Show all
When adding an attachment to a work object, you can assign an attachment category rule to
it. Categories are applied when you invoke an attachment-related flow action (typically a local action) such as adding a note or a screen shot. The category signifies the business purpose of the attachment such as expense reports or medical claims.
You configure a category rule to support specific attachment types (note, file, and so on) and restrict users from performing specific operations such as creating, viewing, editing, or deleting the attachment. You can also configure the rule so that the operator adding the attachment can restrict specific work groups from accessing it.
Create an Attachment Category rule
Create the rule and define the attachment types that can use the category. Do the following:
- Create a new instance of Rule-Obj-AttachmentCategory. This rule is in the Security category. Specify the appropriate work class and a category name that defines the context in which the category will be used; for example ExpenseReport.
You can use a new rule and its settings to override the attachment categories that were created prior to V5.5. This enables you to take advantage of the rule's new security features. To do so, enter the existing category's name in the Category Name field. Existing categories, if not upgraded, function as originally configured. See More about Attachment Category rules. - On the Availability tab in the rule form, select the attachment type check boxes to which the category applies. For example, you can create a category that applies to all the standard types except for screenshot by deselecting the Screenshot check box.
Do note leave all the Attachment Types fields blank in the Availability tab. Doing so makes the attachment category rule inaccessible.
During processing, if the operator selects Attach a Screenshot in the Take Action section, the ExpenseReport category does not appear in the Category drop-down list.
If no other custom screenshot categories are available, the standard screenshot attachment category appears as a grayed out selection in the display (unless you have overridden the standard rule
using the same category name for your copy such as Screenshot, Note, and so on). The standard rule has no security settings.
Define the security settings
Select the
Security tab to configure the security settings. You can
restrict user operations on attachments based on privileges and when rules entered in the
Access Control List by Privilege and
Access Control List by When arrays.
The outcome of the evaluations determines whether the user can perform one or more of these operations:
- Create
- View
- Edit
- Delete (attachment created by any user)
- Delete Own (delete attachment created by the user)
Leave the entire array blank if you do not want to enable security to the category.
You can also configure the rule so that when operators add an attachment, they can specify which work groups can access that attachment regardless of the category rule settings.
Examples
Example 1: Using a when rule
In this example, you use a when rule to allow operators in the work object's organization unit the ability to add an attachment. They will not have read, write, or delete privileges.
- Create an attachment category rule called Expense Report in your work class.
- On the Security tab select only the Create check box enabling the operator to perform this operation if the when rule evaluates to true. Leave the other check boxes empty.
- Select a when rule in the Access Control List by When Rule section that will evaluate to true when you invoke the local action. In this example, the standard rule AnybodyInTheWorkObjectOrgUnit is used, which tests whether the operator's organization unit is on the object's work page.
- On the Availability tab, select all the attachment type check boxes.
- In a flow rule, create an AttachANote local action in an assignment.
- Run the flow. In the Take Action section on the work form, select the Attach a Note local action and enter text in the fields.
- Select ExpenseReport in the Category drop-down list.
- Click Submit.
- Click the History and Attachment button ( ) to display the attachments list.
- Select the note. A warning message displays stating that you do not have the necessary privileges to open it. In addition, the Delete button ( ) is disabled (grayed out) because the category rule restricts that operation.
Example 2: Using a when rule and a privilege
Using a combination of when rules and privileges, you can define conditions so that a specific requestor is allowed a specific capability while disallowing another.
Using the above example, add the privilege ReconcileProblemWork in the Privileges Name array and select the Edit and View check boxes. The settings allow the following:
- Operators with the privilege in the attachment organization can edit, view, and create an attachment as defined by the when rule
- Operators with the privilege but fail the when rule can only edit and view.
- Operators that pass the when rule but do not have the privilege can only create.
Do not leave all the operation check boxes blank if you enter a when rule or a privilege. Doing so makes the category inaccessible.
Example 3: Using work group security at the attachment level
You may want to secure access to attachments on work objects that are routed to specific work groups. You can set the Enable Attachment Level Security option on the attachment category rule form to enforce this restriction. When adding an attachment in a local action, the operator can optionally specify one or more work groups that can access to the attachment (as defined by the rule's security settings). Operators in excluded work groups are restricted from all operations including add, view, edit, and delete. Attachment-level security takes effect after the attachment is added and the work object is submitted.
To test the option, do the following:
- In the ExpenseReport attachment category rule, select all the operation check boxes on the Security tab.
- Keep the same when rule you used in Example 1.
- Click the Enable Attachment Level Security check box.
- Keep the settings on the Availability tab as used in Example 1.
- Run the flow and attach a note in the assignment.
- In the Take Action section, select the Enable Security check box. This displays the Category Limit access to: drop-down list.
- Select a work group that you do not belong to.
- Click Submit and open the attachment list.
- Select the note. It does not open and a warning message displays even though you met the when rule condition defined by the category rule.
By default, this option does not include the operator's own work group. To enable access, the operator must add it to the work group access list.
Updates to security settings
You can update the Attachment Category rule form to modify access to existing attachments.
For instance, if you removed the privilege in the Expense Report category rule in Example 2, operators who formerly had read and edit access would be denied those operations when attempting to open an attachment in the category. Similarly, if you deselect the Enable Attachment Level Security option, the restriction is no longer in effect; the category rule applies to operators in all work groups.
Process category