‎2014 Feb 19 8:53 AM
Hi,
We're planning on using Business Document Services to store some documents.
It is important that only specific roles have access to the document and the plan was to define our own BDS classname and add the authorization object S_BDS_DS (with the specific classname parameter) to the roles requiring access.
However, we see that a number of other roles already have the authorization object S_BDS_DS with classname='*'. This means that they'll also have access to the new documents which they shouldn't have. There are quite a few roles with this access, so it will not be possible to "clean them up".
We could limit the access to the program retrieving the documents through the BDS BAPI, but users could always access transaction OAOR and bypass this additional check.
Are there any options for providing proper authorization in our case?
Are there alternatives to BDS that provide better security?
Regards
Dagfinn Parnas
PS: The BDS BAPI is in include LBDS_BAPIF01
‎2014 Feb 19 6:46 PM
I have used S_BDS_DS in the past so cleaning up the authorizations to not have * as CLASSNAME would be my first suggestion. Assuming the documents have a class set, you could try to use S_BDS_D since it seems to be used less frequently and especially not with * as LOIO_CLASS. I'm pinging the space to involve DMS experts.
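To scope the cleanup discussed in this thread, the following added example (not code from either poster or from SAP) lists the roles whose S_BDS_DS CLASSNAME values would cover a new class name. It assumes the role authorization values have been exported as CSV in the column layout of table AGR_1251 and that DELETED = 'X' marks an inactive value; the role names, the class name ZHR_CONTRACT and the sample rows are constructed.

```python
import csv
import io

# Constructed sample rows in the column layout of table AGR_1251
# (role name, auth object, authorization instance, field, low, high, deleted flag).
SAMPLE_AGR_1251 = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_HR_DOCS,S_BDS_DS,T-X100,CLASSNAME,ZHR_CONTRACT,,
Z_HR_DOCS,S_BDS_DS,T-X100,ACTVT,03,,
Z_BASIS_ALL,S_BDS_DS,T-X200,CLASSNAME,*,,
Z_BASIS_ALL,S_BDS_DS,T-X200,ACTVT,*,,
Z_SALES,S_BDS_DS,T-X300,CLASSNAME,ZHR*,,
Z_SALES,S_BDS_DS,T-X300,ACTVT,03,,
Z_MM_DOCS,S_BDS_DS,T-X400,CLASSNAME,BUS2000,BUS2999,
Z_OLD,S_BDS_DS,T-X500,CLASSNAME,*,,X
Z_OTHER,S_TCODE,T-X600,TCD,OAOR,,
"""

def value_covers(low, high, wanted):
    """Return True if one LOW/HIGH authorization value covers `wanted`."""
    if high:  # interval: simplified here to a plain string comparison
        return low <= wanted <= high
    if low.endswith("*"):  # '*' alone or a generic prefix such as 'ZHR*'
        return wanted.startswith(low[:-1])
    return low == wanted

def roles_granting(export_text, classname, allowed_roles,
                   auth_object="S_BDS_DS", field="CLASSNAME"):
    """Map each role outside `allowed_roles` to the values covering `classname`."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != auth_object or row["FIELD"] != field:
            continue
        if row["DELETED"] == "X":  # assumed to mark an inactive value
            continue
        if row["AGR_NAME"] in allowed_roles:
            continue
        if value_covers(row["LOW"], row["HIGH"], classname):
            value = row["LOW"] + ("-" + row["HIGH"] if row["HIGH"] else "")
            findings.setdefault(row["AGR_NAME"], []).append(value)
    return findings

if __name__ == "__main__":
    result = roles_granting(SAMPLE_AGR_1251, "ZHR_CONTRACT", {"Z_HR_DOCS"})
    for role, values in sorted(result.items()):
        print(f"{role}: CLASSNAME covered by {', '.join(values)}")
```

The same function can be pointed at S_BDS_D by passing `auth_object="S_BDS_D"` and `field="LOIO_CLASS"`. It checks only the class field, so a reported role still needs its ACTVT values reviewed.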