Creating & Managing Groups


Groups are key to managing user access in Vault. A group is simply a named list of users, but by defining groups that reflect the teams and roles in your company, and assigning those groups to document roles, you can manage document access more easily and efficiently.

In vaults using Dynamic Access Control, Vault also automatically creates groups that correspond to one lifecycle role and additional document field criteria. These are called Auto Managed Groups.

Accessing Group Administration

View and manage groups from Admin > Users & Groups > Groups. You must have a security profile that grants Groups permissions to work with user groups.

About System Provided Groups

Each vault has a number of groups designated as “system provided.” Vault includes these groups in your initial configuration and updates group membership automatically based on standard security profiles. When you create new users or modify their security profile, the system-managed groups will reflect those changes. You cannot delete these groups.

In addition to groups for each standard security profile, Vault manages the All Internal Users group. By default, All Internal Users includes users with the security profiles Document User, Business Admin, System Admin, and Vault Owner. Note that unless an Admin modifies the included security profiles for system provided groups, users with a custom profile, rather than a standard profile, are not included in any system provided group. Only users with the standard Vault Owner security profile can edit these groups in order to change the included security profiles. Other details are not editable.

About Auto Managed Groups

Auto Managed groups are a feature of Dynamic Access Control. Once you begin creating User Role Setup records, you’ll see Auto Managed groups appear.

These groups correspond to User Role Setup records, which include a user reference, a single lifecycle role reference, and one or more document/object field references. User Role Setup records with the same values (excluding the user reference) are placed into the same group. This table shows three example User Role Setup records and their corresponding groups.

User Role Product Country Auto Managed Group
Thomas Chung Editor CholeCap United States CholeCap-United States-Editor
Gladys Dunford Editor CholeCap United States CholeCap-United States-Editor
Tracy Lee Editor CholeCap CholeCap-Editor

Vault creates and populates these groups automatically. When User Role Setup records change, Vault checks to see if a new group is needed and reassigns users immediately.

Editing Auto Managed Groups

When editing these groups, you can only turn the Allow selection in configurations setting on and off. No other options are editable.  Vault automatically assigns group names based on the field order specified in Admin > Settings > Security Settings.

Using Groups Outside DAC: Runtime

You can select these groups for runtime tasks, for example, as a recipient for Send as Link or as a task assignee in a workflow start dialog.

Using Groups Outside DAC: Configuration

The Allow selection in configurations setting controls whether you can use these groups during design and configuration, for example, in configuring field-level security.

If a group becomes invalid because it references a picklist value or object record that is no longer active, you cannot select that group in configurations.

The following configuration options never allow you to select Auto Managed groups because they are part of the pre-DAC access control model:

  • Allowed users/default users in document lifecycle role configuration
  • Viewer, Editor, and Consumer defaults in the document type configuration

About User Provided Groups

Many organizations will need custom groups to manage their business processes. In vault, a custom group can be manually assigned or dynamically assigned. Manual assignment means that an Admin has to assign individual users to a group.

Automatic assignment uses the Included Security Profiles setting to specify one or more security profiles that correspond to the group. Vault automatically populates these groups with users who have the correct security profiles. For example, the VPharm Internal group may contain users who have the standard Document User and System Admin profiles, as well as the custom VPharm Business Admin profile.

If a user’s security profile changes or the group’s included profiles change, Vault reflects those changes immediately.

How to Create Custom Groups

To create a new, user provided group:

  1. From the Groups page, click Create.
  2. Enter the Group Name and (optional) Description.
  3. Optional: Select one or more profiles in Included Security Profiles. Vault automatically includes any user with the selected security profile in the group.
  4. Click Save.
  5. Open the Members tab and click Add Users to Group.
  6. Search for users and click the + icon to add them to the group or the icon to remove them. To search within an existing group, select a group from the picklist.
  7. When finished, click Close.

How to Change Members in a Custom Group

This option is only available for User Provided groups. To change the users that are members of a group:

  1. From the Groups page, click on the group to modify.
  2. Open the Members tab.
  3. Click Add Users to Group.
  4. In the dialog, search to find users to add or remove. Click the + icon to add a user to the group or the icon to remove a user who is already in the group. You cannot remove users that Vault automatically includes based on their security profile.
  5. When finished, click Close.

Admins with the correct permissions can also add an individual user to groups from the Users page. 

How to Delete Groups

Deleting a group removes it from your vault and cannot be undone. If the group has any roles on documents or is involved in an active workflow, you cannot delete it. If you are not ready to permanently delete a group, but want to prevent users from selecting it, you can disable the group. This option is only available for User Provided groups.

To delete a group:

  1. From the Groups page, click on the group to delete.
  2. On the Details tab, click Delete.
  3. Click Continue in the dialog to confirm.

How to Disable Groups

Disabling prevents users from selecting a group, but does not affect active workflows or sharing settings for documents where that group already has a role. This option is only available for User Provided groups. To disable a group:

  1. From the Groups page, click on the group to disable.
  2. In the Details tab, click Edit.
  3. Change the Status value.
  4. Click Save.

Last Updated: