Study Access Control in Vault CDMS

Vault CDMS leverages the Vault Platform to control user access. In addition to configuring account-level access, User Administrators can manage user access at the Study level.

Granting Access

To control user access, you must have the Vault Owner (no Study Role required) or the CDMS User Administrator study role. With these, you have the ability to create User accounts and assign Study Roles from Tools > System Tools > Users.

Multi-Role Security

21R2 & Later

Multi-role security is a new feature in 21R2 that allows users to be assigned multiple Study Roles in a single Study and vault, without a custom security profile or multiple accounts.

When using multi-role security, all users have the same Security Profile, CDMS All Access. Then, user administrators can create User Defined Permission Sets to control access to user-defined (custom) objects and tabs. They can assign these permission sets to user-defined (custom) Study Roles to grant that role the access granted by the Permission Set.

Enablement: Contact your Veeva Services Representative to enable the Multi-Role Security feature in your vault.

Lead data managers and user administrators can create and manage custom Study Roles and User Defined Permission Sets from Tools > System Tools > Role Management.

User Defined Permission Sets

The ability to edit object records is controlled first at the object level, by a user’s Security Profile, and then, if configured, by dynamic access control at the object record level. Object field-level security provides another layer of control, allowing an organization to dictate which users can view or edit specific fields on an object.

When editing a permission set, you can grant the following permissions:

  • Read: Allows a user to view the field label and value. Without this permission, the user can’t see or use the field in any way, including filtering and grouping. The user may occasionally see the field Name, for example, when trying to perform an action that uses a hidden field, but they will never see the field’s value.
  • Edit: Allows a user to edit the field value.

You can also manage field-level security for a specific object from the Permission Set.

Object Action Security: If your vault utilizes custom (user defined) objects, ensure that Object Action Security is not configured on your custom objects. Vault CDMS does not support Object Action permissions or security.

Example Use Case

Your organization has a staff member, Peggy Norris, who is a lead data manager for the Veepharm study. You can assign her the CDMS Lead Data Manager study role for Veepharm. However, Peggy requested that she also be assigned the CDMS Clinical Research Associate role, so that she can preview the Study as it is displayed to CRAs in the Review tab. With multi-role security, you can assign her both the CDMS Lead Data Manager and CDMS Clinical Research Associate study roles in the Veepharm study. Peggy will then be able to perform all of her data management tasks, as well as preview the CRA view in the Review tab.

Role by Study Security

21R1 & Earlier

Vault CDMS offers a security model allowing users to have different roles in different studies. This model leverages the Application Role object to define user access at the object level (in this case, the Study object), instead of at the account level. Your Application Role extends your permissions granted by your Security Profile. Together, these make up your Study Role.

Lead data managers and user administrators can create and manage custom Study Roles from Tools > System Tools > Role Management.

To see a list of standard Study Roles and their permissions available with the CDMS Role by Study feature, see Managing CDMS Application Roles. See Standard CDMS Security Profiles for a list of standard Security Profiles and Permissions Sets.