# Configuring Attachments

Admins can enable attachments by document type, either at the base document level or for individual types, subtypes, and classifications. Admins can also enable attachments on any standard or custom object through the object configuration.

Contact Veeva Support to enable the Attachments relationship type to be source version-specific, target version-specific, or both. When attachments become source version-specific, Vault assigns any pre-existing attachments to the latest and latest Steady state versions of their source documents. When attachments become target version-specific, Vault assigns all attachment versions to corresponding document versions. Vault sends you a notification when the assignment job completes. Vault also logs assignments in the audit trail so that you can see which attachment versions relate to which document versions.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Enabling version-specific relationships for attachments cannot be undone.</p>
    </div>
  </div>
</div>



## Related Permissions

By default, Vault controls attachment interaction with role-based document permissions.

  * Document: View Document permission allows users to view and download attachments.
  * Document: Edit Relationships permission allows users to add, delete, and version document attachments.

Permission sets assigned through the security profile control how users interact with object record attachments:

  * Object: Read permission allows any user who can access an object record (through **Business Admin > Objects** or through a custom tab) to view and download attachments.
  * Object: Edit permission (assigned individually for each object type) allows users to add, delete, and version object record attachments.

## Securing Object Attachments {#secure}

Securing object attachments gives you more control over how users in your Vault can interact with attachments on object records. This includes deleting, uploading, and viewing attachments.

To enable attachment security on an object, navigate to **Admin > Configuration > Objects > [Object] > Details** and select the **Use Action Security to control attachments** checkbox. This checkbox is only available if the **Allow attachments** setting is enabled on the object first. This option is off by default when creating custom objects. With this option disabled, attachment security functions as it did in previous releases.

When you enable this setting, Vault adds the following object actions to the object:

  * _Attachments: Delete_
  * _Attachments: Edit Descriptions_
  * _Attachments: Upload_
  * _Attachments: View and Download_

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Admins can only add and remove these actions using the <strong>Use Action Security to control attachments</strong> checkbox.</p>
    </div>
  </div>
</div>



You can then edit permissions for these actions for applicable permission sets.

| Permission| Access Details |
| --- | --- |
| _Attachments: Delete: View_ | Users can see the _Delete_ action on an attachment but cannot use it. |
| _Attachments: Delete: Execute_ | Users can see and use the _Delete_ action on an attachment. |
| _Attachments: Edit Descriptions: View_ | Users can see the _Edit Description_ icon but cannot use it. |
| _Attachments: Edit Descriptions: Execute_ | Users can see and use the _Edit Descriptions_ icon. |
| _Attachments: Upload: View_ | Users can see the _Upload_ button in the _Attachments_ section and the _Restore_ action on the attachment's version history but cannot use either. |
| _Attachments: Upload: Execute_ | Users can see and use the _Upload_ button in the _Attachments_ section and the _Restore_ action on an attachment. |
| _Attachments: View and Download: View_ | Users can see and interact with the _Attachments_ section and view attachments in the viewer. Users cannot see the _Download_ button. |
| _Attachments: View and Download: Execute_ | Users can see and interact with the _Attachments_ section and view attachments in the viewer. Users can see and use the _Download_ button. |

  * For each attachment action, if a user has neither _View_ nor _Execute_ permission, the associated action, section, or button will not be visible.
  * If a permission set grants _Edit_ or _Delete_ permission on the object, all of the above actions will have _Execute_ permission by default. If the permission set grants only _Read_ permission, the _Attachments: View and Download_ action will have _Execute_ permission by default.
  * Disabling the _Use Action Security to control attachments_ setting removes these object actions from the object and deletes permission set entries that reference these actions. Additionally, attachment security will default to its legacy behavior.
  * For further security, enable _Atomic Security_ on the object to control attachment actions by lifecycle and/or roles.