Creating Custom Study Roles

For your convenience, several standard Study Roles are available by default. You can see a list of those standard roles here. You can assign these standard roles to users in your study, or you can assign your users custom roles. You can copy the standard Study Roles to use as a template when creating your custom roles as well.

Prerequisites

Contact Veeva Services to enable Role by Study in your vault.

For Query Team Restrictions, a study designer can enable this feature for your study in Studio > Settings.


Users with the Vault Owner security profile, the CDMS Lead Data Manager study role, or the CDMS User Administrator study role are able to perform the actions described above by default.

If you have a custom Study Role, you must have the following permissions:

Type Permission Label Controls
Standard Tab System Tools Tab

Ability to access the Tools > System Tools tab

Functional Permission Manage Study Roles

Ability to create, edit, and delete custom Study Roles from Tools > System Tools > Role Management

If your Study contains restricted data, you must have the Restricted Data Access permission to view it.

Learn more about Study Roles.


Creating a Custom Role

You can create Study Roles from scratch or by copying an existing Study Role. If you create a new Study Role from scratch, there are additional configuration steps you must perform for your new role to become functional.

Once you create a custom Study Role, a user administrator can assign it to users in your Study immediately. However, it may take up to 4-6 hours before a user with the new role can view data, due to the processing that Vault performs as part of role creation. We recommend that you create custom roles first to allow time for processing to finish before your users begin work.

New Study Role

To create a new Study Role from scratch:

Create the Role

To create a new role:

  1. Navigate to Tools > System Tools > Role Management.
  2. Click + New Role. + New Role button

  3. Enter a Name for your new role. Note that this Name must be unique at the vault level. New Role dialog, with no entries for Name or Copy from Role

  4. Optional: Select a Team for your new role. This is the team this role works on queries within.
  5. If you are creating a custom role from scratch, don’t select a role in Copy from Role.
  6. Click Save. New Role dialog with the Name Verteo Investigator entered

  7. Select the permissions that you want to assign this role in the Standard Tabs, Permissions, User Defined Objects, and, if multi-role security is enabled, User Defined Permissions sections. Selecting the permission assigns the permission. If you don’t select a permission, this role will not have that permission. Custom Role in Edit Mode

  8. Click Save.

Vault creates a custom Security Profile and Permission Set with the appropriate permissions and maps it to your new Study Role. If you want to assign permissions for custom objects and tabs, you can perform that configuration now. See details here.

Copy from Existing Role

To create a new Study Role by copying an existing or standard Study Role:

  1. Navigate to Tools > Role Management.
  2. Click + New Role. + New Role button

  3. Enter a Name for your new role. Note that this Name must be unique at the vault level. New Role dialog, with no entries for Name or Copy from Role

  4. Select a standard Study Role in Copy from Role. Vault copies this Study Role into your custom Study Role. Copy from Role expanded in the New Role dialog

  5. Click Save.
  6. Select the permissions that you want to assign this role in the Standard Tabs, Permissions, User Defined Objects, and, if multi-role security is enabled, User Defined Permissions sections. Selecting the permission assigns the permission. If you don’t select a permission, this role will not have that permission.
  7. Click Save.

Vault creates a custom Security Profile and Permission Set with the appropriate permissions and maps it to your new Study Role. If you want to assign permissions for custom objects and tabs, you can perform that configuration now. See details here.

Editing Custom Roles

You can edit custom Study Roles from Tools > Role Management as needed.

When you edit a custom Study Role, Vault immediately applies those changes to every user with that role assigned.

To edit a custom Study Role:

  1. Navigate to Tools > System Tools > Role Management.
  2. From your custom role’s Actions menu, select Edit. Edit Role action

  3. Select and deselect permissions as needed.
  4. Click Save.

Rename a Role

You can rename custom Study Roles as needed.

To rename a custom Study Role:

  1. Navigate to Tools > System Tools > Role Management.
  2. From your custom role’s Actions menu, select Rename. Rename action for a custom role

  3. In the Rename Role dialog, enter a new Name. Rename Role dialog

  4. Click Save.

Change Teams

To change the Team assigned to a role:

  1. Navigate to Tools > System Tools > Role Management.
  2. From your custom role’s Actions menu, select Rename. Rename action for a custom role

  3. In the Rename Role dialog, select a new Team. Select a new Team in the Rename Role dialog

  4. Click Save.

Deleting a Role

If your organization is no longer using a custom Study Role, and no users are currently assigned that role, you can delete it.

