Managing Study Roles
Vault CDMS offers a security model allowing users to have different roles in different studies. This model leverages the Study Role to define user access at the object level (in this case, the Study object), instead of at the account level. Your Study Role extends your permissions granted by your Security Profile. These combined represent the Study Role, a permission grouping that you can manage from Tools > System Tools > Role Management.
Users with the appropriate permissions can manage access to standard Vault CDMS functionality from Tools > EDC Tools and create custom study roles from Tools > System Tools > Role Management.
See Standard CDMS Security Profiles for a list of standard Security Profiles and Permissions Sets.
Prerequisites
Users with the Vault Owner security profile or the CDMS User Administrator study role can perform the actions described above by default. If your vault uses custom Study Roles, you must have the following permissions:
| Type | Permission Label | Controls |
|---|---|---|
| Standard Tab | System Tools Tab | Ability to access the Tools > System Tools tab |
| Functional Permission | Manage Study Roles | Ability to create, edit, and delete custom Study Roles from Tools > System Tools > Role Management |
If your Study contains restricted data, you must have the Restricted Data Access permission to view it.
Learn more about Study Roles.
Accessing Role Management
To access the Role Management area, click the Tools tab in the top navigation bar, and then click System Tools. By default, this opens the Role Management page.
Custom vs. Standard Study Roles
For your convenience, several standard Study Roles are available by default. You can assign these standard roles to users in your study, or you can assign your users custom roles. You can copy the standard Study Roles to use as a template when creating your custom roles as well.
Vault groups Study Roles in the role table by Custom and Standard. Standard Study Roles names start with “CDMS”. All other roles are custom Study Roles in your vault.
Available Standard Study Roles
You can view a list of standard Study Roles and which permissions each role has here. The following standard Study Roles are available:
- CDB API Read Write:
Users with this study role have read and write access to the CDB API.
- CDMS API Read Only:
Users with this study role have read-only access to the CDMS API.
- CDMS API Read Write:
Users with this study role have read and write access to the CDMS API. This role requires All Sites access.
- CDMS Auditor Read Only:
Users with this role have read-only access to Vault EDC and can generate PDFs.
- CDMS CDB Read-only:
CDB Read Only can access both the Workbench and Clinical Reporting applications, allowing a user to view listings, and import and export information, but without the ability to create or mark listings as reviewed, to create queries, or to create export definitions.
- CDMS Clinical Coder:
Users with the CDMS Clinical Coder study role can access and use Vault Coder, as well as send queries to and receive queries from site users in Vault EDC. This role requires All Sites access.
- CDMS Clinical Coder Administrator:
Users with the CDMS Clinical Coder Administrator study role can access and use Vault Coder, as well as use the Coder Tools administration area to manage application- and study-level settings for Vault Coder. This role requires All Sites access.
- CDMS Clinical Coder Manager:
Users with the CDMS Clinical Coder study role can access and use Vault Coder, and they can approve Code Requests coded by clinical coders. This role requires All Sites access.
- CDMS Clinical Research Associate:
Users with the CDMS Clinical Research Associate study role can use Vault EDC to perform SDV, close queries, freeze data, access reports, and create PDFs.
- CDMS Clinical Research Coordinator:
Users with the CDMS Clinical Research Coordinator study role can use Vault EDC’s to create Casebooks, fill and submit case report Forms, answer queries, access reports, and create PDFs.
- CDMS Data Loader:
Users with this study role have permission to load third party data into Vault EDC via the Data Loader.
- CDMS Data Manager:
Users with the CDMS Data Manager study role can use Vault EDC to perform data management review, view DMR, create PDFs, access reports, and lock data.
- CDMS Deployment Administrator:
Users with the CDMS Deployment Administrator role can create new study environments and deploy a study from one environment to another.
- CDMS Imaging Specialist:
Users with the CDMS Imaging Specialist role have access to view and download Imaging Exams from the Imaging tab.
- CDMS Labs Data Manager:
Users with this role have access to all functions within the Labs tab.
- CDMS Lead Data Manager:
Users with this role have the ability to create and close queries, perform DMR, lock data, lock studies and sites, and generate PDFs. They can also interact with the EDC Tools area, with the ability to manage amendments, sites, study countries, query rules, and run ad hoc and schedule recurring jobs.
