Creating Custom Study Roles

For your convenience, several standard Study Roles are available by default. You can see a list of those standard roles here. You can assign these standard roles to users in your study, or you can assign your users custom roles. You can copy the standard Study Roles to use as a template when creating your custom roles as well.

Prerequisites

Contact Veeva Services to enable Role by Study in your vault.

For Query Team Restrictions, a study designer can enable this feature for your study in Studio > Settings.


Users with the Vault Owner security profile, the CDMS Lead Data Manager study role, or the CDMS User Administrator study role are able to perform the actions described above by default.

If you have a custom Study Role, you must have the following permissions:

Type Permission Label Controls
Standard Tab System Tools Tab

Ability to access the Tools > System Tools tab

Functional Permission Manage Study Roles

Ability to create, edit, and delete custom Study Roles from Tools > System Tools > Role Management

If your Study contains restricted data, you must have the Restricted Data Access permission to view it.

Learn more about Study Roles.


Creating a Custom Role

You can create Study Roles from scratch or by copying an existing Study Role. If you create a new Study Role from scratch, there are additional configuration steps you must perform for your new role to become functional.

If your assigned Study Role grants the Manage Study Roles permission, but not the Manage Users permission, you can only create roles that have the same or less permissions than you have in your own role.

Once you create a custom Study Role, a user administrator can assign it to users in your Study immediately. However, it may take up to 4-6 hours before a user with the new role can view data, due to the processing that Vault performs as part of role creation. We recommend that you create custom roles first to allow time for processing to finish before your users begin work.

New Study Role

To create a new Study Role from scratch:

Create the Role

To create a new role:

  1. Navigate to Tools > System Tools > Role Management.
  2. Click + New Role. + New Role button

  3. Enter a Name for your new role. Note that this Name must be unique at the vault level. New Role dialog, with no entries for Name or Copy from Role

  4. Optional: Select a Team for your new role. This is the team this role works on queries within.
  5. If you are creating a custom role from scratch, don’t select a role in Copy from Role.
  6. Click Save. New Role dialog with the Name Verteo Investigator entered

  7. Select the permissions that you want to assign this role in the Standard Tabs, Permissions, User Defined Objects, and, if multi-role security is enabled, User Defined Permissions sections. Selecting the permission assigns the permission. If you don’t select a permission, this role will not have that permission. Custom Role in Edit Mode

  8. Click Save.

Vault creates a custom Security Profile and Permission Set with the appropriate permissions and maps it to your new Study Role. If your vault is using multi-role security, Vault only creates Permission Set. If you want to assign permissions for custom objects and tabs, you can perform that configuration now. See details here.

Copy from Existing Role

To create a new Study Role by copying an existing or standard Study Role:

  1. Navigate to Tools > Role Management.
  2. Click + New Role. + New Role button

  3. Enter a Name for your new role. Note that this Name must be unique at the vault level. New Role dialog, with no entries for Name or Copy from Role

  4. Select a standard Study Role in Copy from Role. Vault copies this Study Role into your custom Study Role. Copy from Role expanded in the New Role dialog

  5. Click Save.
  6. Select the permissions that you want to assign this role in the Standard Tabs, Permissions, User Defined Objects, and, if multi-role security is enabled, User Defined Permissions sections. Selecting the permission assigns the permission. If you don’t select a permission, this role will not have that permission.
  7. Click Save.

Vault creates a custom Security Profile and Permission Set with the appropriate permissions and maps it to your new Study Role. If you want to assign permissions for custom objects and tabs, you can perform that configuration now. See details here.

Editing Custom Roles

You can edit custom Study Roles from Tools > Role Management as needed.

Once a role has been edited, you can publish the updated role to other connected vaults by ensuring that the role has been selected in the User Defined Roles deployment list and deploying the role to the target vault. When you edit a custom Study Role, Vault immediately applies those changes to every user with that role assigned.

To edit a custom Study Role:

  1. Navigate to Tools > System Tools > Role Management.
  2. From your custom role’s Actions menu, select Edit. Edit Role action

  3. Select and deselect permissions as needed.
  4. Click Save.

Rename a Role

You can rename custom Study Roles that are not currently assigned to any users in the vault.

Once a role has been renamed, you can publish the updated role to other connected vaults by ensuring that the role has been selected in the User Defined Roles deployment list and deploying the role to the target vault.

As is the case in the source vault, for the role to be renamed in the target vault, there must not be any users in the target vault that are assigned that role.

To rename a custom Study Role:

  1. Navigate to Tools > System Tools > Role Management.
  2. From your custom role’s Actions menu, select Rename. Rename action for a custom role

  3. In the Rename Role dialog, enter a new Name. Rename Role dialog

  4. Click Save.

Change Teams

To change the Team assigned to a role:

  1. Navigate to Tools > System Tools > Role Management.
  2. From your custom role’s Actions menu, select Rename. Rename action for a custom role

  3. In the Rename Role dialog, select a new Team. Select a new Team in the Rename Role dialog

  4. Click Save.

Deleting a Role

In some cases, if your organization is no longer using a custom Study Role and no users are currently assigned that role, you can delete it. For vaults created after the 21R2 release, which have the multi-role security feature, custom roles cannot be deleted if they have been deployed. For vaults created before the 21R2 release, which do not have the multi-role security feature, custom roles can be deleted in DEV vaults but the deletion does not take effect in other vaults.

To delete a custom Study Role:

  1. Navigate to Tools > System Tools > Role Management.
  2. From the custom role’s Actions menu, select Delete. Delete action

  3. In the Delete Role confirmation dialog, click Delete. Vault deletes your custom Study Role. Delete Role dialog

Teams

Vault CDMS includes Teams. If your Study uses the Team Query Restrictions feature, these teams control the ability to close queries created within a team. If a query is created by one team, for example, the Clinical team, then only members of that team can close the query. In this example, a member of the Data Management team would be able to comment on the query, but that user wouldn’t be able to close it.

You assign custom roles to a team during role creation or by renaming the role. Note that a role may only belong to one team.

Team Standard Roles
Administration
  • CDMS Deployment Administrator
  • CDMS User Administrator
  • CDMS Randomization Manager
  • CDMS Safety Administrator
  • CDMS Super User
Clinical
  • CDMS Clinical Research Associate
Coding
  • CDMS Clinical Coder
  • CDMS Clinical Coder Administrator
  • CDMS Clinical Coder Manager
Data Management
  • CDMS Data Manager
  • CDMS Lead Data Manager
  • CDMS Medical Assessment Editor
  • CDMS Medical Assessment Reader
  • CDMS Labs Data Manager
  • CDMS Data Loader
Other
  • CDMS Study Designer
  • CDMS Study Designer Read Only
  • CDMS Librarian
  • CDMS Auditor Read Only
  • CDMS API Read Only
  • CDMS API Read Write
  • CDB API Read Write
Site
  • CDMS Principal Investigator
  • CDMS Sub Investigator
  • CDMS Clinical Research Coordinator

Available Permissions

The functional permissions listed in Role Management represent a combination of Application Role and Security Profile based permissions. In Tools > Role Management, each row represents either a functional permission or the ability to access a standard tab (such as Data Entry or Coder) in Vault CDMS. A selected (checked) permission indicates that a role has this permission.

Refer to this table for information about permissions and what standard Study Roles have these assigned.

Which permissions display in the User Defined Objects and User Defined Permission Sets sections depend on your vault’s configuration.

The tables below list each functional permission and a description of what it controls.

Standard Tabs

You can control access to the following standard tabs from the Standard Tabs section of the role table:

Field Controls
Assessments Tab

Ability to access the Assessments tab

Coder Tab

Ability to access the Coder tab

Coder Tools Tab

Ability to access the Coder Tools tab

Data Entry Tab

Ability to access the Data Entry tab

Data Loader Tab

Ability to access the Data Loader tab

EDC Tools Tab

Ability to access the EDC Tools tab

Labs Tab

Ability to access the Labs tab

Library Tab

Ability to access the Library tab

Protocol Deviations Tab

Ability to access the Protocol Deviations tab

Randomization Tab

Ability to access the Randomization tab

Reports Dashboards Tab

Ability to access the Reports and Dashboards tabs

Review Tab

Ability to access the Review tab

Studio Tab

Ability to access the Studio tab

Study Grade Tab

Ability to access the Study Grade tab

System Tools Tab

Ability to access the Tools > System Tools tab

Safety Integrations Tab

Ability to access the Tools > Safety Integrations tab

Permissions

After standard tabs, permissions are grouped into functional areas. You can collapse and expand these sections.

Field Controls
Clinical Reporting Tab

Ability to access EDC Clinical Reporting via the Clinical Reporting tab. Note that EDC Clinical Reporting is only available in production environments.

Workbench Tab

Ability to access and use the Data Workbench application, via the Workbench tab

View SDV

Ability to view SDV status

Edit SDV

Ability to perform SDV

View Query

Ability to view queries

Close Query

Ability to close queries

Close All Queries

Ability to close all queries, regardless of which query team created the query

Open Query

Ability to create new (open) queries and comment on queries without moving them into the Answered status

Answer Query

Ability to answer queries, moving them into the Answered status. This permission doesn’t provide the ability to open queries.

View DMR

Ability to view DMR status

Edit DMR

Ability to perform DMR

Sign

Ability to provide an electronic signature on study data

Run Rules

Ability to run rules from EDC Tools > Rules

View Import History

Ability to access the Import History subtab within the Data Loader tab

Load Data

Ability to access the Import subtab within the Data Loader tab. Ability to edit the fields on the Import page and to run the Preview and Import jobs

Manage Coding Lists

Ability to create, edit, import, and export Synonym Lists and Do Not Autocode Lists in Coder Tools

Data Entry

Ability to enter study execution data

Freeze Data

Ability to freeze and unfreeze data

Lock Data

Ability to lock and unlock data

Generate Detail PDF

Ability to export detail PDFs

Generate Blank PDF

Ability to export blank PDFs

Manage Study Milestones

Ability to lock and unlock Studies and Sites, as well as set the Billing Status for study environments from EDC Tools

Manage Study Priority

Ability to mark a study as a priority or remove priority from a study

View Classification

Ability to view Classifications in a library collection

Edit Classification

Ability to create and edit Classifications and their Values in a library collection

Edit Study Settings

Ability to edit the Study Settings available in EDC Tools

Configure Queries

This permission was added to support features in a future release.

Manage Jobs

Ability to create, edit, and delete scheduled jobs

Manage Amendments

Ability to initiate subject transfers and retrospective amendments from EDC Tools

Manage FTP

Ability to create and edit FTP Connections in EDC Tools

Manage Study Countries

Ability to create and edit Study Countries in EDC Tools

View Study Sites

Ability to view Sites in EDC Tools

Edit Study Sites

Ability to create and edit Sites from EDC Tools

Manage Coder Study Settings

Ability to edit Study Settings in Coder Tools

Add Casebook

Ability to add new Casebooks

Delete Casebook

Ability to delete subject Casebooks with or without data and related object records

View Clinical Assessments

Ability to view completed Assessments

Edit Clinical Assessments

Ability to perform (edit) Assessments

Manage Assessments

Ability to assign Study Roles to Assessment Definitions from EDC Tools > Assessments

Manage Review Plan Assignment

Ability to access EDC Tools > Review Plan Assignments and update the study- and site-level templates

Manage Review Plan Assignment Criteria

Ability to access EDC Tools > Review Plan Assignment Criteria and update study- and site-level templates for assignment

Manage Review Plan Manual Assignment

Ability to access EDC Tools > Review Plan Manual Assignment and manually assign Review Plans

Manage Learning

Ability to assign learning system Curriculums to Study Roles from EDC Tools

View Safety Cases

Ability to view Safety Case banners

Manage Safety Configuration

Ability to set up the Safety Clinical Data Link for a Study and map Items to their E2B elements

View Safety Integrations

Ability to view the safety configurations available for a Study in Tools > Safety Integrations in read-only mode

Manage Safety Integrations

Ability to modify the safety configurations available for a Study in Tools > Safety Integrations

View Casebook

Ability to view information about and from subject Casebooks (for reports, dashboards, and CDBs)

View Protocol Deviations

Ability to view Protocol Deviations

Create Protocol Deviations

Ability to create Protocol Deviations

Design Study

Ability to create study design definitions and a study schedule from Studio

View Study Grade

Ability to view Study Grade records

View Library

Ability to view library Collections and their designs from Studio > Library

Design Library

Ability to create study design definitions and a study schedule for a Collection from Studio > Library

Manage Data and Definition Export

Ability to schedule the Data and Definition Export job

Schedule Reports

Ability to create and schedule flash reports

View Form Linking

Ability to view Form Links

Edit Form Linking

Ability to edit Form Links

View Study Design

View-only access to Study Design

Manage Email Group Assignment

Ability to assign users to an Email Group from EDC Tools > Email Group Assignment

Manage Study Roles

Ability to create, edit, and delete custom Study Roles from Tools > System Tools > Role Management

View Users

Ability to view Users and their access

Edit Users

Ability to create and edit Users and their access

Vault Configuration Report

Ability to generate a Vault Configuration Report

Restricted Data Access

Ability to view restricted (blinded) Forms and Studies that contain restricted data

Manage Deployments

Ability to create and manage study Environments and deploy Studies from EDC Tools, manage and deploy vault-level configuration from Tools > System Tools, and manage and deploy listings, checks, and views in CDB

View Lab Locations and Normals

Ability to view all Lab Locations and Normals

Edit Lab Locations and Normals

Ability to edit all Lab Locations and Normals. This permission can also see all Studies that are impacted, though they don’t have access to Clinical Data

Manage Site Lab Assignment

Ability to associate Sites with Lab locations

Manage Lab Units and Codelist

Ability to update Lab units and codelists

Manage Lab Study Settings

Ability to configure Study Settings in Labs

Lab Mass Updates

Ability to view and run mass update jobs

View All Lab Settings

Ability to view all Lab configuration

View Lab Analyte Library

Ability to view Analytes in the Analyte Library

Edit Lab Analyte Library

Ability to edit and update Analytes in the Analyte Library

API Access

Ability to access and use the Vault CDMS API. (This permission is also required to use CDB.)

Approve Lab Normals

Ability to approve Lab normals and add/merge Lab locations

View Integration Mappings

Ability to view Integration Mappings from EDC Tools > Integration Configuration

Edit Integration Mappings

Ability to edit Integration Mappings from EDC Tools > Integration Configuration

Edit Protocol Deviations

Ability to edit Protocol Deviations

View Snapshots

Ability to view Snapshots.

Manage Snapshots

Ability to create, edit, and overall manage Snapshots.

Accept Closeout PDF

Ability to accept or reject Closeout PDFs

Generate Closeout PDF

Ability to generate the Closeout PDFs for a locked Site from EDC Tools > Sites

Notify Sites of Closeout PDF

Ability to set reminders and send a notification to a Site that the Closeout PDFs are ready for review

Review Closeout PDF

Ability to download the Closeout PDFs for a Site

Randomize Subject

Ability for a Site to Randomize a Subject

Emergency Unmasking

Ability for a Site to use Emergency Unmasking during adverse events to view treatment. Login credentials are required. Emergency unmasking will be logged in an unblinding report and notification emails (if configured) will go out. Note that this is only applicable to grandfathered studies.

Configure Randomization

Access to the Randomization tab to configure Randomization settings

Manage Randomization List

Ability to upload a Randomization List

View Randomization Enrollment

Ability to see a list of all Sites/Subjects as they are randomized

View Unmasked Data

Ability to see all unmasked Site/Subject data in the Randomization tab

View Randomization Kit/Device

Ability to view list to see what device/kit has been used and what’s available in the Randomization tab.

Reveal Treatment

Ability for a Site to see what treatment has been given to a subject. Login credentials are required. Not considered an emergency unmasking. Must have view data entry access. Note that this is only applicable for grandfathered studies.

Invalidate Randomization

Ability to invalidate the Randomization record in the Randomization tab

Copy Study Data to PPT

Ability to copy study data to PPT environment

View Code

Ability to view coding progress

Assign Code

Ability to assign codes in Coder

Approve Code

Ability to approve or reject assigned codes in Coder

Answer 3rd Party Queries

Ability to answer queries on third party data items in Workbench

Edit CQL

Ability to edit the CQL statement for a listing in the CQL Editor

Modify Listing

Ability to edit the CQL statement and properties of private listings (includes public listings, export listings, and check listings when combined with the Public Access permission)

Create Listing

Ability to create private listings (includes public listings, export listings, and check listings when combined with the Public Access permission)

Delete Listing

Ability to delete a public listing or check

Generate CSV

Ability to generate a CSV for a listing, view, or check

Public Access

Ability to create or modify a public listing, when combined with the Create Listing and Modify Listing permissions

View Selected Listings

Ability to view selected listings (selected in Workbench > Admin > Users) in CDB

Manage Sources

Abiltiy to view and manage Sources from the import of third party data in CDB

Manage Unblinding Rules

Abiltiy to create and manage Unblinding Rules for the conditional unblinding of data in CDB

View All Listings

Ability to view all listings

View Selected CDB Query Listings

Ability to view selected query listings (selected in Workbench > Admin > Users) in CDB

View All CDB Query Listings

Ability to view all query listings

View Export

Ability to access the Export page

Create Export Definition

Ability to create and copy Export Definitions

Generate Export Package

Ability to generate a CSV or SAS export package

Delete Export Definition

Ability to delete an Export Definition

View Export Packages

Ability to access Export > Packages to view generated export packages

View Import

Ability to access the Import page

Download Import Package

Ability to download import packages

Approve Import

Ability to approve or reject an import package that contains configuration changes

View Admin

Ability to access the Admin page

Manage Key Mappings

Ability to create and manage key mappings for import

Browse View

Ability to access the Views tab within Workbench and browse Views. Ability to save a View as a Check

Create View

Ability to create new Views in Workbench

Modify View

Ability to edit (modify) existing Views in Workbench

Delete View

Ability to delete Views in Workbench

CDB Tools

Ability to access the CDB Tools area of Workbench

Configure CDB

Ability to configure settings for Core Listings in Workbench

Migrate Reviews

This permission was added in support of a feature in a future release.

Set Reviews

This permission was added in support of a feature in a future release.

Delete Data Sources

This permission was added in support of a feature in a future release.

Dependent Permissions

Some permissions are dependent on or included with other permissions. If you have access to a controlling permission, you automatically have access to the dependent permissions listed. You can’t remove a dependent permission without removing the controlling permission. Refer to the table below for a comprehensive list of controlling and dependent permissions.

When a permission is dependent and disabled, you can hover over its checkbox to view the controlling permission.

Controlling Permission Dependencies
Answer Query
  • View Query
API Access
  • View Casebook
  • View Form Linking
Approve Code
  • View Code
Assign Code
  • View Code
Close All Queries
  • View Query
Close Queries
  • View Query
Configure Randomization
  • View Study Design
Create Protocol Deviations
  • View Casebook
  • View Form Linking
  • View Protocol Deviations
Data Entry
  • View Casebook
  • View Form Linking
  • Edit Form Linking
Delete View
  • Browse View
Design Library
  • View Library
Design Study
  • View Study Design
Edit Classification
  • View Classification
Edit DMR
  • View DMR
Edit Form Linking
  • View Form Linking
Edit Integration Mappings
  • View Integration Mappings
Edit Lab Analyte Library
  • View Lab Analyte Library
Edit Lab Locations and Normals
  • View Lab Locations and Normals
Edit Medical Assessments
  • View Medical Assessments
Edit Protocol Deviations
  • View Casebook
  • View Form Linking
  • View Protocol Deviations
Edit SDV
  • View SDV
Edit Users
  • Assessments Tab
  • Coder Tab
  • Coder Tools Tab
  • Data Entry Tab
  • Data Loader Tab
  • EDC Tools Tab
  • Labs Tab
  • Library Tab
  • Protocol Deviations Tab
  • Randomization Tab
  • Reports Dashboard Tab
  • Review Tab
  • Studio Tab
  • System Tools Tab
  • Study Grade Tab
  • Safety Integrations Tab
  • View Users
  • Workbench Tab
Emergency Unmasking
  • View Casebook
  • View Form Linking
Invalidate Randomization
  • View Randomization Enrollment
Load Data
  • Data Entry Tab
  • View Casebook
  • View Form Linking
  • Edit Form Linking
Manage Amendments
  • Restricted Data Access
Manage Data and Definition Export
  • EDC Tools Tab
Manage Randomization List
  • View Study Design
Manage Safety Integrations
  • View Safety Integrations
  • Manage Jobs
Manage Study Deployments
  • Restricted Data Access
Manage Study Sites
  • Manage Study Countries
  • View Study Sites
Modify View
  • Browse View
Open Query
  • View Query
Randomization
  • Data Entry
  • Edit Form Linking
  • View Casebook
  • View Form Linking
Randomize Subject
  • Data Entry
  • Edit Form Linking
  • View Casebook
  • View Form Linking
Reveal Treatment
  • View Casebook
  • View Form Linking
Vault Configuration Report
  • System Tools Tab
View Casebook
  • View Form Linking
View Protocol Deviations
  • View Casebook
  • View Form Linking
View Randomization Enrollment
  • View Casebook
  • View Form Linking
View Selected CDB Query Listings
  • View All CDB Query Listings
View Selected Listings
  • View All Listings
View Unmasked Data
  • View Casebook
  • View Form Linking

Load Data & Dependent Permissions: The Load Data permission has dependent permissions that are required for the data loader to load study data into EDC. While these are all of the permissions required for data entry, this permission does not assign the Data Entry Tab permission. This means that users with the CDMS Data Loader permission or the Load Data permission are unable to access the Data Entry tab to enter data as a site user. If that is required, those users must have a custom role that grants both permissions. Users with this permission may also enter data via the CDMS API if their role grants the API Access permission.

