Security on attachments

Hello, I'm trying to give a role access to add/edit attachments to operations on routes without giving them full access to the ProdRoute table.  I tried using Extensible Data Securities but can't seem to get that working.  Is anyone able to help me?

This is the form I"m talking about.  The role in question will have the New and Delete buttons greyed out but I want them to be able to click the attachments button on the bottom and add a note.