SAP Knowledge Base Article - Public

3045383 - OData API: No permission to access the attached file [attachment_name.pdf]. Attachment in field [cust_attachmentField] does not belong to the user [userId]. with the index 0

Symptom

You are upserting data to a custom MDF object (e.g. cust_ProgressiveDisciplinaryAction) via OData API.

  • One of fields in the custom MDF is defined as Type: Attachment (e.g cust_AttachmentNav):
      

      
  • You receive an error like below when upserting attachment data to the field defined as Type: Attachment
     
    No permission to access the attached file [attachmentName.pdf]. Attachment in field [cust_attachmentField] does not belong to the user [API_USER]. with the index 0 
   

Environment

  • SAP SuccessFactors HXM Core
  • OData API

  

Reproducing the Issue

Performing an upsert (with user: API_USER) similar to the following results in the error shown in title & symptom section

(i.e. creating a new cust_ProgressiveDisciplinaryAction record for user: ChanA and associating this record with attachmentId=8361 which already exists in the Attachment object)

  
1. OData API Request Payload Example:
  
POST https://apisalesdemo4.successfactors.com/odata/v2/upsert?$format=json
  
{
    "__metadata": {
        "uri": "cust_ProgressiveDisciplinaryAction",
        "type": "SFOData.cust_ProgressiveDisciplinaryAction"
    },
    "effectiveStartDate": "/Date(1562740107000)/",
    "externalCode": "ChanA",
    "cust_AttachmentsNav":{"__metadata":
    {
        "uri":"Attachment(attachmentId=8361)"
        }
    }
}
 
  
2. OData API Response Payload Example:
  
{
    "d": [
        {
            "key": "cust_ProgressiveDisciplinaryAction/effectiveStartDate=2019-07-10T00:00:00.000-04:00,cust_ProgressiveDisciplinaryAction/externalCode=ChanA",
            "status": "ERROR",
            "editStatus": null,
            "message": "No permission to access the attached file Testpdf2.pdf. Attachment in field cust_Attachments does not belong to the user API_USER. with the index 0",
            "index": 0,
            "httpCode": 500,
            "inlineResults": null
        }
    ]
}
   

Cause

The error is thrown because userId value stored in Attachment(8361) is not the user: API_USER who is creating the cust_ProgressiveDisciplinaryAction record

The user: API_USER is not authorized to access this attachment because the userId field maintained in this attachment is not "API_USER"

  

Resolution

The user who is creating the custom MDF record must be the same user who is maintained in the userId field of the Attachment object/entity.

  

Additional Note: As a workaround / alternative for such use-cases (custom MDF with associated Attachments)

  • You can also validate the use of OAuth 2.0 Authentication - this would result in the user creating their own custom MDF record
      
  • This could be useful in situations where existing Attachment records that already reference an employee's userId need to be associated to custom MDF object records

  

Keywords

OData, API, upsert, Attachment, attachmentId, custom, cust_, MDF, userId, permission, does not belong to,  , KBA , LOD-SF-INT-ODATA , OData API Framework , Problem

Product

SAP SuccessFactors HXM Core all versions