- CDMS Librarian:
Users with the CDMS Librarian role can create, manage, and test study designs within library Collections.
- CDMS Medical Assessment Editor:
Users with this role are able to view and perform clinical assessments and view supplemental data related to those assessments.
- CDMS Medical Assessment Reader:
Users with this role are able to view clinical assessments and supplemental data related to those assessments.
- CDMS Principal Investigator:
Users with this role can use Vault EDC to create Casebooks, fill and submit case report Forms, answer queries, access reports, provide signatures, and create PDFs.
- CDMS Randomization Manager:
Users with this role are able to configure Randomization and manage Randomization Lists.
- CDMS Safety Administrator:
Users with this role have access to EDC Tools > Safety Configuration to set up the Safety Clinical Data Link in their study.
- CDMS Study Designer:
Users with the CDMS Study Designer study role can use Vault EDC Studio to create and design their studies in non-production environments.
- CDMS Study Designer Read Only:
Users with the CDMS Study Designer Read Only study role can access Studio in read-only mode.
- CDMS Sub Investigator:
Users with the CDMS Sub Investigator study role can use Vault EDC to create Casebooks, fill and submit case report Forms, answer queries, access reports, and create PDFs.
- CDMS Super User:
Users with this study role can access all areas of the application and perform all actions within those areas. This role is only available in non-production environments.
- CDMS User Administrator:
Users with this role can manage user accounts and access within Vault CDMS.
Viewing Roles
In the Role Management tab, Vault CDMS displays Study Roles and their permissions as a table. Each column represents a Study Role, and each row in the table represents a functional permission.
Functional permissions are divided into three (3) sections: Standard Tabs, Permissions, and User Defined Objects. If multi-role security is enabled in your vault, then there is also a User Defined Permission Sets section. In the Standard Tabs section, there is a permission row for the ability to access each standard navigation tab. In the Permissions section, there is a row for each standard function, such as Data Entry or Add Casebook, that a user may perform in Vault CDMS. Lastly, in the User Defined Objects section, there is a row for each qualifying custom object, and three rows for the Read, Edit, and Delete permissions on that object. In the User Defined Permission Sets section, there is a row for each User Defined Permission Set configured for the vault, which can control the ability to access user defined objects and tabs. Click a cell to highlight that row, column, or role/permission intersection.
For each Study Role column, Vault displays the number of users that are assigned that Study Role in the Number of User Assignments row.
You can click on the Number to view a list of those Users. From that dialog, you can filter the list by Study or search for a specific User.
Collapse & Expand Permission Sections
Vault groups functional permissions together. For easier viewing, you can collapse and expand sections as you scroll through the page.
Click the Collapse () or Expand () buttons to collapse and expand sections.
Exporting the Role & Permission Matrix to Excel™
You can export a list of Study Roles, both standard and custom, and the permissions assigned to them as an Excel™ spreadsheet.
To export role mappings:
- Navigate to Tools > System Tools > Role Management.
-
Click Download.
- Vault creates your export file (“Role Management {DateTime}.xlsx”) and the download begins right away. When finished, you can open the file in Excel™.
Creating & Editing Roles
You can create and edit custom Study Roles from Tools > Role Management. See details here.
Functional Permissions
The functional permissions listed in Role Management represent a combination of Application Role and Security Profile based permissions. In Tools > Role Management, each row represents either a functional permission or the ability to access a standard tab (such as Data Entry or Coder) in Vault CDMS. A selected (checked) permission indicates that a role has this permission.
This table lists each functional permission and a description of what it controls.