To delete a custom Study Role:

  1. Navigate to Tools > System Tools > Role Management.
  2. From the custom role’s Actions menu, select Delete. Delete action

  3. In the Delete Role confirmation dialog, click Delete. Vault deletes your custom Study Role. Delete Role dialog

Teams

Vault CDMS includes Teams. If your Study uses the Team Query Restrictions feature, these teams control the ability to close queries created within a team. If a query is created by one team, for example, the Clinical team, then only members of that team can close the query. In this example, a member of the Data Management team would be able to comment on the query, but that user wouldn’t be able to close it.

You assign custom roles to a team during role creation or by renaming the role. Note that a role may only belong to one team.

Team Standard Roles
Administration
  • CDMS Deployment Administrator
  • CDMS User Administrator
  • CDMS Randomization Manager
  • CDMS Safety Administrator
  • CDMS Super User
Clinical
  • CDMS Clinical Research Associate
Coding
  • CDMS Clinical Coder
  • CDMS Clinical Coder Administrator
  • CDMS Clinical Coder Manager
Data Management
  • CDMS Data Manager
  • CDMS Lead Data Manager
  • CDMS Assessment Editor
  • CDMS Assessment Reader
  • CDMS Labs Data Manager
Other
  • CDMS Study Designer
  • CDMS Study Designer Read Only
  • CDMS Librarian
  • CDMS Auditor Read Only
  • CDMS API Read Only
  • CDMS API Read Write
Site
  • CDMS Principal Investigator
  • CDMS Sub Investigator
  • CDMS Clinical Research Coordinator

Available Permissions

The functional permissions listed in Role Management represent a combination of Application Role and Security Profile based permissions. In Tools > Role Management, each row represents either a functional permission or the ability to access a standard tab (such as Data Entry or Coder) in Vault CDMS. A selected (checked) permission indicates that a role has this permission.

See this table of all of these permissions and what standard Study Roles have these assigned.

Which permissions display in the User Defined Objects and User Defined Permission Sets sections depend on your vault’s configuration.

The tables below list each functional permission and a description of what it controls.

Standard Tabs

You can control access to the following standard tabs from the Standard Tabs section of the role table:

Field Controls
Assessments Tab

Ability to access the Assessments tab

Coder Tab

Ability to access the Coder tab

Coder Tools Tab

Ability to access the Coder Tools tab

Data Entry Tab

Ability to access the Data Entry tab

EDC Tools Tab

Ability to access the EDC Tools tab

Labs Tab

Ability to access the Labs tab

Library Tab

Ability to access the Library tab

Protocol Deviations Tab

Ability to access the Protocol Deviations tab

Randomization Tab

Ability to access the Randomization tab

Reports Dashboards Tab

Ability to access the Reports and Dashboards tabs

Review Tab

Ability to access the Review tab

Studio Tab

Ability to access the Studio tab

System Tools Tab

Ability to access the Tools > System Tools tab

Permissions

You can control access to various application functions from the Permissions section of the role table:

Field Controls
Workbench Tab

Ability to access and use the Data Workbench application, via the Workbench tab

View SDV

Ability to view SDV status

Edit SDV

Ability to perform SDV

View Query

Ability to view queries

Close Query

Ability to close queries

Close All Queries

Ability to close all queries, regardless of which query team created the query

Open Query

Ability to create new (open) queries

Answer Query

Ability to answer queries

View DMR

Ability to view DMR status

Edit DMR

Ability to perform DMR

Sign

Ability to provide an electronic signature on study data

Run Rules

Ability to run rules from EDC Tools > Rules

Manage Coding Lists

Ability to create, edit, import, and export Synonym Lists and Do Not Autocode Lists in Coder Tools

Data Entry

Ability to enter study execution data

Freeze Data

Ability to freeze and unfreeze data

Lock Data

Ability to lock and unlock data

Generate Detail PDF

Ability to export detail PDFs

Generate Blank PDF

Ability to export blank PDFs

Manage Study Lock

Ability to lock and unlock Studies and Sites from EDC Tools

Manage Jobs

Ability to create, edit, and delete scheduled jobs

Manage Amendments

Ability to initiate subject transfers, retrospective amendments, and prospective casebook amendments, from EDC Tools

