How to use attachment categories

Create the rule and define the attachment types that can use the category. Do the following:

1. Create a new instance of Rule-Obj-AttachmentCategory. This rule is in the Security category. Specify the appropriate work class and a category name that defines the context in which the category will be used; for example ExpenseReport.
   
   You can use a new rule and its settings to override the attachment categories that were created prior to V5.5. This enables you to take advantage of the rule's new security features. To do so, enter the existing category's name in the Category Name field. Existing categories, if not upgraded, function as originally configured. See More about Attachment Category rules.
2. On the Availability tab in the rule form, select the attachment type checkboxes to which the category applies. For example, you can create a category that applies to all the standard types except for screenshot by deselecting the Screenshot checkbox.
   Do note leave all the Attachment Types fields blank in the Availability tab. Doing so makes the attachment category rule inaccessible.
   During processing, if the operator selects Attach a Screenshot in the Take Action section, the ExpenseReport category does not appear in the Category drop-down list. If no other custom screenshot categories are available, the standard screenshot attachment category appears as a grayed out selection in the display (unless you have overridden the standard rule using the same category name for your copy such as Screenshot, Note, and so on). The standard rule has no security settings.

Select the Security tab to configure the security settings. You can restrict user operations on attachments based on privileges and when rules entered in the Access Control List by Privilege and Access Control List by When arrays. The outcome of the evaluations determines whether the user can perform one or more of these operations:

• Create
• View
• Edit
• Delete (attachment created by any user)
• Delete Own (delete attachment created by the user)

Leave the entire array blank if you do not want to enable security to the category.

You can also configure the rule so that when operators add an attachment, they can specify which work groups can access that attachment regardless of the category rule settings.

Example 1: Using a when rule

In this example, you use a when rule to allow operators in the work object's organization unit the ability to add an attachment. They will not have read, write, or delete privileges.

1. Create an attachment category rule called Expense Report in your work class.
2. On the Security tab select only the Create checkbox enabling the operator to perform this operation if the when rule evaluates to true. Leave the other checkboxes empty.
3. Select a when rule in the Access Control List by When Rule section that will evaluate to true when you invoke the local action. In this example, the standard rule AnybodyInTheWorkObjectOrgUnit is used, which tests whether the operator's organization unit is on the object's work page.
4. On the Availability tab, select all the attachment type checkboxes.
5. In a flow rule, create an AttachANote local action in an assignment.
6. Run the flow. In the Take Action section on the work form, select the Attach a Note local action and enter text in the fields.
7. Select ExpenseReport in the Category drop-down list.
8. Click Submit.
9. Click the History and Attachment button ( ) to display the attachments list.
10. Select the note. A warning message displays stating that you do not have the necessary privileges to open it. In addition, the Delete button () is disabled (grayed out) because the category rule restricts that operation

If you use multiple when rules, permission is given only if they all evaluate to true.

Example 2: Using a when rule and a privilege

Using a combination of when rules and privileges, you can define conditions so that a specific requestor is allowed a specific capability while disallowing another. All when rules must evaluate to true before privileges are evaluated.

Using the above example, add the privilege ReconcileProblemWork in the Privileges Name array and select the Edit and View checkboxes. The settings allow the following:

• Operators with the privilege in the attachment organization can edit, view, and create an attachment as defined by the when rule
• Operators with the privilege but fail the when rule can only edit and view.
• Operators that pass the when rule but do not have the privilege can only create.

Do not leave all the operation checkboxes blank if you enter a when rule or a privilege. Doing so makes the category inaccessible.

Example 3: Using work group security at the attachment level

You may want to secure access to attachments on work objects that are routed to specific work groups. You can set the Enable Attachment Level Security option on the attachment category rule form to enforce this restriction. When adding an attachment in a local action, the operator can optionally specify one or more work groups that can access to the attachment (as defined by the rule's security settings). Operators in excluded work groups are restricted from all operations including add, view, edit, and delete. Attachment-level security takes effect after the attachment is added and the work object is submitted.

To test the option, do the following:

1. In the ExpenseReport attachment category rule, select all the operation checkboxes on the Security tab.
2. Keep the same when rule you used in Example 1.
3. Click the Enable Attachment Level Security checkbox.
4. Keep the settings on the Availability tab as used in Example 1.
5. Run the flow and attach a note in the assignment.
6. In the Take Action section, select the Enable Security checkbox. This displays the Category Limit access to: drop-down list.
7. Select a work group that you do not belong to.
8. Click Submit and open the attachment list.
9. Select the note. It does not open and a warning message displays even though you met the when rule condition defined by the category rule.

By default, this option does not include the operator's own work group. To enable access, the operator must add it to the work group access list.

You can update the Attachment Category rule form to modify access to existing attachments.

For instance, if you removed the privilege in the Expense Report category rule in Example 2, operators who formerly had read and edit access are then denied those operations when attempting to open an attachment in the category. Similarly, if you deselect the Enable Attachment Level Security option, the restriction is no longer in effect; the category rule applies to operators in all work groups.