Back Forward How to use attachment categories

When adding an attachment to a work item, you can assign an attachment category rule to it. Categories are applied when you invoke an attachment-related flow action (typically a local action) such as adding a note or a screen shot. The category signifies the business purpose of the attachment such as expense reports or medical claims. GRP-463

You configure a category rule to support specific attachment types (note, file, and so on) and restrict users from performing specific operations such as creating, viewing, editing, or deleting the attachment. You can also configure the rule so that the operator adding the attachment can restrict specific work groups from accessing it. Attachment categories can also be used to maintain document versions.

Create an Attachment Category rule

Create the rule and define the attachment types that can use the category. Do the following:

  1. Create a new Attachment Category rule (an instance of Rule-Obj-AttachmentCategory). This rule type is in the Security category. Specify the appropriate work class and a category name that defines the context in which the category will be used; for example ExpenseReport.

    You can use a new rule and its settings to override the attachment categories that were created prior to V5.5. This enables you to take advantage of the rule's new security features. To do so, enter the existing category's name in the Category Name field. Existing categories, if not upgraded, function as originally configured. See More about Attachment Category rules.
  2. On the Availability tab in the rule form, select the attachment type checkboxes to which the category applies. For example, you can create a category that applies to all the standard types except for screenshot by deselecting the Screenshot checkbox.
    Do note leave all the Attachment Types fields blank in the Availability tab. Doing so makes the attachment category rule inaccessible.
    During processing, if the operator selects Attach a Screenshot in the Take Action section, the ExpenseReport category does not appear in the Category drop-down list. If no other custom screenshot categories are available, the standard screenshot attachment category appears as a grayed out selection in the display (unless you have overridden the standard rule using the same category name for your copy such as Screenshot, Note, and so on). The standard rule has no security settings.

Define the security settings

Select the Security tab to configure the security settings. You can restrict user operations on attachments based on privileges and when rules entered in the Access Control List by Privilege and Access Control List by When arrays. The outcome of the evaluations determines whether the user can perform one or more of these operations:

Leave the entire array blank if you do not want to enable security to the category.

You can also configure the rule so that when operators add an attachment, they can specify which work groups can access that attachment regardless of the category rule settings.

Examples

Example 1: Using a when rule

In this example, you use a when rule to allow operators in the work item's organization unit the ability to add an attachment. They will not have read, write, or delete privileges.

  1. Create an attachment category rule called Expense Report in your work class.
  2. On the Security tab select only the Create checkbox enabling the operator to perform this operation if the when rule evaluates to true. Leave the other checkboxes empty.
  3. Select a when rule in the Access Control List by When Rule section that will evaluate to true when you invoke the local action. In this example, the standard rule AnybodyInTheWorkObjectOrgUnit is used, which tests whether the operator's organization unit is on the object's work page.
  4. On the Availability tab, select all the attachment type checkboxes.
  5. In a flow rule, create an AttachANote local action in an assignment.
  6. Run the flow. In the Take Action section on the work form, select the Attach a Note local action and enter text in the fields.
  7. Select ExpenseReport in the Category drop-down list.
  8. Click Submit.
  9. Click the History and Attachment button ( ) to display the attachments list.
  10. Select the note. A warning message displays stating that you do not have the necessary privileges to open it. In addition, the Delete button () is disabled (grayed out) because the category rule restricts that operation

If you use multiple when rules, permission is given only if they all evaluate to true.

Example 2: Using a when rule and a privilege

Using a combination of when rules and privileges, you can define conditions so that a specific requestor is allowed a specific capability while disallowing another. All when rules must evaluate to true before privileges are evaluated.

Using the above example, add the privilege ReconcileProblemWork in the Privileges Name array and select the Edit and View checkboxes. The settings allow the following:

Do not leave all the operation checkboxes blank if you enter a when rule or a privilege. Doing so makes the category inaccessible.

Example 3: Using work group security at the attachment level

You may want to secure access to attachments on work items that are routed to specific work groups. You can set the Enable Attachment Level Security option on the attachment category rule form to enforce this restriction. When adding an attachment in a local action, the operator can optionally specify one or more work groups that can access to the attachment (as defined by the rule's security settings). Operators in excluded work groups are restricted from all operations including add, view, edit, and delete. Attachment-level security takes effect after the attachment is added and the work item is submitted.

To test the option, do the following:
  1. In the ExpenseReport attachment category rule, select all the operation checkboxes on the Security tab.
  2. Keep the same when rule you used in Example 1.
  3. Click the Enable Attachment Level Security checkbox.
  4. Keep the settings on the Availability tab as used in Example 1.
  5. Run the flow and attach a note in the assignment.
  6. In the Take Action section, select the Enable Security checkbox. This displays the Category Limit access to: drop-down list.
  7. Select a work group that you do not belong to.
  8. Click Submit and open the attachment list.
  9. Select the note. It does not open and a warning message displays even though you met the when rule condition defined by the category rule.

By default, this option does not include the operator's own work group. To enable access, the operator must add it to the work group access list.

Updates to security settings

You can update the Attachment Category rule form to modify access to existing attachments.

For instance, if you removed the privilege in the Expense Report category rule in Example 2, operators who formerly had read and edit access are then denied those operations when attempting to open an attachment in the category. Similarly, if you deselect the Enable Attachment Level Security option, the restriction is no longer in effect; the category rule applies to operators in all work groups.

About attachment versioning

Assuming that the category's business purpose is clearly defined (invoice or expense report, for example), users can use categories to identify and maintain multiple document versions as described in the following example:

  1. A user opens a case, displays the Audit window, and clicks Add> Add a File in the Attachments sections to open the File Attachment pop-up dialog.
  2. In the dialog, the user selects the file, enters the name, selects the category (Invoice), and clicks OK to attach the document.
  3. Later, another user (with edit and create privileges) opens the same case, opens the attached document, saves a copy locally, and edits it.
  4. The user then uses the pop-up dialog to add the revised copy as a new attachment. The user enters a name (the original name can be used — the date/time stamp differentiates them), selects the Invoice category, selects the revised document, and clicks OK to add the new version.

    Under the Invoice category array, the new version appears above the original.

Users can review any version. Outgoing email activities send only the top/latest version. See About audit trails, case narratives, and attachments.

To associate an attachment category with a case type, use the Attachments option on the Case Explorer Details tab. See Case Type rules - Completing the Attachment Categories tab.

Definitionsattachment, attachment type, work type, sample application
Related topicsAbout Access of Role to Object rules
About Attachment Category rules
About Privilege rules

UpProcess category