Manage FTP

Ability to create and edit FTP Connections in EDC Tools

Manage Study Countries

Ability to create and edit Study Countries in EDC Tools

View Study Sites

Ability to view Sites in EDC Tools

Edit Study Sites

Ability to create and edit Sites from EDC Tools

Manage Coder Study Settings

Ability to edit Study Settings in Coder Tools

Add Casebook

Ability to add new Casebooks

Delete Casebook

Ability to delete subject Casebooks and related object records

View Clinical Assessments

Ability to view completed Assessments

Edit Clinical Assessments

Ability to perform (edit) Assessments

Manage Assessments

Ability to assign Study Roles to Assessment Definitions from EDC Tools > Assessments

Manage Review Plan Assignment

Ability to access EDC Tools > Review Plan Assignments and update the study- and site-level templates

Manage Learning

Ability to assign learning system Curriculums to Study Roles from EDC Tools

Manage Safety Configuration

Ability to set up the Safety Clinical Data Link for a Study and map Items to their E2B elements

View Casebook

Ability to view information about and from subject Casebooks (for reports, dashboards, and CDBs)

View Protocol Deviations

Ability to view Protocol Deviations

Create Protocol Deviations

Ability to create Protocol Deviations

Design Study

Ability to create study design definitions and a study schedule from Studio

View LIbrary

Ability to view library Collections and their designs from Studio > Library

Design Library

Ability to create study design definitions and a study schedule for a Collection from Studio > Library

Manage Data and Definition Export

Ability to schedule the Data and Definition Export job

Schedule Reports

Ability to create and schedule flash reports

View Form Linking

Ability to view Form Links

Edit Form Linking

Ability to edit Form Links

View Study Design

View-only access to Study Design

Manage Email Group Assignment

Ability to assign users to an Email Group from EDC Tools > Email Group Assignment

Manage Study Roles

Ability to create, edit, and delete custom Study Roles from Tools > System Tools > Role Management

View Users

Ability to view Users and their access

Edit Users

Ability to create and edit Users and their access

Restricted Data Access

Ability to view restricted (blinded) Forms

Manage Study Deployments

Ability to create and manage study Environments and deploy Studies from EDC Tools, as well as manage and deploy vault-level configuration from Tools > System Tools

View Lab Locations and Normals

Ability to view all Lab Locations and Normals

Edit Lab Locations and Normals

Ability to edit all Lab Locations and Normals. This permission can also see all Studies that are impacted, though they don’t have access to Clinical Data

Manage Site Lab Assignment

Ability to associate Sites with Lab locations

Manage Lab Units and Codelist

Ability to update Lab units and codelists

Manage Lab Study Settings

Ability to configure Study Settings in Labs

Lab Mass Updates

Ability to view and run mass update jobs

View All Lab Settings

Ability to view all Lab configuration

View Lab Analyte Library

Ability to view Analytes in the Analyte Library

Edit Lab Analyte Library

Ability to edit and update Analytes in the Analyte Library

API Access

Ability to access and use the Vault CDMS API. (This permission is also required to use CDB.)

Approve Lab Normals

Ability to approve Lab normals and add/merge Lab locations

View Integration Mappings

Ability to view Integration Mappings from EDC Tools > Integration Configuration

Edit Integration Mappings

Ability to edit Integration Mappings from EDC Tools > Integration Configuration

Edit Protocol Deviations

Ability to edit Protocol Deviations

Accept Closeout PDF

Ability to accept or reject Closeout PDFs

Generate Closeout PDF

Ability to generate the Closeout PDFs for a locked Site from EDC Tools > Sites

Notify Sites of Closeout PDF

Ability to set reminders and send a notification to a Site that the Closeout PDFs are ready for review

Review Closeout PDF

Ability to download the Closeout PDFs for a Site

Randomize Subject

Ability for a Site to Randomize a Subject

Emergency Unmasking

Ability for a Site to use Emergency Unmasking during adverse events to view treatment. Login credentials are required. Emergency unmasking will be logged in an unblinding report and notification emails (if configured) will go out.

Configure Randomization

Access to the Randomization tab to configure Randomization settings

Manage Randomization List

Ability to upload a Randomization List

View Randomization Enrollment

Ability to see a list of all Sites/Subjects as they are randomized

View Unmasked Data

Ability to see all unmasked Site/Subject data in the Randomization tab

View Randomization Kit/Device

Ability to view list to see what device/kit has been used and what’s available in the Randomization tab.

Reveal Treatment

Ability for a Site to see what treatment has been given to a subject. Login credentials are required. Not considered an emergency unmasking. Must have view data entry access.

