Manage Attachment Security
The privileges for accessing the attachments of an item are by default inherited from business objects.
You can further define the security of item attachments so that different users can have access to the same item but only have access to certain categories of attachments to that item. For example, there may be multiple categories of objects (such as specifications, drawings, or financial documents) attached to an item. There may be multiple users such as buyer, design engineer, or accountant who have access privileges to the item. Though they all may have the same access to the item itself, their access to the attached objects may need to be restricted by attachment category. By default, all job roles are granted access to the predefined attachment category Miscellaneous.
Any security policy defined for an attachment category is enforced on all business objects to which the attachment category is associated only if those business objects are enabled for attachment security.
To provide attachment security, perform the following tasks:
- These tasks aren't specific to attachment security, but are required prerequisites, to be performed once for each attachment category:
  - Create attachment categories.
  - Assign the attachment categories to item classes.
- These tasks are specific to attachment security:
  - Define data security policies, which apply to attachment categories.
  - Enable data security policies for selected business objects.
Creating Attachment Categories
Attachment data security is implemented by using attachment categories. Attachment categories affect access to attachments through the item classes for the items being edited. Attachment data security can be assigned individually at the user level. It can also be assigned at the group level through job roles. You create attachment categories using the Manage Attachment Categories task in the Setup and Maintenance work area. You associate each attachment category with attachment entities that represent business objects: items, item revisions, catalogs, categories, and trading partner items.
Assigning Attachment Categories to Item Classes
You assign attachment categories to item classes using the Manage Item Classes task in the Setup and Maintenance work area. While editing an item class, you associate it with one or more attachment categories for which you want to provide security. This association is required only for attachment categories that are associated with attachment entities at the item level and item revision level. Since attachment categories are inherited down through the item class hierarchy, you can associate an attachment category with all item classes by assigning it to the Root Item Class.
Defining Data Security Policies
A data security policy is defined by a set of allowable actions on a database resource (such as an attachment category) for a job role. When that role is provisioned to a user, the user has access to the data defined by the policy. That is, an attachment data security policy defines who (defined as a job role) can perform what operations (such as read, update, or delete) on which set of attachment categories, according to a defined condition.
To define a data security policy for an attachment category:
1. Sign in as IT security manager.
2. In the Setup and Maintenance work area, go to the following:
   - Offering: Product Management
   - Functional Area: Users and Security or Application Extensions
   - Task: Manage Data Security Policies
   The Security Console is automatically launched by the Manage Data Security Policies task. You can also open the Security Console directly from the Navigator.
3. On the General subtab of the Administration tab of the Security Console, click Manage Database Resources.
   A database resource defines an instance of a data object. A data object is a table, view, or flexfield.
4. On the Manage Database Resources and Policies page, search for the Display Name equal to Application Attachment Category. The category appears in the search results, with an Object Name of FND_DOCUMENT_CATEGORIES.
   The data security policies defined for the selected database resource appear in the Policies Details region.
5. In the Search Results region for the selected database resource, select Edit from the Actions menu.
6. On the Condition tab of the Edit Data Security page, select Create from the Actions menu.
7. In the Create Database Resource Condition dialog box, name the condition and specify the attachment categories in scope for the data security policy.
   The following table suggests values for an example condition:

   | Field | Value |
   | --- | --- |
   | Name | IPDrawings |
   | Display Name | IPDrawings |
   | Description | IP Drawings-Restricted to R&D |
   | Condition Type | SQL predicate (you can also specify the condition as a filter on a table or view) |
   | SQL Predicate | category_name in ('Sketches') |

   The SQL predicate consists of a query on the table or view named by the database resource (in this example, FND_DOCUMENT_CATEGORIES). The category name specified in the predicate must exactly match the name that you specified when you created the attachment category.
8. On the Policy tab of the Edit Data Security page, select Create from the Actions menu.
9. On the General Information tab of the Create Policy dialog box, specify the module. By default, the Module field is the module associated with the database resource for which you're creating the policy.
10. On the Role tab of the Create Policy dialog box, select fscm in the Application list, then search for and select the role names to be assigned the new policy.
11. On the Rule tab of the Create Policy dialog box, select Multiple Values in the Row Set field, then, in the Condition field, search for and select the name of the condition that you created (in the example here, Secured Attachments for Product Hub).
12. On the Action tab of the Create Policy dialog box, move actions from the Available Actions list to the Selected Actions list to specify the actions that are applicable to the data secured on the database resource, which you want to grant to the roles you selected.
13. On the Edit Data Security page, click Submit to update the database resource FND_DOCUMENT_CATEGORIES.
14. On the Manage Database Resources and Policies page, click Done.
Enabling Attachment Data Security for Business Objects
You can enable and disable attachment security at the level of business objects. When you enable attachment security for a specific business object, attachment security is enforced for every attachment category assigned to the business object. Note that, by default, all job roles are granted access to the predefined attachment category Miscellaneous.
To enable your data security policies on attachment categories:
1. Sign in with implementation consultant privileges.
2. In the Setup and Maintenance work area, go to the following:
   - Offering: Product Management
   - Functional Area: Application Extensions
   - Task: Manage Applications Core Attachment Entities
3. On the Manage Attachment Entities page, search for and select each of the attachment entities that you previously assigned to the attachment categories that you created. Attachment entities represent business objects: items, item revisions, catalogs, categories, and trading partner items.
   Enter one of the following attachment entity names in the Entity Name field and click Search. The attachment category that you created should appear in the Attachment Categories region for the selected attachment entity.

   | Business Object Attachment Association Level | Attachment Entity Name |
   | --- | --- |
   | Item Level | ITEM_ENTITY |
   | Item Revision Level | ITEM_REVISION_ENTITY |
   | Trading Partner Level | EGP_TRADING_PARTNER_ITEMS |
   | Catalog Level | CATALOG_ENTITY |
   | Category Level | CATEGORY_ENTITY |

4. For each selected attachment entity in the search results, click Enable Security.
5. When you have enabled security on all the desired attachment entities, click Save and Close.
6. On the Setup page, search for and open the Run User and Roles Synchronization Process task from the Initial Users functional area.
7. Submit the scheduled process to complete enabling security on attachments.
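The two procedures above (defining a policy as role + condition + actions, then enabling security per attachment entity) combine into a single access decision that is easy to get wrong, for instance by mistyping a category name in the predicate or forgetting to click Enable Security on an entity. The following is an added illustration, not Oracle code and not how the application implements the check internally: a small Python model of that decision so the pieces can be reasoned about offline. Only the condition name IPDrawings, the category 'Sketches', the Miscellaneous default and the entity names come from the page; the role names, the second and third policies and the set of secured entities are constructed sample data, and the model assumes the caller has already verified access to the item itself.

```python
# Added illustration (not Oracle code): a toy evaluator for the attachment
# data security decision described on the page. Role names, the Buyer and
# Accountant policies and SECURED_ENTITIES are constructed sample data.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    role: str          # job role the policy is granted to
    condition: str     # SQL predicate, e.g. "category_name in ('Sketches')"
    actions: frozenset  # e.g. {"read", "update", "delete"}


# Predefined category that every job role can access by default (from the page).
OPEN_CATEGORY = "Miscellaneous"

_IN_PREDICATE = re.compile(r"\s*category_name\s+in\s*\((.*)\)\s*", re.IGNORECASE)


def categories_in_scope(condition: str) -> frozenset:
    """Parse the one predicate shape the page uses: category_name in ('A', 'B').

    Any other shape is rejected rather than guessed at: a silently mis-parsed
    condition would widen or narrow the policy without anyone noticing.
    """
    m = _IN_PREDICATE.fullmatch(condition)
    if not m:
        raise ValueError(f"unsupported predicate shape: {condition!r}")
    return frozenset(re.findall(r"'([^']*)'", m.group(1)))


def unmatched_categories(policies, defined_categories) -> set:
    """Names used in predicates that match no created attachment category.

    The page requires an exact match; a typo means the policy grants nothing.
    """
    used = set().union(*(categories_in_scope(p.condition) for p in policies))
    return used - set(defined_categories)


def is_allowed(user_roles, entity, category, action, policies, secured_entities) -> bool:
    """May a user who already has access to the business object perform
    `action` on one of its attachments in `category`?

    Assumption: item-level access was checked by the caller; this models
    only the attachment-category layer.
    """
    # Policies are enforced only on entities where Enable Security was clicked;
    # elsewhere the attachment simply inherits the business object's privileges.
    if entity not in secured_entities:
        return True
    if category == OPEN_CATEGORY:
        return True
    return any(
        p.role in user_roles
        and action in p.actions
        and category in categories_in_scope(p.condition)
        for p in policies
    )


# Constructed sample data.
DEFINED_CATEGORIES = {"Miscellaneous", "Sketches", "Financial Documents"}
POLICIES = [
    Policy("Design Engineer", "category_name in ('Sketches')",
           frozenset({"read", "update", "delete"})),
    Policy("Buyer", "category_name in ('Financial Documents')", frozenset({"read"})),
    # Hypothetical typo: 'Sketch' is not a created category, so this grants nothing.
    Policy("Accountant", "category_name in ('Sketch')", frozenset({"read"})),
]
SECURED_ENTITIES = {"ITEM_ENTITY", "ITEM_REVISION_ENTITY"}


def demo() -> dict:
    """Run the buyer / design engineer scenarios from the page's example."""
    def check(roles, entity, cat, act):
        return is_allowed(roles, entity, cat, act, POLICIES, SECURED_ENTITIES)

    return {
        "engineer_reads_sketch": check({"Design Engineer"}, "ITEM_ENTITY", "Sketches", "read"),
        "buyer_reads_sketch": check({"Buyer"}, "ITEM_ENTITY", "Sketches", "read"),
        "buyer_reads_financial": check({"Buyer"}, "ITEM_REVISION_ENTITY", "Financial Documents", "read"),
        "buyer_updates_financial": check({"Buyer"}, "ITEM_REVISION_ENTITY", "Financial Documents", "update"),
        "buyer_reads_misc": check({"Buyer"}, "ITEM_ENTITY", "Miscellaneous", "read"),
        # CATALOG_ENTITY was never enabled for security, so no policy is applied there.
        "buyer_reads_sketch_on_catalog": check({"Buyer"}, "CATALOG_ENTITY", "Sketches", "read"),
        "accountant_reads_sketch": check({"Accountant"}, "ITEM_ENTITY", "Sketches", "read"),
        "typo_categories": sorted(unmatched_categories(POLICIES, DEFINED_CATEGORIES)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the two failure modes the page's notes warn about: the Accountant policy grants nothing because 'Sketch' does not exactly match the created category, and the Buyer can still read Sketches attached to a catalog because CATALOG_ENTITY was not enabled for security, so the policy on FND_DOCUMENT_CATEGORIES is never consulted there.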