Just discovered a security flaw of the file cabinet and files: when a folder is set to private, no files from that folder should be visible to any other users besides Administrator. ACL does work when any user tries to preview the file from the associated transactions or records - preview denied. Now if the user's role has full access to "documents and files", then if they copy the direct URL of the file they can access it without any issue. Logically they should not be able to do so; the folder's ACL should have prevented them from viewing the file via direct URL (note - none of the access related check boxes are checked in the file's record) - the only way this can be viewed is if the "available without login" box is checked, but it is not. Obviously ACL is screwed here, I can already think of ways to exploit this 😬. This issue doesn't affect my users or the company since we use Veeva Vault for storing sensitive documents, but for others it can be a big issue. I have already opened a ticket with NS just to let them know about the vulnerability - they have opened an internal defect.
Defect #- 411854