New article
Recently updated
Preventing users from editing attachments on active documents without following the draft and approval workflow
Who is this article for?
Administrators who need to prevent users from editing attachments on active documents without following the draft and approval workflow.
Required access: Administration, select Security, then People. Also access to the Document module.
This issue occurs when a user’s effective permissions allow attachment edits while a document is in active status. Restrict edit permissions to draft only to ensure all changes follow the revision and approval workflow.
1. Symptoms
- Users download a file from an active document, edit it, and their changes appear to overwrite the stored attachment.
- Test or support environments behave correctly in read‑only mode, while production does not, indicating a permissions configuration difference.
2. Expected control model
- Active documents must be read‑only. Users may view, download and print but must not be able to replace attachments.
- To change attachments, users must revise the document to create a draft, optionally use check‑out and check‑in, and route the updated version through approval.
3. Permissions to audit and how to set them
Review a user’s effective permissions and the rules applied within each group. Use status‑based rules to prevent edits when a document is active.
| Permission | What it allows | Recommended rule |
|---|---|---|
| Document Edit Attachment | Add, replace or delete attachments. | Restrict to draft (rule: document status = draft). Do not allow on active. |
| Document Edit | Edit document properties such as owner, author and related items. | Restrict to draft or restrict further by document type or department. Do not allow edits on active. |
| Document Revise and Document Check In/Out | Create a draft revision and manage check‑in/check‑out. | Assign only to roles authorised to change document content. |
| Document View, Attachment Save and Send, Document Read | View, download and print documents and attachments without replacing them. | Assign to general readers of active documents. |
4. Check a user’s effective permissions
- Open Administration, select Security, then People.
- Open the user, select Permissions and select View Effective.
- Check whether Document Edit Attachment or Document Edit applies to active documents.
- Open Administration, select Security, then Groups.
- Open each group the user belongs to and select View Effective to confirm inherited permissions and rules.
5. Tighten rules to block edits on active
- Open Administration, select Security, then Groups.
- Open the group that grants editing rights and edit the rule for Document Edit Attachment.
- Set document status = draft or draft and draft approved, depending on your workflow.
- Optionally restrict by document type or related department.
- Repeat the same configuration for Document Edit so that metadata cannot be edited on active documents.
- Apply your changes and test with the affected user profile.
6. Hardening checklist
- Readers only: Document Read, Document View and Attachment Save and Send. No edit permissions applied.
- Editors: Document Revise and Check In/Out, plus Document Edit Attachment and Document Edit restricted strictly to draft.
- Always confirm changes using View Effective at both user and group level.
7. Troubleshooting
- Edits still possible on active: Check whether another group includes editing permissions with a broad rule.
- Different behaviour across environments: Compare effective permissions side by side to identify mismatches.
- Users cannot revise: Ensure Document Revise and Document Check In/Out are assigned correctly.