Permission Sets to Handle User Defined Objects & Tabs 21R2 & Later

If your organization is using Multi-Role Security, you can use a User Defined Permission Set to control access to user defined objects and tabs. This creates a single permission row in the Role Management table, where you can assign all permission granted in the set to a custom Study Role.

Create a User Defined Permission Set

To create a new User Defined Permission Set:

  1. Navigate to Tools > System Tools > User Defined Permission Sets.
  2. Click New Permission Set. New Permission Set button

  3. Enter a Name for the Permission Set. New Permission Set dialog

  4. Click Save.
  5. Click the Name of your new Permission Set to open it.
  6. Click Manage Tabs.
  7. In the Manage Tabs dialog, use the shuttle menu to move the needed tabs from Available Tabs to Selected Tabs.
  8. Optional: To remove a Tab:
    1. Hover over the Tab row to show the Remove () button.
    2. Click Remove ().
    3. In the Remove Tab confirmation dialog, click Remove.
  9. Click Objects. Objects subtab

  10. Click Manage Objects.
  11. In the Manage Objects dialog, use the shuttle menu to move the needed objects from Available Objects to Selected Objects.
  12. Click Edit Objects.
  13. Select the checkboxes for Create, Read, Update, and Delete to assign those permissions.
  14. Click the Binoculars () to view a list of object fields.
  15. Select the Object Field Permissions checkbox to set Read and Update permissions at the field level:
    1. In the Object Field Permissions dialog, click Edit.
    2. Select the Read and Update checkboxes on each field that you want to give the permission to read or update.
    3. When finished, click Save.
    4. After you’ve assigned field permissions, Vault displays a checkmark in the Object Field Permissions column. Click the Checkmark () to view field permissions.

Once you finish assigning tab and object permissions to a User Defined Permission Set, you can assign it to Study Roles in the User Defined Permission Sets section of the Role Management table.

Edit the Assigned Permissions

To edit the permissions assigned to a User Defined Permission Set, follow steps 5-15 of the [Create a User Defined Permission Set](#create-a-user-defined-permission-set] instructions above.

Sync a User Defined Permission Set

If you make changes to a User Defined Permission Set that is already assigned to a Study Role, you must use the Sync action to update the User Defined Permission Set on the Study Roles.

To sync a single permission set:

  1. Navigate to Tools > System Tools > User Defined Permission Sets.
  2. Locate the User Defined Permission Set you want to sync in the list.
  3. Hover over its Name to show the Actions menu.
  4. From the Actions menu, select Sync.
  5. In the Sync confirmation dialog, click Sync.

To sync multiple permission sets in one action:

  1. Navigate to Tools > System Tools > User Defined Permission Sets.
  2. Select the User Defined Permission Sets you want to sync in the list.
  3. Click Sync. Sync button

  4. In the Sync confirmation dialog, click Sync.

Rename a User Defined Permission Set

To rename a User Defined Permission Set:

  1. Navigate to Tools > System Tools > User Defined Permission Sets.
  2. Locate the User Defined Permission Set you want to edit in the list.
  3. Hover over its Name to show the Actions menu.
  4. From the Actions menu, select Edit. Edit action

  5. In the Edit Permission Set dialog, enter a new Name.
  6. Click Save.

Delete a User Defined Permission Set

You can delete a User Defined Permission Set as long as it isn’t assigned to any Study Roles.

To delete a User Defined Permission Set:

  1. Navigate to Tools > System Tools > User Defined Permission Sets.
  2. Locate the User Defined Permission Set you want to delete in the list.
  3. Hover over its Name to show the Actions menu.
  4. From the Actions menu, select Delete. Delete action

  5. In the Delete Permission Set confirmation dialog, click Delete.

User Defined Object Permissions

Role Management supports setting Read, Edit, and Delete permission on user-defined (custom) Vault objects for custom Study Roles. (Note that Create permission must be provided as part of a Security Profile.)

