How to allow access to list item file attachments that was not created by the user with special constraints

sharepoint.stackexchange https://sharepoint.stackexchange.com/questions/258232

Question

I have been struggling with this problem for some time and can't decide how to handle it.

We have a SharePoint list with 3 groups of users:

  1. SOHO Account Managers
  2. SMB Account Managers
  3. ENT Account Managers

All users in all of the groups are allowed to see only the list items that were created by their AD username.

Now we have a request with a constraint that each user will be allowed to view all the list items that were created by his group (list items of other groups must remain unauthorized).
I have searched a lot and did not find any solution or configuration that will serve our needs.

To meet these requirements we came up with a plan. The plan is to develop an ASP.NET web application that will have its own authorization mechanism and a GUI to search list items by ID or title.
With the help of the SharePoint REST web service (using the Microsoft.SharePoint.Client namespace) the application will get the data from the list items and show it to the end users.

Everything up to here is nice and easy...
The problem we have is the files attached to each list item: access to the file's server path is based on the user's permission level, hence the server URL path for each file is blocked due to the security restriction I have described (a user can see only his own list items).

Is using the credentials of the application server (of the new application described before) the only way? Obviously we can come up with a solution like downloading the files (using the server credentials) to some network directory or to the server itself and from there sending them somehow to the client machine, but the more I think about this solution the more clumsy and crooked it seems to me.

I am not so familiar with SharePoint websites; maybe there is a less complicated solution?
How can I allow access to list item file attachments that were not created by the user who needs to view or download them, based on the constraints I have described?

What would you do if you had such a request? Any suggestion or enlightenment is most welcome.


Solution

An alternative approach is to create a people and group column that holds the group name and filter the list view based on that column, instead of item permissions.

Create a column of type People and Group. Say that the user will enter one of the three AD/SharePoint groups in that column. Use SharePoint Designer to update the view and add a condition to the view similar to the one below.

<Membership Type="CurrentUserGroups"><FieldRef Name="NameOfYourColumn"/></Membership>

This should allow a user to see all items if the user is a member of the group specified in the new People and Group column.

If you are using a custom application to display the items you can use a similar technique: update your CAML to include the above element as part of your query. A similar question has been answered here.
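The following is an added example (not code from the original answer or from the asker's project) showing how the same Membership filter is applied from a CSOM client and how the attachments of the returned items are then read through the same context, so only items the filter admits ever have their files touched. It assumes a list named "Accounts", a People and Group column named "OwningGroup", and a ClientContext opened as the end user.

```csharp
using System;
using System.IO;
using Microsoft.SharePoint.Client;

// Hypothetical helper: query a list with the CurrentUserGroups membership
// filter from the answer, then copy the attachments of matching items to disk.
static class GroupScopedAttachments
{
    public static void DownloadForCurrentUser(ClientContext ctx, string listTitle,
                                              string groupColumn, string targetDir)
    {
        List list = ctx.Web.Lists.GetByTitle(listTitle);

        // Server-side filter: SharePoint returns only items whose People and Group
        // column names a group the current user belongs to. No per-item
        // permissions are needed, and items of other groups never reach the client.
        var query = new CamlQuery
        {
            ViewXml =
                "<View><Query><Where>" +
                "<Membership Type=\"CurrentUserGroups\">" +
                "<FieldRef Name=\"" + groupColumn + "\"/>" +
                "</Membership>" +
                "</Where></Query></View>"
        };

        ListItemCollection items = list.GetItems(query);
        ctx.Load(items, c => c.Include(i => i.Id, i => i["Title"], i => i.AttachmentFiles));
        ctx.ExecuteQuery();

        foreach (ListItem item in items)
        {
            foreach (Attachment att in item.AttachmentFiles)
            {
                // Read the attachment through the same authenticated context instead
                // of constructing a file-server path by hand.
                string localPath = Path.Combine(targetDir, item.Id.ToString(), att.FileName);
                Directory.CreateDirectory(Path.GetDirectoryName(localPath));
                using (FileInformation info =
                           Microsoft.SharePoint.Client.File.OpenBinaryDirect(ctx, att.ServerRelativeUrl))
                using (var fs = new FileStream(localPath, FileMode.Create))
                {
                    info.Stream.CopyTo(fs);
                }
            }
        }
    }
}
```

If the ClientContext is instead opened with the application's own service credentials, CurrentUserGroups is evaluated for that service account, not for the signed-in end user, so the group check would have to be enforced against the end user's groups before any attachment is returned.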

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange