Study Access in Vault CDMS

Vault CDMS leverages the Vault Platform to control user access. In addition to configuring account-level access, User Administrators can manage user access at the Study level.

Role by Study Security

Vault CDMS offers a security model allowing users to have different roles in different studies. This model leverages the Application Role object to define user access at the object level (in this case, the Study object), instead of at the account level. Your Application Role extends your permissions granted by your Security Profile. Together, these make up your Study Role.

Lead data managers and user administrators can create and manage custom Study Roles from Tools > System Tools > Role Management.

To see a list of standard Application Roles and their permissions available with the CDMS Role by Study feature, see Managing CDMS Application Roles. See Standard CDMS Security Profiles for a list of standard Security Profiles and Permissions Sets.

Account-Level Security

Once you have an account on a vault, your access is then controlled by your Security Profile. Your Security Profile then grants certain permissions via Permission Sets. If CDMS Role by Study is not enabled in your vault, Permission Sets are the primary method of access control.

Access Control Levels

Access control in Vault CDMS is hierarchical. As permissions move through the levels of access control, the next permission level overwrites the previous. For example, if a Permission Set allows Read permission on the Protocol Deviation object, but then an Application Role removes Read permission on that object, users with that Application Role will not be able to view the Protocol Deviation object, even if their Permission Set allows it.

Access by Study

The permissions granted by a user’s Security Profile apply at the vault-level. Permissions granted by a user’s Application Role apply at the Study level. A single user can have a different role in each different study they have access to. For example, Lateef may have the CDMS Data Manager application role in the Deetoza study, allowing him to perform various data management tasks, but in the Veeofen study, he only has read-only permissions via the CDMS Auditor (Read Only) application role.

Granting Access

To control user access, you must have the Vault Owner (no Application Role required) or the CDMS User Administrator security profile and the User Administrator application role (in vaults where Role by Study is enabled).

  • You can create user accounts from Admin > Users & Groups, EDC Tools > Users, or by using Vault Loader.
  • You can give users a role on a Study from EDC Tools > Users.

Migrating from the Original Model to Role by Study

Once Veeva Support enables the CDMS Role by Study feature in your vault, you can migrate your existing Users to the new Security Profiles and Application Roles. You can edit these from Tools > EDC Tools > Users or Admin > Users & Groups. (Note that any cross-domain users must have these changes made in their home domain.)

Application Role Mapping

The table below maps the original Application Roles to their corresponding Role by Study Application Roles.

Original Application Role Role by Study Application Role
EDC Investigator CDMS Principal Investigator (Able to provide signatures),
CDMS Sub Investigator (Not able to provide signatures)
EDC Reviewer CDMS Auditor (Read Only)
EDC Clinical Research Coordinator CDMS Clinical Research Coordinator
EDC CRA, EDC Lead CRA CDMS Clinical Research Associate
EDC Data Manager CDMS Data Manager
EDC Lead Data Manager CDMS Lead Data Manager
EDC Clinical Coder CDMS Clinical Coder
N/A CDMS Clinical Coder Administrator (New with Role by Study)
N/A CDMS Study Designer (New with Role by Study)
N/A CDMS User Administrator (New with Role by Study)

Learn more about CDMS Study Roles.