Historically when secured attachments were not utilized, your web server (IBM HTTP Server or IIS) would serve the attachment files. URLs would be static (mydomain.com/doclinks/attachments/filename.jpg for example) which meant you could determine what the URL would be with only information in the DOCINFO table. This meant people could access attachments they couldn't access in Maximo. They only needed to know or be able to guess the filename.
The secured attachment servlet generates a code for each file that is only valid for that session. If you log into Chrome & Firefox for example, or log out of Chrome and log back in, you will see different parameters for the same file even as the same user. External reporting I don't think would be able to determine this, though I will admit I have never actually tried to look at how this works exactly.
External reporting can utilize the REST API feature for retrieving the attachment(s). You would need to authenticate the API request (and have an account with authorization to the record in question), but you can build the request to get the attachment in a consistent manner. This also would help if you needed certain functionality like generating a thumbnail of an image rather than retrieving the full file.
If you need your external reporting system to be able to access any file without providing it access to the various object structures, you'd need to build your own automation script REST API script (IBM Maximo Autoscripting Guide – Invoking script through Automation Script Handler) that you could pass in some parameters (such as the doclinksid) to retrieve the attachment. I would add some handling (either through signature options or code in the script) to restrict this to only your external reporting solution because otherwise you have the same problem as the legacy insecure attachments. Anyone who can guess the URL could access any file, even if they didn't have access to the original file.
------------------------------
Steven Shull
Naviam
------------------------------
Original Message:
Sent: 03-09-2026 18:44
From: sun kim
Subject: #TipTuesday – Opening MAS Attachments
I guess the next question is for external reporting integration, is the secure attachment link recorded in the database somewhere to retrieve the correct URL to render the inline image? Its probably against ToS to reverse engineer how the secure attachment URL is generated so we could feed that URL into our reporting tool (to render images as thumbnail previews?).
------------------------------
sun kim
Original Message:
Sent: 03-09-2026 14:04
From: Steven Shull
Subject: #TipTuesday – Opening MAS Attachments
That's a really good question. Maximo was not setting the content-type on the response which led to everything being a download. With the property enabled, the content-type is returned to the browser so it can determine whether it can render the attachment. If it's a data type that it cannot render (such as a zip) it will continue to download like before.
------------------------------
Steven Shull
Naviam
Original Message:
Sent: 03-09-2026 12:02
From: sun kim
Subject: #TipTuesday – Opening MAS Attachments
How do file types that can't be viewed inline work? Will they then default to the browser's default (e.g. download as attachment)? For example, if we set the browser to be able to view PDFs and images, but Word docs are downloaded, would setting it to inline let the client browser dictate the behavior based on the file type the browser supports inline and download the rest that are not supported?
------------------------------
sun kim
Original Message:
Sent: 02-03-2026 15:10
From: Allan Henle
Subject: #TipTuesday – Opening MAS Attachments
With the switch in MAS requiring systems to move to S3 Buckets or COS for attached documents, it requires secured attachments. This has typically required users to download attachments in the browser, and then open them from there. This can be a pain, and an extra click. With a new system property mxe.doclink.attachmentOpenMethod, this can be changed.
The options for this system property are 'inline' and 'attachment'. Inline will have the file open in your browser, attachment will have you download the file as you have before.
Happy #TipTuesday
#Administration
#EndUser
#MaximoApplicationSuite
------------------------------
Allan Henle
Naviam
------------------------------