Standard Tabs
You can control access to the following standard tabs from the Standard Tabs section of the role table:
| Field | Controls |
|---|---|
| Assessments Tab | Ability to access the Assessments tab |
| Clinical Reporting Tab | Ability to access EDC Clinical Reporting via the Clinical Reporting tab. Note that EDC Clinical Reporting is only available in production environments. |
| Coder Tab | Ability to access the Coder tab |
| Coder Tools Tab | Ability to access the Coder Tools tab |
| Data Entry Tab | Ability to access the Data Entry tab |
| Data Loader Tab | Ability to access the Data Loader tab |
| EDC Tools Tab | Ability to access the EDC Tools tab |
| Imaging Tab | Ability to access the Imaging tab |
| Labs Tab | Ability to access the Labs tab |
| Library Tab | Ability to access the Library tab |
| Protocol Deviations Tab | Ability to access the Protocol Deviations tab |
| Randomization Tab | Ability to access the Randomization tab |
| Reports Dashboards Tab | Ability to access the Reports and Dashboards tabs |
| Review Tab | Ability to access the Review tab |
| Studio Tab | Ability to access the Studio tab |
| Study Grade Tab | Ability to access the Study Grade tab |
| System Tools Tab | Ability to access the Tools > System Tools tab |
| Safety Integrations Tab | Ability to access the Tools > Safety Integrations tab |
| Workbench Tab | Ability to access and use the Data Workbench application, via the Workbench tab |
Permissions
You can control access to various application functions from the Permissions section of the role table:
| Field | Controls |
|---|---|
| Data Entry | |
| View Casebook | Ability to view information about and from subject Casebooks (for reports, dashboards, and CDB) |
| Add Casebook | Ability to add new Casebooks |
| Delete Casebook | Ability to delete subject Casebooks with or without data and related object records |
| Data Entry | Ability to enter study execution data |
| View Form Linking | Ability to view Form Links |
| Edit Form Linking | Ability to edit Form Links |
| Generate Detail PDF | Ability to export detail PDFs |
| Generate Blank PDF | Ability to export blank PDFs |
| Sign | Ability to provide an electronic signature on study data |
| Queries | |
| View Query | Ability to view queries |
| Open Query | Ability to create new (open) queries and comment on queries without moving them into the Answered status |
| Answer Query | Ability to answer queries, moving them into the Answered status. This permission doesn’t provide the ability to open queries. |
| Close Query | Ability to close queries |
| Close All Queries | Ability to close all queries, regardless of which query team created the query |
| Review | |
| View SDV | Ability to view SDV status |
| Edit SDV | Ability to perform SDV |
| View DMR | Ability to view DMR status |
| Edit DMR | Ability to perform DMR |
| Freeze Data | Ability to freeze and unfreeze data |
| Lock Data | Ability to lock and unlock data |
| View Snapshots | Ability to view Snapshots. |
| Manage Snapshots | Ability to create, edit, and overall manage Snapshots. |
| Assessments | |
| View Medical Assessments | Ability to view completed Assessments |
| Edit Medical Assessments | Ability to perform (edit) Assessments |
| Manage Assessments | Ability to assign Study Roles to Assessment Definitions from EDC Tools > Assessments |
| Study Administration | |
| Manage Study Milestones | Ability to lock and unlock Studies and Sites, as well as set the Billing Status for study environments from EDC Tools |
| Study File Format API Access | Ability to access and use the Study File Format API. |
| Manage Jobs | Ability to create, edit, and delete scheduled jobs |
| Run Rules | Ability to run rules from EDC Tools > Rules |
| Manage FTP | Ability to create and edit FTP Connections in EDC Tools |
| Manage Study Countries | Ability to create and edit Study Countries in EDC Tools |
| View Study Sites | Ability to view Sites in EDC Tools |
| Edit Study Sites | Ability to create and edit Sites from EDC Tools |
| Manage Review Plan Assignment | Ability to access EDC Tools > Review Plan Assignments and update the study- and site-level templates |
| Manage Review Plan Assignment Criteria | Ability to access EDC Tools > Review Plan Assignment Criteria and update study- and site-level templates for assignment |
| Manage Review Plan Manual Assignment | Ability to access EDC Tools > Review Plan Manual Assignment and manually assign Review Plans |
| Manage Deployments | Ability to create and manage study Environments and deploy Studies from EDC Tools, manage and deploy vault-level configuration from Tools > System Tools, and manage and deploy listings, checks, and views in CDB |
| Manage Learning | Ability to assign learning system Curriculums to Study Roles from EDC Tools |
| Manage Email Group Assignment | Ability to assign users to an Email Group from EDC Tools > Email Group Assignment |