Invalidate Randomization

Ability to invalidate the Randomization record in the Randomization tab

View Code

Ability to view coding progress

Assign Code

Ability to assign codes in Coder

Approve Code

Ability to approve or reject assigned codes in Coder

Edit CQL

Ability to edit the CQL statement for a listing in the CQL Editor

Modify Listing

Ability to edit the CQL statement and properties of private listings (Includes public and export listings when combined with the Public Access permission)

Create Listing

Ability to create private listings (Includes public and export listings when combined with the Public Access permission)

Delete Listing

Ability to delete a public listing

Generate CSV

Ability to generate a CSV for a listing

Public Access

Ability to create or modify a public listing, when combined with the Create Listing and Modify Listing permissions

View Listings

Ability to access the Listings page

View CDB Queries

Ability to access the Queries page and view Queries within Workbench

View Export

Ability to access the Export page

Create Export Definition

Ability to create and copy Export Definitions

Generate Export Package

Ability to generate a CSV or SAS export package

Delete Export Definition

Ability to delete an Export Definition

View Export Packages

Ability to access Export > Packages to view generated export packages

View Import

Ability to access the Import page

Download Import Package

Ability to download import packages

View Admin

Ability to access the Admin page

Permission Sets to Handle User Defined Objects & Tabs 21R2 & Later

If your organization is using Multi-Role Security, you can use a User Defined Permission Set to control access to user defined objects and tabs. This creates a single permission row in the Role Management table, where you can assign all permission granted in the set to a custom Study Role.

Create a User Defined Permission Set

To create a new User Defined Permission Set:

  1. Navigate to Tools > System Tools > User Defined Permission Sets.
  2. Click New Permission Set. New Permission Set button

  3. Enter a Name for the Permission Set. New Permission Set dialog

  4. Click Save.
  5. Click the Name of your new Permission Set to open it.
  6. Click Manage Tabs.
  7. In the Manage Tabs dialog, use the shuttle menu to move the needed tabs from Available Tabs to Selected Tabs.
  8. Optional: To remove a Tab:
    1. Hover over the Tab row to show the Remove () button.
    2. Click Remove ().
    3. In the Remove Tab confirmation dialog, click Remove.
  9. Click Objects. Objects subtab

  10. Click Manage Objects.
  11. In the Manage Objects dialog, use the shuttle menu to move the needed objects from Available Objects to Selected Objects.
  12. Click Edit Objects.
  13. Select the checkboxes for Create, Read, Update, and Delete to assign those permissions.
  14. Click the Binoculars () to view a list of object fields.
  15. Select the Object Field Permissions checkbox to set Read and Update permissions at the field level:
    1. In the Object Field Permissions dialog, click Edit.
    2. Select the Read and Update checkboxes on each field that you want to give the permission to read or update.
    3. When finished, click Save.
    4. After you’ve assigned field permissions, Vault displays a checkmark in the Object Field Permissions column. Click the Checkmark () to view field permissions.

Once you finish assigning tab and object permissions to a User Defined Permission Set, you can assign it to Study Roles in the User Defined Permission Sets section of the Role Management table.

Edit the Assigned Permissions

To edit the permissions assigned to a User Defined Permission Set, follow steps 5-15 of the [Create a User Defined Permission Set](#create-a-user-defined-permission-set] instructions above.

Sync a User Defined Permission Set

If you make changes to a User Defined Permission Set that is already assigned to a Study Role, you must use the Sync action to update the User Defined Permission Set on the Study Roles.

To sync a single permission set:

  1. Navigate to Tools > System Tools > User Defined Permission Sets.
  2. Locate the User Defined Permission Set you want to sync in the list.
  3. Hover over its Name to show the Actions menu.
  4. From the Actions menu, select Sync.
  5. In the Sync confirmation dialog, click Sync.

To sync multiple permission sets in one action:

  1. Navigate to Tools > System Tools > User Defined Permission Sets.
  2. Select the User Defined Permission Sets you want to sync in the list.
  3. Click Sync. Sync button

  4. In the Sync confirmation dialog, click Sync.

Rename a User Defined Permission Set

To rename a User Defined Permission Set:

  1. Navigate to Tools > System Tools > User Defined Permission Sets.
  2. Locate the User Defined Permission Set you want to edit in the list.
  3. Hover over its Name to show the Actions menu.
  4. From the Actions menu, select Edit. Edit action

  5. In the Edit Permission Set dialog, enter a new Name.
  6. Click Save.

Delete a User Defined Permission Set

You can delete a User Defined Permission Set as long as it isn’t assigned to any Study Roles.