If your organization is using the Multi-Role Security model (new in 21R1, August 2021), then you can manage both object permissions and tab access for the custom object, including Create permission, from System Tools > User Defined Permission Sets. Then you can assign the entire User Defined Permission Set to a Study Role. Contact your Veeva Services representative to discuss upgrading to the new model.

To manage access to a user-defined object through Role Management, the object must meet all of these conditions:

  • The object must be a custom object “__c” namespace.
  • The object must have an object reference field to the Study (study__v) object.
  • The object must have a Deployment List record.
  • The object must have an object lifecycle.
  • The object must have Matching Sharing Rules enabled.

If your object meets these four conditions, Vault automatically includes it in the permissions table, in the User Defined Objects section.

Each object includes three rows for the Read, Edit, and Delete permissions. When you create or edit a custom Study Role, you can select these permissions in the same way as standard permissions. Note that these permissions are dependent. If you assign Edit, Vault automatically assigns Read. If you assign Delete, Vault automatically assigns Read and Edit.

Providing a user with one of these permissions on an object does not provide them access to view the custom tab exposing that object. You must provide that access via the role’s Security Profile or, for multi-role security vaults, with a User Defined Permission Set.

Object Action Security: If your vault utilizes custom (user defined) objects, ensure that Object Action Security is not configured on your custom objects. Vault CDMS does not support Object Action permissions or security.

Use Cases Requiring Configuration with Role by Study 21R1 & Earlier

The sections below detail use cases that require additional configuration by a Vault Owner to work with the Role by Study security model. These configurations aren’t required for organizations using Multi-Role Security (introduced in 21R2, August 2021). Contact your Veeva Services representative to discuss enabling Multi-Role Security in your vault.

Users must have the Vault Owner security profile, or a custom permission set granting access to create and edit Security Profiles and Users from Admin > Users & Groups, to perform the actions described below.

Multiple Roles in a Vault

If a user in your Vault has multiple Study Roles assigned in different Studies, you may need to create a custom Security Profile and map it to the custom Study Role to ensure that they have the permissions they need.

For example, if Amir is a lead data manager for the Deetoza study, but he also acts as an auditor for the Veeofen study, he will need a custom security profile to ensure that he has the appropriate access in both Studies.

When you create a custom Study Role, Vault automatically creates a Permission Set that contains all of the access and permissions specified in Tools > Role Management. You can assign the Permission Set from each role to the custom Security Profile for this user.

  1. From Admin > Users & Groups > Security Profiles, create a new Security Profile and assign the Permission Sets for both custom roles to the Security Profile.
  2. From Admin > Users & Groups > Users, assign the new custom Security Profile to your user.
  3. From Tools > EDC Tools, add the user to both Studies, assigning the chosen custom Study Roles.

Study Roles for Custom Tabs

If you create custom tabs in your vault, you must perform additional security configuration to manage access using Study Roles.

  • Create a Permission Set (or more than one) that assigns access to those objects and tabs.
  • Either add that Permission Set to the existing Security Profile for your custom role (this profile has the same name as your custom Study Role) or create a Security Profile that has that Permission Set assigned, as well as any other Permission Set that a user would require to use Vault with that profile.
  • If you created a custom Security Profile update the Application Role Security Profile Rel mapping record for your custom Study Role to reference the custom Security Profile.

Mapping a Security Profile to a Custom Study Role

Vault uses the Application Role Security Profile Rel object to connect Study Roles (Application Roles) and Security Profiles. If you created a custom Security Profile for a Study Role to provide access to custom configurations, instead of updating the existing Security Profile for your Study Role, you must map the new Security Profile to the Study Role by updating the Application Role Security Profile Rels record for your role.

To update an Application Role Security Profile Rel record:

  1. Navigate to Admin > Business Admin > Security Profiles.
  2. Locate your custom Security Profile in the object record list.
  3. Copy or make a note of the Profile Name field value.
  4. Navigate to Admin > Business Admin > Application Role Security Profile Rels.
  5. Locate the record for your custom Study Role in the object record list.
  6. Click to open that record.
  7. Click Edit.
  8. In the Security Profile field, remove the existing value.
  9. Paste or enter the copied Profile Name into the Security Profile field.
  10. Click Save.