| Manage Study Roles | Ability to create, edit, and delete custom Study Roles from Tools > System Tools > Role Management |
| View Users | Ability to view Users and their access |
| Edit Users | Ability to create and edit Users and their access |
| Restricted Data Access | Ability to view restricted (blinded) Forms and Studies that contain restricted data |
| Manage Amendments | Ability to initiate subject transfers and retrospective amendments from EDC Tools |
| Manage Data and Definition Export | Ability to schedule the Data and Definition Export job |
| API Access | Ability to access and use the Vault CDMS API. (This permission is also required to use CDB.) |
| Schedule Reports | Ability to create and schedule flash reports |
| View Integration Mappings | Ability to view Integration Mappings from EDC Tools > Integration Configuration |
| Edit Integration Mappings | Ability to edit Integration Mappings from EDC Tools > Integration Configuration |
| Copy Study Data to PPT | Ability to copy study data to PPT environment |
| Vault Configuration Report | Ability to generate a Vault Configuration Report |
| Manage Safety Configuration | Ability to set up the Safety Clinical Data Link for a Study and map Items to their E2B elements |
| Manage Study Priority | Ability to mark a study as a priority or remove priority from a study |
| Edit Study Settings | Ability to edit the Study Settings available in EDC Tools |
| Data Loader | |
| View Import History | Ability to access the Import History subtab within the Data Loader tab |
| Load Data | Ability to access the Import subtab within the Data Loader tab. Ability to edit the fields on the Import page and to run the Preview and Import jobs |
| Coder | |
| View Code | Ability to view coding progress |
| Assign Code | Ability to assign codes in Coder |
| Approve Code | Ability to approve or reject assigned codes in Coder |
| Manage Coder Study Settings | Ability to edit Study Settings in Coder Tools |
| Manage Coding Lists | Ability to create, edit, import, and export Synonym Lists and Do Not Autocode Lists in Coder Tools |
| Study Design | |
| Review Study Grade | Ability to review Study Grade records |
| View Study Design | View-only access to Study Design |
| Design Study | Ability to create study design definitions and a study schedule from Studio |
| Library | |
| View Library | Ability to view library Collections and their designs from Studio > Library |
| Design Library | Ability to create study design definitions and a study schedule for a Collection from Studio > Library |
| View Classification | Ability to view Classifications in a library collection |
| Edit Classification | Ability to create and edit Classifications and their Values in a library collection |
| Protocol Deviations | |
| View Protocol Deviations | Ability to view Protocol Deviations |
| Edit Protocol Deviations | Ability to edit Protocol Deviations |
| Create Protocol Deviations | Ability to create Protocol Deviations |
| Labs | |
| View Lab Locations and Normals | Ability to view all Lab Locations and Normals |
| Edit Lab Locations and Normals | Ability to edit all Lab Locations and Normals. This permission can also see all Studies that are impacted, though they don’t have access to Clinical Data |
| Approve Lab Normals | Ability to approve Lab normals and add/merge Lab locations |
| View Lab Analyte Library | Ability to view Analytes in the Analyte Library |
| Edit Lab Analyte Library | Ability to edit and update Analytes in the Analyte Library |
| Manage Lab Units and Codelist | Ability to update Lab units and codelists |
| Manage Lab Study Settings | Ability to configure Study Settings in Labs |
| Manage Site Lab Assignment | Ability to associate Sites with Lab locations |
| View All Lab Settings | Ability to view all Lab configuration |
| Lab Mass Updates | Ability to view and run mass update jobs |
| Imaging | |
| Review Imaging Exam | Ability to view uploaded Imaging Exams |
| Upload Imaging Exam | Ability to upload Imaging Exams |
| Safety | |
| View Safety Cases | Ability to view Safety Case banners |
| Manage Safety Integrations | Ability to modify the safety configurations available for a Study in Tools > Safety Integrations |
| View Safety Integrations | Ability to view the safety configurations available for a Study in Tools > Safety Integrations in read-only mode |
| Randomization | |
| Randomize Subject | Ability for a Site to Randomize a Subject |
| View Randomization Kit/Device | Ability to view list to see what device/kit has been used and what’s available in the Randomization tab. |
| Configure Randomization | Access to the Randomization tab to configure Randomization settings |
| Manage Randomization List | Ability to upload a Randomization List |
