03) ?
Is is possible to control what actions can be executed by a user ? (for instance, don't give the delete access)
I've search for possible authorization objects and find two that are use in standard authorizations checks, but the second object only checks if the actual user is a Administrator (that can perform any operation) or the attach owner:
S_OC_DOC
S_OC_ROLE
Any help appreciated.
Thanks in advance!
Nuno
10-11-2007 4:22 AM
Hi,
please check if you are using S_WFAR_OBJ object ,just give take out activity 06 (delete) from user authorization profile/role.
10-11-2007 10:30 PM
Thanks for the reply BN,
I've managed to debug the code, and find that in method 'EXECUTE' for class 'CL_MSG_AL_ITEM', the authority check uses the 'S_OC_ROLE' and tries to check if the user have Administrator privileges.
###########################################
WHEN cl_gos_attachments=>gc_cmd_delete.
AUTHORITY-CHECK OBJECT 'S_OC_ROLE'
ID 'OFFADMI'
FIELD 'ADMINISTRATOR'.
IF sy-subrc = 0 OR sy-uname = gp_owner.
CALL METHOD lo_docsrv->delete_url
EXPORTING
is_lporb = gs_lporb
ip_url = lp_objkey.
rp_commit = 'X'.
.........
###########################################
.. and if you have administrator access, the user can do any activity in the attached document.. is this correct ?
Thanks!