Configuring Custom Sharing Rules for Objects
Custom Sharing Rules is part of Dynamic Access Control for object records. When using Custom Sharing Rules (rather than Matching Sharing Rules) for an object, Vault manages users’ roles on specific object records by matching rule criteria to specific user assignments. For example, on Product records where the Product Family _is _Veepharm Products, Gladys is an Editor and Thomas is an Owner.
You can enable Custom Sharing Rules for specific objects to provide a more granular level of security for one object without affecting others.
Custom matching sharing rules only support the standard Editor, Viewer, and Owner roles. You must use manual assignment for custom user roles.
Before starting any Custom Sharing Rules implementation, we recommend that you consult Veeva Services. You should have a plan in place for the sharing rules you will create.
We recommend enabling Configuration Mode while completing the following tasks. Once you enable Custom Sharing Rules for an object, all users will lose access to the object records until you’ve fully configured the rules.
- Create user groups that you plan to use in your sharing rules from Admin > Users & Groups > Groups.
- From Admin > Configuration > Objects > [Object] > Details, enable Custom Sharing Rules. You can return to the object configuration page at any time and disable Custom Sharing Rules. If you are not also using Matching Sharing Rules, the previous functionality returns immediately: security profiles provide object-level control over editing object records and all users can view or select all records.
- From Admin > Configuration > Objects > [Object], navigate to the Sharing Rules section. Set up Custom Sharing Rules to dictate how assigns users and groups to specific object records.
To enable and set up Custom Sharing Rules, your security profile must grant the Admin: Objects: Edit permission.
Custom Sharing Rules
When creating a sharing rule, you’ll first define a query against the records for an object, and then select users and groups to assign to a specific role on all records that match your query.
How to Create Sharing Rules
To create a sharing rule:
- Navigate to the object’s configuration details: Admin > Configuration > Objects, and then click on the specific object.
- Click into the Sharing Rules tab.
- Enter a descriptive Label for the rule. The label will be visible in the object records’ Sharing Settings.
- Enter a Name for the rule. This will be visible through the API.
- Optional: Enter a Description. The description only appears in the sharing rule’s details page.
- Under Rule Criteria, define the query parameters by selecting an object field, operator, and value. Create additional rows by clicking Add condition. Remove rows by clicking the minus (-) icon. See details.
- Click Save.
- In the Roles panel, click + Add to select users/groups and the roles they should receive. In the dialog, select a Role and one or more Users and Groups, then click Save. Repeat this step to add all the needed assignments.
- If you make a mistake assigning access or need to remove a user/group later, use the Actions menu on the individual assignment and select Remove.
When you initially create a rule or modify the query for an existing rule, Vault must reindex records to apply the new settings. This may take several minutes. A yellow bar appears at the top of the screen to indicate progress.
How to Modify Sharing Rules
To modify a sharing rule, return to the Sharing Rules tab on the object configuration and click into a specific rule:
- Click Edit to change the label, name, description, or query.
- In the Roles section, use the Add + button to create new user/group assignments in the rule. Use the Actions (gear) menu on each assignment row to remove a user/group assignment from the rule.
- Click Delete to permanently remove the rule.
Under Rule Criteria, you define a query against the object’s records. For example, all Product records where the Therapeutic Area equals Oncology. Rule Criteria accepts a VQL query. This is only appropriate for technical users but allows you to define a complex query. Learn more about VQL for sharing rules in our Developer Portal.
Sharing rule criteria can use fields from the object that is being queried, including fields that reference another object. They cannot use fields that belong to referenced objects, aside from the label field. For example, a query on Site could use Site Status and Study Number, but could not use Study Name because that field belongs to a different object.
Note that all field types except DateTime are available.
When you configure custom sharing rules or matching sharing rules for an object, the page layout includes a Sharing Settings section. Here, you can control the roles that each user has for specific object records.
The user roles available for an object, as well as the associated permissions, are configurable and lifecycle-specific. However, custom matching rules only support the standard Editor, Viewer, and Owner roles. You must use manual assignment for custom roles.
Filter by Role
You can filter by available roles in th_e Sharing Settings_ section. Select All Roles or from a list of available roles in the dropdown. This list includes active custom roles and associated Application Roles added to the object lifecycle.
Manual Assignment for Custom Roles
You can add roles for manual assignment. Once you assign a role, it displays in the Access via Manual Assignment section. You can hover over a role to view its assigned permissions.
To add a manual assignment:
- From Sharing Settings, click the + Add button to open the Add Manual Assignment dialog.
- Select the desired role from the Role picklist.
- Select a user or group from the Users and Groups picklist.
- Click Save.