<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hello Sue,</div><div><br></div><div>the philosophy for ArchiveLink is the general rule: If you can access the Business Object, you can also access the linked documents. However, there's still an additional auth.check performed regarding the Archivelink's document type.</div><div><br></div><div>This document type is only available when you access the document through the business object, as the doc.type represents the bridge between the image and the bus.document.</div><div><br></div><div>When you access an ArchiveLink image from a different entry point, such as the workflow protocol, this document type isn't applicable and therefor cannot be checkes against authorizations.</div><div><br></div><div>There are several possible ways to achieve a better restriction for your requirement.</div><div>- One is, as Kjetil has proposed here, to add an additional check on a subtype. This would also mean that you need to find a very general algorith,. as the image object type is used system wide and mayhaps in very different scenarios. To make a reverse search for the doctype you could walk through the link tables TOA01,02,03,HR but be prepared to get several result entries.</div><div>- Restrict the access to the workflow protocol, e.g. on the level of the classification of the pattern.</div><div>- Restrict access to a generic search for workflows. No business user should need to use SWI1 or SWI6 transaction</div><div>- Link the ArchiveLink image and the workflow more specifically to an infotype, instead of the whole applicant. Then there is a more detailed authorization check performd, before the user comes to access the protocol.</div><div><br></div><div>With the very best wishes</div><div> Florin</div><div><br>Am 29.04.2014 um 17:37 schrieb Sue Doughty <<a href="mailto:Sue.Doughty@odfl.com">Sue.Doughty@odfl.com</a>>:<br><br></div><blockquote type="cite"><div><!-- Template generated by Exclaimer Mail Disclaimers on {Current Date} -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="Generator" content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Arial","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1"><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">We are on SAP Basis 731.<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">A workflow event gets triggered for an Employee when an image is scanned or uploaded to their record in SAP….. (BO PREL). Each document uploaded or scanned is linked to a document type in SAP depending on what kind of document it is. Security is set for each document type as to who can view the image. The workflow instantiates the BO Image and then has a Decision task for the user to display the image.<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">We have discovered that when a workflow log is displayed via GOS and the line is clicked that displays the image (BO IMAGE, Method Display), the link to the image is under the Objects and attachments. <o:p></o:p></span></p><p class="MsoNormal"><image001.png><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">When the link there is clicked the image is displayed…..bypassing the document type security.<o:p></o:p></span></p><p class="MsoNormal"><image002.png><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">If I go into PA20 and display the image via the Extras</span><span style="font-size:10.0pt;font-family:Wingdings;color:#1F497D">à</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Display all facsimiles, I get an authorization error.<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><image003.png><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Is there a way to remove the link from the Objects and Attachments so that the image cannot be viewed from there? Or is there a way for the link to respect the document type security?<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Any help would be greatly appreciated!<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p></div></div><br>
<table style="BORDER-COLLAPSE: collapse" class="363c970e-2b6a-49cd-a4eb-08ef9e6293f7Table" border="0" cellspacing="0" cellpadding="0" cols="2">
<tbody>
<tr>
<td><span style="FONT-FAMILY: Arial; COLOR: #006133; FONT-SIZE: 11pt; FONT-WEIGHT: bold">Sue Doughty</span><br><span style="FONT-FAMILY: Arial; COLOR: #687b69; FONT-SIZE: 10pt; FONT-WEIGHT: normal"><span style="font-family:Arial; ">SAP Workflow Analyst</span></span></td>
<td height="55" width="55" align="right"><a href="http://www.odfl.com"><img id="IMG1" border="0" src="http://www.odfl.com/signature/signature_od_37x37.png" width="37" height="37"></a></td></tr></tbody></table><span style="FONT-FAMILY: Arial; COLOR: #d4772d; FONT-SIZE: 9pt; FONT-WEIGHT: normal"><span style="font-family:Arial; font-size:9pt; "><span style="font-family:Arial; font-size:9pt; ">Office: </span>(336) 822-5189</span><br>Email: <span style="font-family:Arial; font-size:9pt; "><span style="font-family:Arial; font-size:9pt; "><a href="mailto:Sue.Doughty@odfl.com" title="Click to send email to Sue Doughty" target=""><span style="font-family:Arial; font-size:9pt; ">Sue.Doughty@odfl.com</span></a></span></span></span><br>
<table style="BORDER-COLLAPSE: collapse" class="363c970e-2b6a-49cd-a4eb-08ef9e6293f7Table" border="0" cellspacing="0" cellpadding="0" cols="1">
<tbody>
<tr>
<td height="30"><span style="FONT-FAMILY: Arial; COLOR: #687b69; FONT-SIZE: 10pt; FONT-WEIGHT: normal">Helping
the World Keep
Promises.<sup>®</sup></span></td></tr></tbody></table><span style="FONT-FAMILY: Arial; COLOR: #006133; FONT-SIZE: 9pt">Old Dominion Freight
Line, Inc.<br>500 Old Dominion Way<br>Thomasville, NC 27360<br><a style="FONT-FAMILY: Arial; FONT-SIZE: 9pt" href="http://www.odfl.com">www.odfl.com</a></span><br>
<table style="BORDER-COLLAPSE: collapse" class="363c970e-2b6a-49cd-a4eb-08ef9e6293f7Table" border="0" cellspacing="0" cellpadding="0" cols="4">
<tbody>
<tr>
<td height="50" width="30"><span style="FONT-FAMILY: Arial; FONT-SIZE: 9pt"><a href="http://www.facebook.com/OldDominionFreightLine"><img id="IMG1" border="0" align="middle" src="http://www.odfl.com/signature/signature_facebook_25x25.png" width="25" height="25"></a></span></td>
<td height="50" width="29"><a href="http://twitter.com/ODFL_Inc"><img id="IMG1" border="0" align="middle" src="http://www.odfl.com/signature/signature_twitter_25x25.png" width="25" height="25"></a></td>
<td height="50" width="31"><a href="http://www.youtube.com/ODFLInc"><img id="IMG1" border="0" align="middle" src="http://www.odfl.com/signature/signature_youtube_25x25.png" width="27" height="27"></a></td>
<td height="50" width="30"><a href="http://www.linkedin.com/company/old-dominion-freight-line"><img id="IMG1" border="0" align="middle" src="http://www.odfl.com/signature/signature_linkedin_25x28.png" width="28" height="25"></a></td></tr></tbody></table><span style="FONT-FAMILY: Arial; FONT-SIZE: 9pt" class="363c970e-2b6a-49cd-a4eb-08ef9e6293f7">CONFIDENTIALITY
NOTICE: The information contained in this message may be confidential,
privileged, proprietary, or otherwise legally exempt from disclosure. If the
reader of this message is not the intended recipient, or an employee or agent
responsible for delivering this message to the intended recipient, you are
hereby notified that you are not authorized to read, print, retain, copy or
disseminate this message, any part of it, or any attachments. If you have
received this message in error, please delete this message and any attachments
from your system without reading the content and notify the sender immediately
of the inadvertent transmission. Thank you for your
cooperation.</span><br><br><br>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>SAP-WUG mailing list</span><br><span><a href="mailto:SAP-WUG@mit.edu">SAP-WUG@mit.edu</a></span><br><span><a href="http://mailman.mit.edu/mailman/listinfo/sap-wug">http://mailman.mit.edu/mailman/listinfo/sap-wug</a></span><br></div></blockquote></body></html>