Symptom
- The error "No permission to access the attached file" is returned when saving an MDF record.
- An upsert performed as user API_USER fails with the error "No permission to access the attached file [attachmentName.pdf]. Attachment in field [cust_attachmentField] does not belong to the user [API_USER]. with the index 0"
Environment
SAP SuccessFactors HXM Core
Reproducing the Issue
Performing an upsert as user API_USER similar to the following results in the error. The request creates a new cust_ProgressiveDisciplinaryAction record for user ChanA and associates it with attachmentId=8361, which already exists in the Attachment object:
POST https://apisalesdemo4.successfactors.com/odata/v2/upsert?$format=json
Cause
This is expected behavior.
The error is thrown because the userId value stored in Attachment(8361) is not API_USER, the user who is creating the cust_ProgressiveDisciplinaryAction record.
The user API_USER is not authorized to access this attachment because the userId field maintained in this attachment is not "API_USER".
You need to use an admin user or a user who has access to that attachment. When an attachment is uploaded and saved, the system records the actual owner of the attachment (in this case, the user who uploaded and saved it). For security reasons, the attachment is accessible only to that user.
For example, if the attachment relates to payroll, the user to whom the document belongs should be able to access it, and other users should not.
An attachment cannot be set using a rule. That is an incorrect configuration.
Resolution
SuccessFactors does not support this functionality because it would be a security breach. There is therefore currently no way for a single attachment to be accessed by all users (on their own profile). Any given attachment belongs to a specific user's record, and the shared attachment concept is not supported anywhere in SuccessFactors, not just in MDF.
The user who is creating the custom MDF record must be the same user who is maintained in the userId field of the Attachment object/entity.
To verify what userId is maintained for a given Attachment record, the following OData API request can be used: https://apisalesdemo4.successfactors.com/odata/v2/Attachment(8360)?$select=userId (change to your own endpoint & attachmentId accordingly)
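The ownership check above can be run as a pre-flight step before a batch of upserts. The following is an added example, not SAP code: it builds the verification request from this article, reads `userId` from the OData v2 JSON body, and flags attachments the acting user does not own. The sample responses, the attachment ids 9001 and 9002, the owner shown for 8361, and the function names are constructed for illustration; exact string matching of userId is an assumption.

```python
import json
from typing import Callable, Dict, List, Optional

# Endpoint taken from this article; change to your own tenant.
BASE_URL = "https://apisalesdemo4.successfactors.com/odata/v2"


def owner_lookup_url(attachment_id: int, base_url: str = BASE_URL) -> str:
    """URL of the ownership check described in the Resolution section."""
    return f"{base_url}/Attachment({int(attachment_id)})?$select=userId&$format=json"


def owner_from_response(body: str) -> Optional[str]:
    """Return userId from an OData v2 JSON entity body ({"d": {...}}), or None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    entity = doc.get("d") if isinstance(doc, dict) else None
    user_id = entity.get("userId") if isinstance(entity, dict) else None
    return user_id if isinstance(user_id, str) and user_id else None


def preflight(acting_user: str, attachment_ids: List[int],
              fetch: Callable[[str], str]) -> Dict[int, str]:
    """Map each attachmentId to 'ok', 'owner-mismatch:<owner>' or 'owner-unknown'."""
    results = {}
    for att_id in attachment_ids:
        owner = owner_from_response(fetch(owner_lookup_url(att_id)))
        if owner is None:
            results[att_id] = "owner-unknown"   # fail closed: do not upsert
        elif owner == acting_user:              # assumption: exact string match
            results[att_id] = "ok"
        else:
            results[att_id] = f"owner-mismatch:{owner}"
    return results


# Constructed sample responses standing in for the live API (hypothetical data).
SAMPLE_RESPONSES = {
    owner_lookup_url(8361): '{"d": {"userId": "ChanA"}}',
    owner_lookup_url(9001): '{"d": {"userId": "API_USER"}}',
    owner_lookup_url(9002): '{"error": {"code": "NotFound"}}',
}


def sample_fetch(url: str) -> str:
    return SAMPLE_RESPONSES.get(url, "")
```

In real use, replace `sample_fetch` with a function that performs an authenticated GET against your own endpoint and returns the response body.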
Additional Note: As a workaround / alternative for such use cases (custom MDF with associated Attachments):
- You can also validate the use of OAuth 2.0 Authentication. This would result in the user creating their own custom MDF record.
- This could be useful in situations where existing Attachment records that already reference an employee's userId need to be associated with custom MDF object records.
Keywords
OData, API, upsert, Attachment, attachmentId, custom, cust_, MDF, userId, permission, does not belong to, INC2357784, KBA, LOD-SF-MDF-WFL, Custom Object based Workflows, LOD-SF-INT-ODATA, OData API Framework, How To