| View Randomization Enrollment | Ability to see a list of all Sites/Subjects as they are randomized |
| Invalidate Randomization | Ability to invalidate the Randomization record in the Randomization tab |
| View Unmasked Data | Ability to see all unmasked Site/Subject data in the Randomization tab |
| Reveal Treatment | (No longer supported for any studies) Ability for a Site to see what treatment has been given to a subject. Login credentials are required. Not considered an emergency unmasking. Must have view data entry access. Note that this is only applicable for grandfathered studies. |
| Emergency Unmasking | (No longer supported for any studies) Ability for a Site to use Emergency Unmasking during adverse events to view treatment. Login credentials are required. Emergency unmasking will be logged in an unblinding report and notification emails (if configured) will go out. Note that this is only applicable to grandfathered studies. |
| Site Closeout | |
| Accept Closeout PDF | Ability to accept or reject Closeout PDFs |
| Generate Closeout PDF | Ability to generate the Closeout PDFs for a locked Site from EDC Tools > Sites |
| Notify Sites of Closeout PDF | Ability to set reminders and send a notification to a Site that the Closeout PDFs are ready for review |
| Review Closeout PDF | Ability to download the Closeout PDFs for a Site |
| Cdb | |
| View Selected Listings | Ability to view selected listings (selected in Workbench > Admin > Users) in CDB |
| Manage Sources | Abiltiy to view and manage Sources from the import of third party data in CDB |
| Manage Unblinding Rules | Abiltiy to create and manage Unblinding Rules for the conditional unblinding of data in CDB |
| View All Listings | Ability to view all listings |
| View Selected CDB Query Listings | Ability to view selected query listings (selected in Workbench > Admin > Users) in CDB |
| View All CDB Query Listings | Ability to view all query listings |
| Edit CQL | Ability to edit the CQL statement for a listing in the CQL Editor |
| Modify Listing | Ability to edit the CQL statement and properties of private listings (includes public listings, export listings, and check listings when combined with the Public Access permission) |
| Create Listing | Ability to create private listings (includes public listings, export listings, and check listings when combined with the Public Access permission) |
| Delete Listing | Ability to delete a public listing or check |
| Answer 3rd Party Queries | Ability to answer queries on third party data items in Workbench |
| Generate CSV | Ability to generate a CSV for a listing, view, or check |
| Public Access | Ability to create or modify a public listing, when combined with the Create Listing and Modify Listing permissions |
| View Export | Ability to access the Export page |
| Create Export Definition | Ability to create and copy Export Definitions |
| Generate Export Package | Ability to generate a CSV or SAS export package |
| Delete Export Definition | Ability to delete an Export Definition |
| View Export Packages | Ability to access Export > Packages to view generated export packages |
| View Import | Ability to access the Import page |
| Download Import Package | Ability to download import packages |
| Approve Import | Ability to approve or reject an import package that contains configuration changes |
| View Admin | Ability to access the Admin page |
| Manage Key Mappings | Ability to create and manage key mappings for import |
| Browse View | Ability to access the Views tab within Workbench and browse Views. Ability to save a View as a Check |
| Create View | Ability to create new Views in Workbench |
| Modify View | Ability to edit (modify) existing Views in Workbench |
| Delete View | Ability to delete Views in Workbench |
| CDB Tools | Ability to access the CDB Tools area of Workbench |
| Configure CDB | Ability to configure settings for Core Listings in Workbench |
| Migrate Reviews | This permission was added in support of a feature in a future release. |
| Set Reviews | This permission was added in support of a feature in a future release. |
| Delete Data Sources | This permission was added in support of a feature in a future release. |
| Configure Queries | This permission was added to support features in a future release. |
Standard Study Roles & Security Profiles
21R1 & Earlier
The following Study Roles are standard and available as part of the CDMS Role by Study feature.
Study Roles related to the CDMS Role by Study feature have “CDMS” in their name. Any roles without “CDMS” instead are custom Study Roles in your vault. Each standard Study Role has a standard Security Profile assigned. See details about standard Security Profiles here.
In vaults created after the 21R2 (August 2021) release, or vaults where multi-role security has been enabled, all Study Roles use the same Security Profile, CDMS All Access.
