The Documents & Contracts module doesn’t have its own permission settings; it’s tied to the Payments module. But that’s not even the biggest issue.

Even when a user is limited to “Only assigned data” they can still view and edit all documents and contracts for all contacts — as long as they have access to Payments. The “Only assigned data” restriction is completely ignored.

The only current workaround is to remove Payments access entirely — which is far from ideal if users still need to handle invoices or transactions.

This is a serious permissions flaw that needs attention.