Show
all
When adding an attachment to a
work object, you can assign an attachment category rule to it.
Categories are applied when you invoke an attachment-related flow action
(typically a local action) such as adding a note or a screen shot. The
category signifies the business purpose of the attachment such as expense
reports or medical claims. GRP-463
You configure a category rule to support specific attachment types
(note, file, and so on) and restrict users from performing specific
operations such as creating, viewing, editing, or deleting the
attachment. You can also configure the rule so that the operator adding
the attachment can restrict specific work groups from accessing it.
Create an
Attachment Category rule
Create the rule and define the attachment types that can use the
category. Do the following:
- Create a new instance of
Rule-Obj-AttachmentCategory. This rule is in the
Security category. Specify the appropriate work class and a
category name that defines the context in which the category will
be used; for example ExpenseReport.
You can use a new rule and its settings to override the attachment
categories that were created prior to V5.5. This enables you to
take advantage of the rule's new security features. To do so,
enter the existing category's name in the Category
Name field. Existing categories, if not upgraded, function
as originally configured. See More
about Attachment Category rules. - On the Availability tab in the rule
form, select the attachment type checkboxes to which the category
applies. For example, you can create a category that applies to all
the standard types except for screenshot by deselecting the
Screenshot checkbox.
Do note leave all the Attachment Types
fields blank in the Availability tab.
Doing so makes the attachment category rule inaccessible.
During processing, if the operator selects Attach a Screenshot in
the Take Action section, the ExpenseReport category does not appear
in the Category drop-down list. If no other custom screenshot
categories are available, the standard screenshot attachment
category appears as a grayed out selection in the display (unless
you have overridden the standard rule using the same category name
for your copy such as Screenshot, Note, and so on). The standard
rule has no security settings.
Define the security
settings
Select the
Security tab to configure the
security settings. You can
restrict
user operations on attachments based on privileges and when rules
entered in the
Access Control List by Privilege and
Access Control List by When arrays. The outcome of
the evaluations determines whether the user can perform one or more of
these operations:
- Create
- View
- Edit
- Delete (attachment created by any user)
- Delete Own (delete attachment created by the user)
Leave the entire array blank if you do not want to enable security
to the category.
You can also configure the rule so that when operators add an
attachment, they can specify which work groups can access that
attachment regardless of the category rule settings.
Examples
Example 1: Using a when rule
In this example, you use a when rule to allow operators in the work
object's organization unit the ability to add an attachment. They
will not have read, write, or delete privileges.
- Create an attachment category rule called Expense Report
in your work class.
- On the Security tab select only the
Create checkbox enabling the operator to perform
this operation if the when rule evaluates to true. Leave the other
checkboxes empty.
- Select a when rule in the Access Control List by When Rule
section that will evaluate to true when you invoke the local
action. In this example, the standard rule
AnybodyInTheWorkObjectOrgUnit is used, which tests
whether the operator's organization unit is on the object's
work page.
- On the Availability tab, select all
the attachment type checkboxes.
- In a flow rule, create an AttachANote local action in an
assignment.
- Run the flow. In the Take Action section on the work form,
select the Attach a Note local action and enter text in the
fields.
- Select ExpenseReport in the Category drop-down
list.
- Click Submit.
- Click the History and Attachment button ( ) to display the attachments list.
- Select the note. A warning message displays stating that you do
not have the necessary privileges to open it. In addition, the
Delete button ( ) is disabled
(grayed out) because the category rule restricts that
operation
If you use multiple when rules, permission is given only if they all evaluate to true.
Example 2: Using a when rule and a privilege
Using a combination of when rules and privileges, you can define
conditions so that a specific requestor is allowed a specific
capability while disallowing another. All when rules must evaluate to true before privileges are evaluated.
Using the above example, add the privilege
ReconcileProblemWork in the Privileges
Name array and select the Edit and
View checkboxes. The settings allow the
following:
- Operators with the privilege in the attachment organization can
edit, view, and create an attachment as defined by the when
rule
- Operators with the privilege but fail the when rule can only
edit and view.
- Operators that pass the when rule but do not have the privilege
can only create.
Do not leave all the operation checkboxes
blank if you enter a when rule or a privilege. Doing so makes the
category inaccessible.
Example 3: Using work group security at
the attachment level
You may want to secure access to attachments on work objects that
are routed to specific work groups. You can set the Enable
Attachment Level Security option on the attachment category
rule form to enforce this restriction. When adding an attachment in a
local action, the operator can optionally specify one or more work
groups that can access to the attachment (as defined by the rule's
security settings). Operators in excluded work groups are restricted
from all operations including add, view, edit, and delete.
Attachment-level security takes effect after the attachment is added
and the work object is submitted.
To test the option, do the
following:
- In the ExpenseReport attachment category rule, select all the
operation checkboxes on the Security
tab.
- Keep the same when rule you used in Example 1.
- Click the Enable Attachment Level Security
checkbox.
- Keep the settings on the Availability tab as used in Example 1.
- Run the flow and attach a note in the assignment.
- In the Take Action section, select the Enable
Security checkbox. This displays the Category
Limit access to: drop-down list.
- Select a work group that you do not belong to.
- Click Submit and open the attachment
list.
- Select the note. It does not open and a warning message
displays even though you met the when rule condition defined by the
category rule.
By default, this option does not include the operator's
own work group. To enable access, the operator must add it to the work
group access list.
Updates to security
settings
You can update the Attachment Category rule form to modify access
to existing attachments.
For instance, if you removed the privilege in the Expense Report
category rule in Example 2, operators who formerly had read and edit
access are then denied those operations when attempting to open an
attachment in the category. Similarly, if you deselect the
Enable Attachment Level Security option, the
restriction is no longer in effect; the category rule applies to
operators in all work groups.
Process category