We have a requirement wherein we want the user to read, edit and delete attachments in the opportunities which are created by him.
We are trying to use Auth object CRM_ORD_OP with Partner function category as 0008, but it is not working. The user is able to read attachments from any document as of now.
Also, we have another option to implement a BAdI: CRM_DOC_AUTHORITY, in which we can write some logic.
I want some suggestions from you. Which is the right approach? Can we restrict the user only using auth objects?
If you have objects CRM_ORD_LP and CRM_ORD_OE inactive and in CRM_ORD_OP have maintained only this combination (for example):
Partner Function *
Partner Function Category 0008
then this should work 100%, because that means that the user will be able to open only his opportunities and consequently only these attachments.
But be sure that the user doesn't also have privileges for authorization objects CRM_ORD_LP and CRM_ORD_OE in some other PFCG role.
And if you just change the PFCG role, also be sure to reset buffers with /$sync, otherwise you can still have old privileges in the cache.