To delete a User Defined Permission Set:

  1. Navigate to Tools > System Tools > User Defined Permission Sets.
  2. Locate the User Defined Permission Set you want to delete in the list.
  3. Hover over its Name to show the Actions menu.
  4. From the Actions menu, select Delete. Delete action

  5. In the Delete Permission Set confirmation dialog, click Delete.

User Defined Object Permissions

Role Management supports setting Read, Edit, and Delete permission on user-defined (custom) Vault objects for custom Study Roles. (Note that Create permission must be provided as part of a Security Profile.)

If your organization is using the Multi-Role Security model (new in 21R1, August 2021), then you can manage both object permissions and tab access for the custom object, including Create permission, from System Tools > User Defined Permission Sets. Then you can assign the entire User Defined Permission Set to a Study Role. Contact your Veeva Services representative to discuss upgrading to the new model.

To manage access to a user-defined object through Role Management, the object must meet all of these conditions:

  • The object must be a custom object “__c” namespace.
  • The object must have an object reference field to the Study (study__v) object.
  • The object must have a Deployment List record.
  • The object must have an object lifecycle.
  • The object must have Matching Sharing Rules enabled.

If your object meets these four conditions, Vault automatically includes it in the permissions table, in the User Defined Objects section.

Each object includes three rows for the Read, Edit, and Delete permissions. When you create or edit a custom Study Role, you can select these permissions in the same way as standard permissions. Note that these permissions are dependent. If you assign Edit, Vault automatically assigns Read. If you assign Delete, Vault automatically assigns Read and Edit.

Providing a user with one of these permissions on an object does not provide them access to view the custom tab exposing that object. You must provide that access via the role’s Security Profile or, for multi-role security vaults, with a User Defined Permission Set.

Use Cases Requiring Configuration with Role by Study 21R1 & Earlier

The sections below detail use cases that require additional configuration by a Vault Owner to work with the Role by Study security model. These configurations aren’t required for organizations using Multi-Role Security (introduced in 21R2, August 2021). Contact your Veeva Services representative to discuss enabling Multi-Role Security in your vault.

Users must have the Vault Owner security profile, or a custom permission set granting access to create and edit Security Profiles and Users from Admin > Users & Groups, to perform the actions described below.

Multiple Roles in a Vault

If a user in your Vault has multiple Study Roles assigned in different Studies, you may need to create a custom Security Profile and map it to the custom Study Role to ensure that they have the permissions they need.

For example, if Amir is a lead data manager for the Deetoza study, but he also acts as an auditor for the Veeofen study, he will need a custom security profile to ensure that he has the appropriate access in both Studies.

When you create a custom Study Role, Vault automatically creates a Permission Set that contains all of the access and permissions specified in Tools > Role Management. You can assign the Permission Set from each role to the custom Security Profile for this user.

  1. From Admin > Users & Groups > Security Profiles, create a new Security Profile and assign the Permission Sets for both custom roles to the Security Profile.
  2. From Admin > Users & Groups > Users, assign the new custom Security Profile to your user.
  3. From Tools > EDC Tools, add the user to both Studies, assigning the chosen custom Study Roles.

Study Roles for Custom Tabs

If you create custom tabs in your vault, you must perform additional security configuration to manage access using Study Roles.

  • Create a Permission Set (or more than one) that assigns access to those objects and tabs.
  • Either add that Permission Set to the existing Security Profile for your custom role (this profile has the same name as your custom Study Role) or create a Security Profile that has that Permission Set assigned, as well as any other Permission Set that a user would require to use Vault with that profile.
  • If you created a custom Security Profile update the Application Role Security Profile Rel mapping record for your custom Study Role to reference the custom Security Profile.

Mapping a Security Profile to a Custom Study Role

Vault uses the Application Role Security Profile Rel object to connect Study Roles (Application Roles) and Security Profiles. If you created a custom Security Profile for a Study Role to provide access to custom configurations, instead of updating the existing Security Profile for your Study Role, you must map the new Security Profile to the Study Role by updating the Application Role Security Profile Rels record for your role.

To update an Application Role Security Profile Rel record:

  1. Navigate to Admin > Business Admin > Security Profiles.
  2. Locate your custom Security Profile in the object record list.
  3. Copy or make a note of the Profile Name field value.
  4. Navigate to Admin > Business Admin > Application Role Security Profile Rels.
  5. Locate the record for your custom Study Role in the object record list.
  6. Click to open that record.
  7. Click Edit.
  8. In the Security Profile field, remove the existing value.
  9. Paste or enter the copied Profile Name into the Security Profile field.
  10. Click Save.