In testing Row-level Security to restrict users from accessing certain Customers and their related transactions, I found that if you attach any files to a Customer’s transactions, those files are visible and accessible via Search for users who are actually restricted from those Customers. Even though the restricted users can’t see or access the Customer and their transactions, they can see all file attachments to those Customers and transactions that are restricted.
The only way I can tell to address this hole is to restrict access to the File Maintenance screen to all users and hope that plugs the hole and doesn’t restrict them from adding attachments to records. Testing will hopefully produce results in our favor.
Anyone run into this before and have a strong understanding of how to work with it so that attachments follow the same Row-level Restrictions as the Entities and Records they are attached to?