https://community.sap.com/t5/application-development-and-automation-discussions/authorization-and-bds/m-p/10099387#M1814835 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>We're planning on using Business Document Services to store some documents. </P><P></P><P>It is important that only specific roles have access to the document and the plan was to define our own BDS classname and add the authorization object S_BDS_DS (with the specific classname parameter) to the roles requiring access.</P><P></P><P>However, we see that a number of other roles already have the authorization object S_BDS_DS with classname='*'. This means that they'll also have access to the new documents which they shouldn't have. There are quite a few roles with this access, so it will not be possible to "clean them up". </P><P></P><P></P><P>We could limit the access to the program retriving the documents through the BDS BAPI, but user could always access transaction OAOR and bypass this additional check.</P><P></P><P>Are there any options for providing proper authorization in our case?</P><P>Are there alternatives to BDS that provide better security?</P><P></P><P>Regards</P><P>Dagfinn Parnas</P><P></P><P></P><P></P><P>PS BDS BAPI is in include LBDS_BAPIF01</P></BODY></HTML> Wed, 19 Feb 2014 08:53:11 GMT Former Member 2014-02-19T08:53:11Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-and-bds/m-p/10099387#M1814835 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>We're planning on using Business Document Services to store some documents. </P><P></P><P>It is important that only specific roles have access to the document and the plan was to define our own BDS classname and add the authorization object S_BDS_DS (with the specific classname parameter) to the roles requiring access.</P><P></P><P>However, we see that a number of other roles already have the authorization object S_BDS_DS with classname='*'. This means that they'll also have access to the new documents which they shouldn't have. There are quite a few roles with this access, so it will not be possible to "clean them up". </P><P></P><P></P><P>We could limit the access to the program retriving the documents through the BDS BAPI, but user could always access transaction OAOR and bypass this additional check.</P><P></P><P>Are there any options for providing proper authorization in our case?</P><P>Are there alternatives to BDS that provide better security?</P><P></P><P>Regards</P><P>Dagfinn Parnas</P><P></P><P></P><P></P><P>PS BDS BAPI is in include LBDS_BAPIF01</P></BODY></HTML> Wed, 19 Feb 2014 08:53:11 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-and-bds/m-p/10099387#M1814835 Former Member 2014-02-19T08:53:11Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-and-bds/m-p/10099388#M1814836 <HTML><HEAD></HEAD><BODY><P>I have used S_BDS_DS in the past so cleaning up the authorizations to not have * as CLASSNAME would be my first suggestion. Assuming the documents have a class set, you could try to use S_BDS_D since it seems to be used less frequently and especially not with * as LOIO_CLASS. I'm pinging the <A __default_attr="2138" __jive_macro_name="community" class="jive_macro_community jive_macro" data-orig-content="SAP Document Management" href="https://community.sap.com/"></A> space to involve DMS experts.</P></BODY></HTML> Wed, 19 Feb 2014 18:46:11 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-and-bds/m-p/10099388#M1814836 Former Member 2014-02-19T18:46:11Z