cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Confidential documents in KM: How to secure individual employee documents

Go to solution
Former Member

on ‎09-26-2007 10:21 PM

0 Kudos

Hello KM experts!

We store W2 documents that we get from a third party as pdf files in a folder in KM. There are a couple of thousand documents every year that we need to store in KM and make them available for employees. The file names are encrypted and consist of a bunch of numbers - you would not be able to tie a document to an employee by looking at the file name.

The third party company sends us an index file that ties the document name to an employee number.

We upload this index file to a custom table in SAP backend.

We have developed a custom web dynpro application that looks up the employee number of the logged in user at runtime and then gets the associated documents from the custom table and displays the W2 statements for that user.

This is all working according to user requirements.

Here is our issue:

The pdf files are all stored in one folder in KM that has read access for group everyone!

We have disabled the standard navigation iView to ensure nobody can browse the KM folders but the documents itself are still not secure enough.

One could still view somebody elses W2 statement by constructing the correct URL path - it would be tough getting a hit with the encrypted file names but still possible.

Any idea on how we could secure the documents better?

Uploading them to each users personal folder would be an idea but how to go about that? We would need for each year a folder in the personal folder of the user as users can filter W2 statements by year in the custom web dynpro application. In addition we would need to have a program that creates those year folders automatically and based on the index file puts the files into the correct personal folders.

A quite crazy idea that I have is to create a service specific user and assign read access of the W2 folder and all pdf files to only that user. In the web dynpro application I would then access the pdf files only with that service user but I have no idea if that is even feasible.

Sorry for the long description of the problem but any help is appreciated.

I will surely reward points for useful and problem related answers - just dumping some help/SDN links that have nothing to do with the issue will not yield any points!

Thanks,

Harald

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

frank_friedrich
Contributor
‎09-27-2007 10:13 AM
0 Kudos

Hi Harald,

so you get as well from me a link at sdn.....

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/e2ddd63d-0b01-0010-46bb-e09...

it is a code sample for Implementing a Read-Only Security Manager.

And don't forget to reward a lot of points.

All joking aside.

The main point is what you have mentioned: defining a repository with read permission to everybody means everybody can access the files even they doen't have a role with an Navigation iView. You can as well use Explorer do enter the WebDAV Url to this repository and everybody can access the pdf files.

There are a few of conceptionals solutions for your issue.

One solution could be to implement your own security manager. See the URL with a code sample. You have to assign this security manager to your repository instead of using the aclSecurityManager.

Your own security manager has to read the portal user name, afterwords the employee numer of your W2 table and have a look in your W2 index table if the user is allowed to open the file.

The advantage of implementing your own security manager is you can now use every portal / km service and iView. That means you can use TREX for indexing, your can use the KM Navigation iView and so on.

The disadvantage: for every file in the repository the security manager will be called. That's why this coding (of your security manager) must have a (very) good performance.

Best Regards

Frank

Show replies
Show replies
Former Member
‎09-27-2007 7:34 PM
0 Kudos

Hello Frank!

Thanks for the link - I already got that one though but still I gave you 'lots' of points for at least taking the time and replying. We disabled WebDAV to prevent users mapping to KM folders.

It looks like creating your own security manager is the way to go with caching enabled to prevent performance issues.

If I don't get any other answers then I will close this thread and award you full points.

Thanks again for your help,

Harald

Answers (0)

Ask a Question