Maybe I wasnt clear enough.
What I am talking about is that GUI in default supports the option to upload, view and delete Attachments to any entity row. It is accessible through “cog” menu and it is displayed on the place of the left sidebar menu.
Since attachment’s parent row can be handled with row level security rules and filters, this wont apply on Attachments and I didnt find any way how to enforce such rules.
Projects can be updated only by KAM or Project Manager. Regular user can only read (eg. view). But he can still delete or upload any Attachment he desires despite the fact he has read-only access.