| Role | Security Profile | Description |
|---|---|---|
| CDB API Read Write | CDB API Read Write | Users with this study role have read and write access to the CDB API. |
| CDMS API Read Only | CDMS API Read Only | Users with this study role have read-only access to the CDMS API. |
| CDMS API Read Write | CDMS API Read Write | Users with this study role have read and write access to the CDMS API. This role requires All Sites access. |
| CDMS Auditor Read Only | CDMS Auditor Read Only | Users with this role have read-only access to Vault EDC and can generate PDFs. |
| CDMS CDB Read-only | CDMS CDB Read-only | CDB Read Only can access both the Workbench and Clinical Reporting applications, allowing a user to view listings, and import and export information, but without the ability to create or mark listings as reviewed, to create queries, or to create export definitions. |
| CDMS Clinical Coder | CDMS Clinical Coder | Users with the CDMS Clinical Coder study role can access and use Vault Coder, as well as send queries to and receive queries from site users in Vault EDC. This role requires All Sites access. |
| CDMS Clinical Coder Administrator | CDMS Clinical Coder Administrator | Users with the CDMS Clinical Coder Administrator study role can access and use Vault Coder, as well as use the Coder Tools administration area to manage application- and study-level settings for Vault Coder. This role requires All Sites access. |
| CDMS Clinical Coder Manager | CDMS Clinical Coder Manager | Users with the CDMS Clinical Coder study role can access and use Vault Coder, and they can approve Code Requests coded by clinical coders. This role requires All Sites access. |
| CDMS Clinical Research Associate | CDMS Clinical Research Associate | Users with the CDMS Clinical Research Associate study role can use Vault EDC to perform SDV, close queries, freeze data, access reports, and create PDFs. |
| CDMS Clinical Research Coordinator | CDMS Clinical Research Coordinator | Users with the CDMS Clinical Research Coordinator study role can use Vault EDC’s to create Casebooks, fill and submit case report Forms, answer queries, access reports, and create PDFs. |
| CDMS Data Loader | CDMS Data Loader | Users with this study role have permission to load third party data into Vault EDC via the Data Loader. |
| CDMS Data Manager | CDMS Data Manager | Users with the CDMS Data Manager study role can use Vault EDC to perform data management review, view DMR, create PDFs, access reports, and lock data. |
| CDMS Deployment Administrator | CDMS Deployment Administrator | Users with the CDMS Deployment Administrator role can create new study environments and deploy a study from one environment to another. |
| CDMS Imaging Specialist | CDMS Imaging Specialist | Users with the CDMS Imaging Specialist role have access to view and download Imaging Exams from the Imaging tab. |
| CDMS Labs Data Manager | CDMS Labs Data Manager | Users with this role have access to all functions within the Labs tab. |
| CDMS Lead Data Manager | CDMS Lead Data Manager | Users with this role have the ability to create and close queries, perform DMR, lock data, lock studies and sites, and generate PDFs. They can also interact with the EDC Tools area, with the ability to manage amendments, sites, study countries, query rules, and run ad hoc and schedule recurring jobs. |
| CDMS Librarian | CDMS Librarian | Users with the CDMS Librarian role can create, manage, and test study designs within library Collections. |
| CDMS Medical Assessment Editor | CDMS Medical Assessment Editor | Users with this role are able to view and perform clinical assessments and view supplemental data related to those assessments. |
| CDMS Medical Assessment Reader | CDMS Medical Assessment Reader | Users with this role are able to view clinical assessments and supplemental data related to those assessments. |
| CDMS Principal Investigator | CDMS Principal Investigator | Users with this role can use Vault EDC to create Casebooks, fill and submit case report Forms, answer queries, access reports, provide signatures, and create PDFs. |
| CDMS Randomization Manager | CDMS Randomization Manager | Users with this role are able to configure Randomization and manage Randomization Lists. |
| CDMS Safety Administrator | CDMS Safety Administrator | Users with this role have access to EDC Tools > Safety Configuration to set up the Safety Clinical Data Link in their study. |
| CDMS Study Designer | CDMS Study Designer | Users with the CDMS Study Designer study role can use Vault EDC Studio to create and design their studies in non-production environments. |
| CDMS Study Designer Read Only | CDMS Study Designer Read Only | Users with the CDMS Study Designer Read Only study role can access Studio in read-only mode. |
| CDMS Sub Investigator | CDMS Sub Investigator | Users with the CDMS Sub Investigator study role can use Vault EDC to create Casebooks, fill and submit case report Forms, answer queries, access reports, and create PDFs. |
| CDMS Super User | CDMS Super User | Users with this study role can access all areas of the application and perform all actions within those areas. This role is only available in non-production environments. |
| CDMS User Administrator | CDMS User Administrator | Users with this role can manage user accounts and access within Vault CDMS. |