Simplifying and Securing Attachments in Sage X3

By: | Category: ERP

Files can be attached to any standard Sage X3 object-based function such as Sales Orders, Customers, Invoices, etc. through the Attachments button.

With Sage X3 2022 R4 (12.0.32), Sage introduced some changes to the attachments option which can be enabled optionally. Specifically, the user interface has been simplified to upload files in a single action without having to perform manual tasks. In addition, the storage of attachments has been secured in an administrative storage area rather than an open volume. And lastly, filenames are now controlled in a more consistent manner before uploading attachments.

Although those changes are optional, we strongly recommend you read the following how-to guide and activate these changes to enable secure attachments and improve the overall security of your information system.


These changes can be activated in the General Parameters menu:

  • Go to Setup > General Parameters > Parameter Values
  • Select the SUP chapter
  • Select details for the ATC (Attachments) section
  • Select Yes for parameter value ATTSECUR (Attachment protection)

This will enable the changes outlined above starting the next login. This will apply to any new attachments. Existing attachments will not be changed by the system.


 Reminder: This is enabled only of the ATTSECUR (Attachment protection) parameter value is active.

The attachments window has been simplified as follows:



The attachments list is now simpler, and the user has two options to upload a new attachment to the record:

  • Upload file: This uploads an attachment directly from the user’s local device and lists it immediately in the attachments table with no additional user entry required. The user can either select a file through the browser’s selection window, or drag a file onto the upload section of the screen. When uploaded, the file appears in the attachments list with its filename (Document name), Type (from the extension if present), and a default Category set to Confidential (This can be changed by the user and is informative only).
  • Select file: This opens an additional window where the user can select a file from an existing volume on the server (or to upload a file from the local device onto a volume on the server), as with previous Sage X3 releases.


Reminder: This is enabled only of the ATTSECUR (Attachment protection) parameter value is active.

Secure attachments, when uploaded, are stored in an administrative volume that is accessible only to administrative users and cannot be seen by normal users through the Sage X3 volumes interface. Their filenames are obfuscated and replaced with a generic sequence number.

With this option, the attachment can be retrieved only from the Attachments window on the relevant record, which means access to the attachment is subject to the same functional access rights as the actual record it is attached to.

Users who do not have access to a record will not be able to browse through its attachments in any other way.


With secure attachments, the Keyword interface has been disabled and cannot be accessed manually. The keyword fields, however, are still present in the attachments table and can be used programmatically.

It is important to note that the actual filenames on disk will be changed by the system. The filenames can only be referred to from the attachments table, through the Document name property.


When uploading files, the system will now perform controls to remove unwanted characters and will issue clear error messages when the file’s name cannot be used.

The following characters are not allowed in attachment filenames:

  • You cannot use @, %, and $ in Sage X3 file names (Sage X3 reserved characters)
  • You cannot use /, \, <, >, ?, :, *, , and | in operating system filenames (e.g. Windows)
  • You cannot use *, !, #, and ? in any file name because those are used in regular expressions.

For questions about the changes in Sage X3 2022 R4 regarding attachments, or any other questions about Sage X3, please contact us.