Admins can enable attachments by document type, either at the base document level or for individual types, subtypes, and classifications. Admins can also enable attachments on any standard or custom object through the object configuration.

Contact Veeva Support to enable the Attachments relationship type to be source version-specific, target version-specific, or both. When attachments become source version-specific, Vault assigns any pre-existing attachments to the latest and latest Steady state versions of their source documents. When attachments become target version-specific, Vault assigns all attachment versions to corresponding document versions. Vault sends you a notification when the assignment job completes. Vault also logs assignments in the audit trail so that you can see which attachment versions relate to which document versions.

By default, Vault controls attachment interaction with role-based document permissions.

  • Document: View Document permission allows users to view and download attachments.
  • Document: Edit Relationships permission allows users to add, delete, and version document attachments.

Permission sets assigned through the security profile control how users interact with object record attachments:

  • Object: Read permission allows any user who can access an object record (through Business Admin > Objects or through a custom tab) to view and download attachments.
  • Object: Edit permission (assigned individually for each object type) allows users to add, delete, and version object record attachments.

Securing Object Attachments

Securing object attachments gives you more control over how users in your Vault can interact with attachments on object records. This includes deleting, uploading, and viewing attachments.

To enable attachment security on an object, navigate to Admin > Configuration > Objects > [Object] > Details and select the Use Action Security to control attachments checkbox. This checkbox is only available if the Allow attachments setting is enabled on the object first. This option is off by default when creating custom objects. With this option disabled, attachment security functions as it did in previous releases.

When you enable this setting, Vault adds the following object actions to the object:

  • Attachments: Delete
  • Attachments: Edit Descriptions
  • Attachments: Upload
  • Attachments: View and Download

You can then edit permissions for these actions for applicable permission sets.

Permission

Access Details

Attachments: Delete: View

Users can see the Delete action on an attachment but cannot use it.

Attachments: Delete: Execute

Users can see and use the Delete action on an attachment.

Attachments: Edit Descriptions: View

Users can see the Edit Description icon but cannot use it.

Attachments: Edit Descriptions: Execute

Users can see and use the Edit Descriptions icon.

Attachments: Upload: View

Users can see the Upload button in the Attachments section and the Restore action on the attachment's version history but cannot use either.

Attachments: Upload: Execute

Users can see and use the Upload button in the Attachments section and the Restore action on an attachment.

Attachments: View and Download: View

Users can see and interact with the Attachments section and view attachments in the viewer. Users cannot see the Download button.

Attachments: View and Download: Execute

Users can see and interact with the Attachments section and view attachments in the viewer. Users can see and use the Download button.

  • For each attachment action, if a user has neither View nor Execute permission, the associated action, section, or button will not be visible.
  • If a permission set grants Edit or Delete permission on the object, all of the above actions will have Execute permission by default. If the permission set grants only Read permission, the Attachments: View and Download action will have Execute permission by default.
  • Disabling the Use Action Security to control attachments setting removes these object actions from the object and deletes permission set entries that reference these actions. Additionally, attachment security will default to its legacy behavior.
  • For further security, enable Atomic Security on the object to control attachment actions by lifecycle and/or roles.