There is a potential auditing issue by utilizing the current user's account for SharePoint document attachment, since they would need to have at least add/delete permissions for the process to work correctly from D365FO, but this also means that they could potentially go to the document library and remove (or edit, depending on permissions levels) documents which de-syncs the document reference in D365FO. So I propose rather than using the current user's account to attach a document to a SharePoint, allow the use of a designated service account (parameters would be in the UI). This would allow more flexibility in control over permissions of the document library.
Comments
My system, works closely to this ideas in dynamics CRM with permission replicator and attach to dynamics plugin.
The main problem is that you lost who really made en action. Quicly you only see "service user" every where in sharepoint.
Category: System administration