Workflow attachment bypasses document type security

Florin Wach florin.wach at gmx.net
Fri May 2 17:58:28 EDT 2014


Hello Sue,

the philosophy for ArchiveLink is the general rule: If you can access the Business Object, you can also access the linked documents. However, there's still an additional auth.check performed regarding the Archivelink's document type.

This document type is only available when you access the document through the business object, as the doc.type represents the bridge between the image and the bus.document.

When you access an ArchiveLink image from a different entry point, such as the workflow protocol, this document type isn't applicable and therefore cannot be checked against authorizations.

There are several possible ways to achieve a better restriction for your requirement.
- One is, as Kjetil has proposed here, to add an additional check on a subtype. This would also mean that you need to find a very general algorithm, as the image object type is used system wide and mayhaps in very different scenarios. To make a reverse search for the doctype you could walk through the link tables TOA01,02,03,HR but be prepared to get several result entries.
- Restrict the access to the workflow protocol, e.g. on the level of the classification of the pattern.
- Restrict access to a generic search for workflows. No business user should need to use the SWI1 or SWI6 transactions.
- Link the ArchiveLink image and the workflow more specifically to an infotype, instead of the whole applicant. Then there is a more detailed authorization check performed before the user comes to access the protocol.

With the very best wishes
   Florin
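As an added illustration of the first option above (example code written for this page, not code from the thread or from SAP), the ABAP sketch below reverse-searches the link tables TOA01/02/03/HR for every document type attached to an archive document id and fails closed unless the user is authorized for each one. The authorization object S_WFAR_OBJ with fields OAARCHIV, OAOBJEKTE, OADOKUMENT and ACTVT (03 = display) is assumed, and the class and method names are hypothetical.

```abap
CLASS lcl_al_doctype_check DEFINITION.
  PUBLIC SECTION.
    TYPES ty_links TYPE STANDARD TABLE OF toa01 WITH DEFAULT KEY.
    " Collect every link-table row that points at one archive document id.
    CLASS-METHODS find_links
      IMPORTING iv_arc_doc_id   TYPE toa01-arc_doc_id
      RETURNING VALUE(rt_links) TYPE ty_links.
    " True only if the caller may display the image under EVERY doc type found.
    CLASS-METHODS is_display_allowed
      IMPORTING iv_arc_doc_id     TYPE toa01-arc_doc_id
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_al_doctype_check IMPLEMENTATION.
  METHOD find_links.
    " TOA02, TOA03 and TOAHR carry the same link fields as TOA01, so one
    " internal table collects all four. The same image may appear more
    " than once (several business objects, several document types).
    SELECT * FROM toa01 APPENDING CORRESPONDING FIELDS OF TABLE rt_links
      WHERE arc_doc_id = iv_arc_doc_id.
    SELECT * FROM toa02 APPENDING CORRESPONDING FIELDS OF TABLE rt_links
      WHERE arc_doc_id = iv_arc_doc_id.
    SELECT * FROM toa03 APPENDING CORRESPONDING FIELDS OF TABLE rt_links
      WHERE arc_doc_id = iv_arc_doc_id.
    SELECT * FROM toahr APPENDING CORRESPONDING FIELDS OF TABLE rt_links
      WHERE arc_doc_id = iv_arc_doc_id.
  ENDMETHOD.

  METHOD is_display_allowed.
    DATA lt_links TYPE ty_links.
    DATA ls_link  TYPE toa01.
    rv_allowed = abap_false.
    lt_links = find_links( iv_arc_doc_id ).
    " Fail closed: an image with no link row has no document type to check.
    IF lt_links IS INITIAL.
      RETURN.
    ENDIF.
    LOOP AT lt_links INTO ls_link.
      " Assumed authorization object and field names (S_WFAR_OBJ).
      AUTHORITY-CHECK OBJECT 'S_WFAR_OBJ'
        ID 'OAARCHIV'   FIELD ls_link-archiv_id
        ID 'OAOBJEKTE'  FIELD ls_link-sap_object
        ID 'OADOKUMENT' FIELD ls_link-ar_object
        ID 'ACTVT'      FIELD '03'.
      IF sy-subrc <> 0.
        RETURN.   " one denied document type denies the whole image
      ENDIF.
    ENDLOOP.
    rv_allowed = abap_true.
  ENDMETHOD.
ENDCLASS.
```

The check is meant to be called before the image is rendered from the workflow protocol; because it passes the full business object type and not a subtype, it is the general variant Florin warns may need further narrowing.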

> On 29.04.2014 at 17:37, Sue Doughty <Sue.Doughty at odfl.com> wrote:
> 
> We are on SAP Basis 731.
>  
> A workflow event gets triggered for an Employee when an image is scanned or uploaded to their record in SAP... (BO PREL).  Each document uploaded or scanned is linked to a document type in SAP depending on what kind of document it is.  Security is set for each document type as to who can view the image.  The workflow instantiates the BO Image and then has a Decision task for the user to display the image.
>  
> We have discovered that when a workflow log is displayed via GOS and the line is clicked that displays the image (BO IMAGE, Method Display), the link to the image is under the Objects and attachments. 
>  
> When the link there is clicked the image is displayed... bypassing the document type security.
>  
> If I go into PA20 and display the image via Extras -> Display all facsimiles, I get an authorization error.
>  
> Is there a way to remove the link from the Objects and Attachments so that the image cannot be viewed from there?  Or is there a way for the link to respect the document type security?
>  
> Any help would be greatly appreciated!
>  
> 
> Sue Doughty
> SAP Workflow Analyst	
> Office: (336) 822-5189
> Email: Sue.Doughty at odfl.com
> Helping the World Keep Promises.®
> Old Dominion Freight Line, Inc.
> 500 Old Dominion Way
> Thomasville, NC 27360
> www.odfl.com
> 
> _______________________________________________
> SAP-WUG mailing list
> SAP-WUG at mit.edu
> http://mailman.mit.edu/mailman/listinfo/sap-wug