Skip to main content

In testing Row-level Security to restrict users from accessing certain Customers and their related transactions, I found that if you attach any files to a Customer’s transactions those files are visible and accessible via Search for users who are actually restricted from those Customers.  Even though the restricted users can’t see or access the Customer and their transactions they can see all file attachments to those Customers and transactions that are restricted.

The only way I can tell to address this hole is to restrict access to the File Maintenance screen to all users and hope that plugs the hole and doesn’t restrict them from adding attachments to records.  Testing will hopefully produce results in our favor.

Anyone run into this before and have a strong understanding on how to work with it so that attachments follow the same Row-level Restrictions as the Entities and Records they are attached to?

@darinpaulsacumatica76 

We are looking into the same question.

We need to restrict people form seeing confidential attachments.

Thank you!


@mstuber64 

It seems that, at least in recent versions, the files attached to the Entity in the Restriction, in our case Customers, are indeed blocked from Users not in the Restriction Group.  The Transaction attachments are not.  We were able to restrict access to “File Maintenance” to block those restricted users from Files attached to Transactions and it did NOT prevent them from attaching their own files to the Entities they are allowed access to, but of course will restrict them from any actions that the File Maintenance Screen provides such as version management, deleting files, etc.  See if you can confirm the same.


@darinpaulsacumatica76 

Thank you for this additional information.

Once our customer decides how they want to handle the security and we are able to test this, I will get back to you with the results.

 


Reply