Attachment authorization control can be implemented with the help of authorization scopes.
When you create an attachment via the Attachment button provided in the attachment assignment block, you can also assign an authorization scope to it.
Once the scope is maintained and the attachment is saved, the scope can no longer be changed.
The possible values of the authorization scope are maintained in customizing: SPRO -> Customer Relationship Management -> Transactions -> Basic settings -> Define Authorization scope for Attachments.
For the authorization domain, use exactly the spelling “ATTACHMENT”, as defined in constant CL_CRM_SFW_ITSM_SWITCH_CHECK=>gc_auth_domain, and use the SAP predefined class CL_CRM_AUTH_SCOPE_STATIC_CHK.
Then you can maintain the authorization scope values:
At runtime, the authorization domain “ATTACHMENT” together with the authorization scope of the current attachment is evaluated by the view controller of the attachment assignment block view. If the authorization check fails for the current user, the attachment being evaluated does not appear in the attachment assignment block.
The authorization check is done via check against authorization object CRM_AUTHSC:
If you need to view what authorization is granted to your user, you can execute report RSUSR070 and specify CRM_AUTHSC as the Authorization Object:
The report result shows that the authorization is included in four roles. Double-click one of them:
Click the “Authorizations” tab and click the display button:
Use the search function:
The result indicates that my user in our dev system has authorization to create, display, change and delete attachments belonging to any authorization domain and scope.
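The runtime filtering described above, and the effect of a wildcard authorization like the one found on the dev user, can be modelled in a few lines. This is an added Python sketch, not SAP code and not part of the original post: the class and field names, the scope values INTERNAL and PUBLIC, and the choice of the display activity for the visibility check are assumptions.

```python
from dataclasses import dataclass

AUTH_DOMAIN = "ATTACHMENT"  # domain name as given on the page
# Standard SAP activity (ACTVT) codes
CREATE, CHANGE, DISPLAY, DELETE = "01", "02", "03", "06"

@dataclass(frozen=True)
class Authorization:
    """One CRM_AUTHSC authorization held via a role (field names are hypothetical)."""
    domain: str
    scope: str
    activities: frozenset

    def permits(self, domain, scope, activity):
        # "*" in a role value matches anything, as in the dev user's profile
        return (self.domain in ("*", domain)
                and self.scope in ("*", scope)
                and ("*" in self.activities or activity in self.activities))

@dataclass(frozen=True)
class Attachment:
    name: str
    scope: str  # assigned at creation, fixed once the attachment is saved

def is_authorized(auths, scope, activity):
    """True if any authorization of the user covers domain + scope + activity."""
    return any(a.permits(AUTH_DOMAIN, scope, activity) for a in auths)

def visible_attachments(auths, attachments):
    """Model of the view controller: drop every attachment that fails the check.
    Checking the display activity here is an assumption of this model."""
    return [att.name for att in attachments
            if is_authorized(auths, att.scope, DISPLAY)]

# Constructed sample data (scope values are made up for illustration)
ATTACHMENTS = [Attachment("contract.pdf", "INTERNAL"),
               Attachment("faq.pdf", "PUBLIC")]
# Wildcard profile like the one found with RSUSR070: every scope, every activity
DEV_USER = [Authorization("*", "*", frozenset({CREATE, CHANGE, DISPLAY, DELETE}))]
# Least-privilege profile: display only, one scope
AGENT = [Authorization("ATTACHMENT", "PUBLIC", frozenset({DISPLAY}))]

if __name__ == "__main__":
    print("dev user sees:", visible_attachments(DEV_USER, ATTACHMENTS))
    print("agent sees:   ", visible_attachments(AGENT, ATTACHMENTS))
```

With the wildcard profile no scope ever hides an attachment, so scope-based control only takes effect for users whose roles list specific scope values.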