About Permission Sets


In Vault, permission sets are a way to group permissions together. Security profiles then use the permission sets to grant or restrict users’ access to certain features, particularly system administration functions such as user management or object record creation. For example, the permission sets applied to the IT Administrator security profile allow users with that profile to manage users and groups, but not studies and sites.

Accessing Permission Set Configuration

To configure permission sets, you must have the Admin: Permission Sets: Read, Create, Edit, Delete permissions.

With the right access, you can manage permission sets from Admin > Users & Groups > Permission Sets.

About ‘All’ Permissions

Throughout the permission sets configuration, there are permissions like All Configuration and All Audit. Granting these permissions gives users all permissions under them. However, this functions differently from simply selecting each sub-permission. If a future release of Vault adds new permissions to an area, permission sets with the ‘All’ permission will automatically select those new permissions.

About Permission Dependencies

Granting certain permissions automatically grants additional permissions. When editing, these dependent permissions will be greyed out as long as their controlling permission is selected.

For example, when you grant the Web Actions: Delete permission, you automatically grant the Web Actions: Edit permission.
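The difference between an 'All' permission and individually selected sub-permissions, together with the Delete-grants-Edit dependency, is modelled below. This is an added example, not Veeva code or a Vault API: the catalogs, release labels, permission set names and the "Hypothetical Feature: Edit" permission are constructed for illustration, and only the Web Actions dependency is taken from this page.

```python
"""Toy model of 'All' permissions and permission dependencies (not Vault code)."""

# Constructed catalog for one release: area -> permissions that exist in it.
CATALOG_R1 = {
    "Configuration": {
        "Tabs: Read", "Tabs: Edit",
        "Web Actions: Read", "Web Actions: Edit", "Web Actions: Delete",
    },
}
# Hypothetical later release that adds one permission to the same area.
CATALOG_R2 = {
    "Configuration": CATALOG_R1["Configuration"] | {"Hypothetical Feature: Edit"},
}

# Controlling permission -> permissions it grants automatically.
# Only this one dependency is stated on the page; no others are assumed.
DEPENDENCIES = {"Web Actions: Delete": {"Web Actions: Edit"}}

# Constructed permission sets. The first two look identical under CATALOG_R1.
PERMISSION_SETS = {
    "config-all": {"all_areas": ["Configuration"]},
    "config-each": {"selected": sorted(CATALOG_R1["Configuration"])},
    "web-actions-cleanup": {"selected": ["Web Actions: Delete"]},
}


def effective_permissions(permission_set, catalog, dependencies=DEPENDENCIES):
    """Expand 'All' grants against the catalog, then follow dependencies."""
    granted = set(permission_set.get("selected", ()))
    for area in permission_set.get("all_areas", ()):
        # An 'All' grant is resolved against whatever the catalog holds now.
        granted |= catalog.get(area, set())
    pending = list(granted)
    while pending:  # transitive closure over controlling -> dependent
        for dependent in dependencies.get(pending.pop(), ()):
            if dependent not in granted:
                granted.add(dependent)
                pending.append(dependent)
    return granted


def release_drift(permission_set, old_catalog, new_catalog):
    """Permissions a set gains only because the catalog grew."""
    return (effective_permissions(permission_set, new_catalog)
            - effective_permissions(permission_set, old_catalog))


def audit(permission_sets, old_catalog, new_catalog):
    """Map each drifting permission set to the permissions it newly holds."""
    report = {}
    for name, permission_set in permission_sets.items():
        gained = release_drift(permission_set, old_catalog, new_catalog)
        if gained:
            report[name] = sorted(gained)
    return report


if __name__ == "__main__":
    for name, gained in audit(PERMISSION_SETS, CATALOG_R1, CATALOG_R2).items():
        print(f"{name}: gains {gained} without any edit to the permission set")
```

Only the set holding the 'All' grant changes between the two catalogs, which is why permission sets with 'All' permissions are the ones to re-review after each release.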

Admin Permissions

Access to administrator-type functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings in the Admin tab of the Permission Sets page.

Note that in addition to license type, security profile, and permission set, some access is controlled by the Domain Admin user setting.

Configuration

Permission Access Details
Configuration: All Configuration Grants all ‘Configuration’ permissions; individual permissions are explained below.
Configuration: All Configuration Read Grants all ‘Read’ permissions in ‘Configuration’; individual permissions are explained below.
Email Settings: Read Grants read-only permission to the Configuration > Email Settings page
Email Settings: Edit Grants edit permission to the Configuration > Email Settings page
Login Message: Read Grants read-only permission to the Configuration > Login Message page
Login Message: Edit Grants edit permission to the Configuration > Login Message page
Business Admin Menu: Read Grants read-only permission to Configuration > Business Admin Menu
Business Admin Menu: Edit Grants edit permission to Configuration > Business Admin Menu
Picklist: Read Grants read-only permission to the Business Admin > Picklist page
Picklist: Edit Grants edit permission to the Business Admin > Picklist page
Tags: Read Grants read-only permission to the Configuration > Document Tags page.
Tags: Edit Grants edit permission to the Configuration > Document Tags page.
User Account Emails: Read Grants read-only permission to the Configuration > User Account Emails page
User Account Emails: Edit Grants edit permission to the Configuration > User Account Emails page
Lifecycle Colors: Read Grants read-only permission to the Configuration > Lifecycle Colors page
Lifecycle Colors: Edit Grants edit permission to the Configuration > Lifecycle Colors page
Searchable Objects: Read Grants read-only permission to the Configuration > Searchable Objects page
Searchable Objects: Edit Grants edit permission to the Configuration > Searchable Objects page
Tabs: Read Grants read-only permission to the Configuration > Tabs page
Tabs: Create Grants the ability to create new tabs in the Configuration > Tabs page
Tabs: Edit Grants the ability to edit existing tabs in the Configuration > Tabs page
Tabs: Delete Grants ability to delete existing tabs in the Configuration > Tabs page
Object Web Actions: Read Grants read-only permission to the Configuration > Object Web Actions page
Object Web Actions: Create Grants ability to create new actions in the Configuration > Object Web Actions page
Object Web Actions: Edit Grants ability to edit existing actions in the Configuration > Object Web Actions page
Object Web Actions: Delete Grants ability to delete actions in the Configuration > Object Web Actions page
Object Lifecycles: Read Grants read-only permission to Configuration > Object Lifecycles, including all sub-pages (lifecycles, states, etc.)
Object Lifecycles: Create Grants ability to create new items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc.
Object Lifecycles: Edit Grants ability to edit existing items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc.
Object Lifecycles: Delete Grants ability to delete existing items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc.
Object Workflows: Read Grants read-only permission to Configuration > Object Workflows
Object Workflows: Create Grants ability to create new workflows within Configuration > Object Workflows
Object Workflows: Edit Grants ability to edit existing workflows within Configuration > Object Workflows
Object Workflows: Delete Grants ability to delete existing workflows within Configuration > Object Workflows
Object Messages: Read Grants read-only permission to Configuration > Object Messages
Object Messages: Create Grants ability to create new messages within Configuration > Object Messages
Object Messages: Edit Grants ability to edit existing messages within Configuration > Object Messages
Object Messages: Delete Grants ability to delete existing messages within Configuration > Object Messages
Objects: Read Grants read-only permission to Configuration > Objects
Objects: Create Grants ability to create new objects within Configuration > Objects
Objects: Edit Grants ability to edit existing objects within Configuration > Objects
Objects: Delete Grants ability to delete existing objects within Configuration > Objects
Overlays: Read Grants read-only permission to Business Admin > Overlays
Overlays: Create Grants ability to create new overlay templates within Business Admin > Overlays
Overlays: Edit Grants ability to edit existing overlay templates within Business Admin > Overlays
Report Types: Read Grants read-only permission to Configuration > Report Types
Report Types: Create Grants ability to create new report types within Configuration > Report Types
Report Types: Edit Grants ability to edit existing report types within Configuration > Report Types
Report Types: Delete Grants ability to delete existing report types within Configuration > Report Types
Signature Pages: Read Grants read-only permission to Business Admin > Signature & Cover Pages
Signature Pages: Create Grants ability to create new signature page templates within Business Admin > Signature & Cover Pages
Signature Pages: Edit Grants ability to edit existing signature page templates within Business Admin > Signature & Cover Pages
Signature Pages: Delete Grants ability to delete existing signature page templates within Business Admin > Signature & Cover Pages
Logs: All Audit Grants ability to view all audit histories in Admin > Logs
Logs: System Audit Grants ability to view System Audit History in Admin > Logs
Logs: Login Audit Grants ability to view Login Audit History in Admin > Logs
Logs: Document Audit Grants ability to view Document Audit History in Admin > Logs
Logs: Object Record Audit Grants ability to view Object Record Audit History in Admin > Logs
Logs: Domain Audit Grants ability to view Domain Audit History in Admin > Logs
Logs: Debug Log Grants ability to view Debug Log in Admin > Logs. Note that no more than 20 users per vault can create debug logs. To inquire about Vault Java SDK solutions, contact Veeva Services.
Logs: API Usage Grants ability to view API Usage Logs in Admin > Logs
Vault Java SDK: Read Grants read permission on components using the Vault Java SDK. To inquire about Vault Java SDK solutions, contact Veeva Services.
Vault Java SDK: Create Grants create permission on components using the Vault Java SDK. To inquire about Vault Java SDK solutions, contact Veeva Services.
Vault Java SDK: Edit Grants edit permission on components using the Vault Java SDK. To inquire about Vault Java SDK solutions, contact Veeva Services.
Vault Java SDK: Delete Grants delete permission on components using the Vault Java SDK. To inquire about Vault Java SDK solutions, contact Veeva Services.

Domain Administration

Permission Access Details
Domain Administration: All Domain Admin Grants all permissions related to Domain Administration
Domain Administration: All Domain Admin Read Grants read-only permissions to all Domain Administration areas
Domain Administration: Reset All Passwords Grants permission to reset all user passwords.
Domain Information: Read Grants read-only permission to Settings > Domain Information
Domain Information: Edit Grants edit permission to Settings > Domain Information
SSO Settings: Read Grants read-only permission to Settings > SAML Profiles
SSO Settings: Edit Grants edit permission to Settings > SAML Profiles
Security Policies: Read Grants read-only permission to Settings > Security Policies
Security Policies: Create Grants permission to create new security policies in Settings > Security Policies
Security Policies: Edit Grants permission to edit existing security policies in Settings > Security Policies
Network Access Rules: Read Grants read-only permission to Settings > Network Access Rules
Network Access Rules: Create Grants permission to create new network access rules in Settings > Network Access Rules
Network Access Rules: Edit Grants permission to edit existing network access rules in Settings > Network Access Rules
Network Access Rules: Delete Grants permission to delete existing network access rules in Settings > Network Access Rules

Operations

Permission Access Details
Operations: All Operations Grants all permissions for job scheduler
Operations: All Operations Read Grants read-only permissions to all areas of the Operations tab
Jobs: Read Grants read-only access to Operations > Job Definitions
Jobs: Create Grants ability to create new job definitions
Jobs: Edit Grants ability to edit existing job definitions
Jobs: Delete Grants ability to delete job definitions
Jobs: Interact Grants ability to manage scheduled job instances (start, stop, cancel, etc.)

Security

Permission Access Details
Security: All Security Admin Grants all ‘Security’ permissions; individual permissions are explained below.
Security: All Security Admin Read Grants all ‘Read’ permissions in ‘Security’; individual permissions are explained below.
Security Settings: Read Grants read-only access to Settings > Security Settings
Security Settings: Edit Grants edit access to Settings > Security Settings
Users: Read Grants read-only access to Users & Groups > Users
Users: Create Grants access to create new users or add users from another vault from Users & Groups > Users
Users: Edit Grants access to edit existing users from Users & Groups > Users
Users: Assign Group Grants access to assign users to groups from Users & Groups > Users
Users: Grant Support Login Grants permission to give Vault Support user account access for a specific user from Users & Groups > Users
Users: Delegate Admin Grants permission to give delegate access to another user’s account from Users & Groups > Users
Users: Add Cross-Domain Users Grants permission to add cross-domain users from Users & Groups > Users
Users: Manage User Object Grants ability to create, modify, and add User object records.
Groups: Read Grants read-only access to Users & Groups > Groups
Groups: Create Grants ability to create new groups from Users & Groups > Groups
Groups: Edit Grants ability to edit existing groups from Users & Groups > Groups
Groups: Delete Grants ability to delete existing groups from Users & Groups > Groups
Groups: Assign Users Grants ability to assign users to groups from Users & Groups > Groups
Security Profiles: Read Grants read-only access to Configuration > Security Profiles
Security Profiles: Create Grants ability to create new security profiles from Configuration > Security Profiles
Security Profiles: Edit Grants ability to edit existing security profiles from Configuration > Security Profiles
Security Profiles: Delete Grants ability to delete existing security profiles from Configuration > Security Profiles
Security Profiles: Assign Users Grants ability to assign users to a security profile from Users & Groups > Security Profiles; note that you must also have at least the same permissions as those associated with a security profile to assign users.
Permission Sets: Read Grants read-only access to Configuration > Permission Sets
Permission Sets: Create Grants ability to create new permission sets from Configuration > Security Profiles
Permission Sets: Edit Grants ability to edit existing permission sets from Configuration > Security Profiles
Permission Sets: Delete Grants ability to delete existing permission sets from Configuration > Security Profiles

Settings

Permission Access Details
Settings: All Settings Edit Grants edit permissions for all pages in Admin > Settings
Settings: All Settings Read Grants read-only permission for all pages in Admin > Settings
General Information: Read Grants read-only permission to the Settings > Help Settings page, as well as Vault Information, License Information, and API Information
General Information: Edit Grants edit permission to the Settings > Help Settings page, as well as Vault Information, License Information, and API Information
General Configuration: Read Grants read-only permission to the Settings > General Settings page
General Configuration: Edit Grants edit permission to the Settings > General Settings page
Checkout: Read Grants read-only permission to the Settings > Checkout Settings page
Checkout: Edit Grants edit permission to the Settings > Checkout Settings page
Versioning: Read Grants read-only permission to the Settings > Versioning Settings page
Versioning: Edit Grants edit permission to the Settings > Versioning Settings page
Branding: Read Grants read-only permission to the Settings > Branding Settings page
Branding: Edit Grants edit permission to the Settings > Branding Settings page
Language: Read Grants read-only permission to the Settings > Language Settings page
Language: Edit Grants edit permission to the Settings > Language Settings page
Application: Read Grants read-only permission to the Settings > Application Settings page
Application: Edit Grants edit permission to the Settings > Application Settings page
Renditions: Read Grants read-only permission to the Settings > Rendition Settings page
Renditions: Edit Grants edit permission to the Settings > Rendition Settings page

Deployment

Permission Access Details
Migration Packages: Create Grants ability to create new outbound Configuration Migration Packages from Admin > Deployment
Migration Packages: Deploy Grants ability to deploy Configuration Migration Packages from Admin > Deployment
Environment: Vault Configuration Report Grants ability to run a Vault Configuration Report from Admin > Deployment
Environment: Vault Comparison Grants ability to use Vault Compare from Admin > Deployment

Application Permissions

Access to certain Vault-area functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings in the Application tab of the Permission Sets page.

There are three layers of security applied to actions. First, you must have a license type that allows the action. For example, the Read-Only User license type does not allow access to reports. Second, you must have a permission set that grants the correct permission. For example, you would need the Read Dashboards and Reports permission to see any dashboard. Third, for document actions, you must have the correct document role-based permissions. For example, even with a permission set that grants the Bulk Update permission, you would also need the Edit Fields permission on any documents that you’re attempting to update in order to perform a bulk document field edit.

Vault Actions

Permission Access Details
Vault Actions: All Vault Actions Grants all ‘Vault Actions’ permissions; see details for individual permissions below.
Dashboards and Reports: All Grants all ‘Dashboard’ permissions; see details for individual permissions below.
Dashboards and Reports: Read Dashboards and Reports Grants permission to run any reports that other users have shared with you.
Dashboards and Reports: Create Dashboards Grants permission to create new dashboards and to edit any dashboards that you created or to which other users have given you the Editor role.
Dashboards and Reports: Delete Dashboards Grants permission to delete your own dashboards or dashboards to which other users have given you the Editor role.
Dashboards and Reports: Share Dashboards Grants permission to use the Share action on dashboards that you created or to which other users have given you the Editor role.
Dashboards and Reports: Schedule Reports Grants permission to use the Schedule action to schedule flash reports.
Dashboards and Reports: Administer Dashboards Grants permission to view and edit all dashboards, including dashboards created by another user who has not shared them; note that with this permission, a user may share and delete other users’ dashboards.
Workflow: All Workflow Grants all ‘Workflow’ permissions; see details below for individual permissions. Note that this does not include ‘Workflow Administration’ permissions.
Workflow: Start Grants permission to start workflows.
Workflow: Participate Grants permission to participate in workflows.
Workflow: Read and Understand Grants permission to participate in Read & Understood workflows.
Workflow: eSignature Grants permission to provide an eSignature as part of a workflow.
Workflow Administration: All Workflow Admin Grants all ‘Workflow Administration’ permissions; see details below for individual permissions. Note that this does not include ‘Workflow’ permissions.
Workflow Administration: Cancel Grants permission to cancel any workflow that you can see, even if you are not the workflow owner.
Workflow Administration: View Active Grants permission to view all active workflows, including those on which you are not a participant.
Workflow Administration: Reassign Grants permission to reassign workflow tasks that are currently assigned to other users, even if you are not the workflow owner.
Workflow Administration: Add Participant Grants permission to add a participant to a workflow, even if you are not the workflow owner.
Workflow Administration: Update Workflow Dates Grants permission to update all workflow dates or specific task due dates, even if you are not the workflow owner.
API: All API Grants all ‘API’ permissions; see details for individual permissions below.
API: Access API Grants basic permission to complete an API call.
API: Events API Grants access to the Events APIs, used in PromoMats vaults with CLM integration.
API: Metadata API Grants access to metadata APIs.
CrossLink: Create CrossLink Grants ability to create a CrossLink document if this functionality is available on your vault.
Object: Bulk Action Grants the ability to perform bulk object record updates; note that you’ll also need the correct object role-based permissions to update an object record.
User: Allow As A Delegate Grants the permission to allow a user to be selected as a delegate through the Delegated Access feature.
User: View User Information Grants the ability to view the name and identifying information of other users in this vault and to use the Send as Link action. Users without this permission may only see the names and identifying details of other users that share the same email domain. For example, Teresa, whose email is tibanez@veepharm.com, can see the user information of all @veepharm.com users, but she can’t see @medi-review.com users.
Audit Trail: View Grants ability to access the Audit Trail option for individual documents and object records through the actions menu; note that you must also have the appropriate role-based permissions to perform this action.
Audit Trail: Export Grants ability to export a document or object record audit trail; note that you must also have the Audit Trail > View permission before you can export.
FTP Staging: Access Grants ability to connect to the FTP staging server and download files extracted using Vault Loader (document source files and renditions). This permission does not grant the ability to upload files to the server or view directories created by other users.

Vault Owner Actions

Permission Access Details
Vault Owner Actions: Vault Loader Grants ability to see and use the Loader tab.
All Object Records: All Object Records Actions Grants access to all permissions in ‘All Object Records’; see details for individual permissions below.
All Object Records: All Object Record Read Grants view access to all object records, regardless of the record’s Sharing Settings.
All Object Records: All Object Record Edit Grants edit access (same as Owner role) to all object records, regardless of the record’s Sharing Settings.
All Object Records: All Object Record Delete Grants delete access to all object records, regardless of the record’s Sharing Settings.

Object Permissions

From the Objects tab, you can assign permission to view, create, edit, and delete object records at the object level. For example, a user could have full permissions to Study Site object records, Edit permission to Study records, Read access to Product records, and no access to Country records. From this tab, you can also set up field-level security on objects.

For each object, you can grant or remove the following permissions:

  • Read: Allows you to view records for the object; see details
  • Create: Allows you to create a new object record or to copy an existing record; allows you to access Admin > Business Admin. With this permission, Vault automatically grants Edit permission.
  • Edit: Allows you to edit an existing object record, including adding/deleting/versioning attachments; allows you to access Admin > Business Admin
  • Delete: Allows you to delete an existing object record

Granting these permissions for All Objects means that the permission set will automatically include the permissions for any object created in the future.

Dynamic Access Control

Note that Dynamic Access Control interacts with these settings to prevent users from viewing, editing, or deleting specific object records. If an object uses DAC, users must have both the appropriate permission through their security profile and access through the individual object record’s sharing settings. When creating a record, Vault only considers the user’s permission sets.

Tab Permissions

From the Tabs section, you can control what tabs a user can view. All standard and custom tabs can be configured here. If a user has the View permission on All Tabs, they can view newly created tabs by default.

About the Read Permission

Users must have the Read permission on an object to:

  • View a custom object tab
  • View an object tab in Business Admin
  • See object record details in a hover card
  • Select an object record when editing object fields
  • Create a report using a report type that includes the object
  • View results for a report using a report type that includes the object

Users without this permission can still view object record labels throughout Vault. For example, they can still search for documents using object fields for an object they cannot view.

EDC Permissions

EDC application vaults display a fifth section, EDC. This section lists permissions specific to the EDC application. For details, see About EDC Security Profiles.

Permission Access Details
Query: Close Query Grants ability to close a Query.
Query: Open Query Grants ability to open a manual Query.
Query: Answer Query Grants ability to answer open Queries.
Study Tools: Access Grants ability to access the EDC Tools study administration area.

Hidden or Missing Permissions

When you open a permission set, some of the permissions listed above will not appear. If a permission does not appear:

  • The permission is specific to another Vault application or another application family. For example, the permission is specific to RIM and you are in a Clinical vault.
  • The permission is related to a feature that is not enabled on your vault. Sometimes, permissions are hidden when the related feature is not enabled.
