Document attachment privileges are defined under the "SystemUser" role, in the privilege named "DocumentHandlingEssentials". I did somewhat similar work for a requirement where I had to provide a view-only document attachment restriction for the auditors role.
Details are provided on my blog: thinkinginax.blogspot.com/.../read-only-docuref-form-for-auditors.html