About Permission Sets
In Vault, permission sets are a way to group permissions together. Security profiles then use the permission sets to grant or restrict users’ access to certain features, particularly system administration functions such as user management or object record creation. For example, the permission sets applied to the IT Administrator security profile allow users with that profile to manage users and groups, but not studies and sites.
Accessing Permission Set Configuration
To configure permission sets, you must have the Admin: Permission Sets: Read, Create, Edit, Delete permissions.
With the right access, you can manage permission sets from Admin* > Users & Groups > Permission Sets.
You can only grant permissions that you also have. For example, if you do not have any of the Vault Owner Actions section permissions, you cannot turn those permissions on when editing a permission set.
About ‘All’ Permissions
Throughout the permission sets configuration, there are permissions like All Configuration and All Audit. Granting these permissions gives users all permissions under them. However, this functions differently from simply selecting each sub-permission. If a future release of Vault adds new permissions to an area, permission sets with the ‘All’ permission will automatically select those new permissions.
About Permission Dependencies
Granting certain permissions automatically grants additional permissions. When editing, these dependent permissions will be greyed out as long as their controlling permission is selected.
For example, when you grant the Web Actions: Delete permission, you automatically grant the Web Actions: Edit permission.
Admin Permissions
Access to administrator-type functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings in the Admin tab of the Permission Sets page.
Note that in addition to license type, security profile, and permission set, some access is controlled by the Domain Admin user setting.
Configuration
| Permission | Access Details |
|---|---|
| Configuration: All Configuration | Grants all ‘Configuration’ permissions; individual permissions are explained below. |
| Configuration: All Configuration Read | Grants all ‘Read’ permissions in ‘Configuration’; individual permissions are explained below. |
| Email Settings: Read | Grants read-only permission to the Configuration > Email Settings page |
| Email Settings: Edit | Grants edit permission to the Configuration > Email Settings page |
| Login Message: Read | Grants read-only permission to the Configuration > Login Message page |
| Login Message: Edit | Grants edit permission to the Configuration > Login Message page |
| Business Admin Menu: Read | Grants read-only permission to Configuration > Business Admin Menu |
| Business Admin Menu: Edit | Grants edit permission to Configuration > Business Admin Menu |
| Picklist: Read | Grants read-only permission to the Business Admin > Picklist page |
| Picklist: Edit | Grants edit permission to the Business Admin > Picklist page |
| Tags: Read | Grants read-only permission to the Configuration > Document Tags page. |
| Tags : Edit | Grants edit permission to the Configuration > Document Tags page. |
| User Account Emails: Read | Grants read-only permission to the Configuration > User Account Emails page |
| User Account Emails: Edit | Grants edit permission to the Configuration > User Account Emails page |
| Lifecycle Colors: Read | Grants read-only permission to the Configuration > Lifecycle Colors page |
| Lifecycle Colors: Edit | Grants edit permission to the Configuration > Lifecycle Colors page |
| Searchable Objects: Read | Grants read-only permission to the Configuration > Searchable Objects page |
| Searchable Objects: Edit | Grants edit permission to the Configuration > Searchable Objects page |
| Tabs: Read | Grants read-only permission to the Configuration > Tabs page |
| Tabs: Create | Grants the ability to create new tabs in the Configuration > Tabs page |
| Tabs: Edit | Grants the ability to edit existing tabs in the Configuration > Tabs page |
| Tabs: Delete | Grants ability to delete existing tabs in the Configuration > Tabs page |
| Object Web Actions: Read | Grants read-only permission to the Configuration > Object Web Actions page |
| Object Web Actions: Create | Grants ability to create new actions in the Configuration > Object Web Actions page |
| Object Web Actions: Edit | Grants ability to edit existing actions in the Configuration > Object Web Actions page |
| Object Web Actions: Delete | Grants ability to delete actions in the Configuration > Object Web Actions page |
| Object Lifecycles: Read | Grants read-only permission to Configuration > Object Lifecycles, including all sub-pages (lifecycles, states, etc.) |
| Object Lifecycles: Create | Grants ability to create new items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc. |
| Object Lifecycles: Edit | Grants ability to edit existing items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc. |
| Object Lifecycles: Delete | Grants ability to delete existing items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc. |
| Object Workflows: Read | Grants read-only permission to Configuration > Object Workflows |
| Object Workflows: Create | Grants ability to create new workflows within Configuration > Object Workflows |
| Object Workflows: Edit | Grants ability to edit existing workflows within Configuration > Object Workflows |
| Object Workflows: Delete | Grants ability to delete existing workflows within Configuration > Object Workflows |
| Object Messages: Read | Grants read-only permission to Configuration > Object Messages |
| Object Messages: Create | Grants ability to create new messages within Configuration > Object Messages |
| Object Messages: Edit | Grants ability to edit existing messages within Configuration > Object Messages |
| Object Messages: Delete | Grants ability to delete existing messages within Configuration > Object Messages |
| Objects: Read | Grants read-only permission to Configuration > Objects |
| Objects: Create | Grants ability to create new objects within Configuration > Objects |
| Objects: Edit | Grants ability to edit existing objects within Configuration > Objects |
| Objects: Delete | Grants ability to delete existing objects within Configuration > Objects |
| Overlays: Read | Grants read-only permission to Business Admin > Overlays |
| Overlays: Create | Grants ability to create new overlay templates within Business Admin > Overlays |
| Overlays: Edit | Grants ability to edit existing overlay templates within Business Admin > Overlays |
| Report Types: Read | Grants read-only permission to Configuration > Report Types |
| Report Types: Create | Grants ability to create new report types within Configuration > Report Types |
| Report Types: Edit | Grants ability to edit existing report types within Configuration > Report Types |
| Report Types: Delete | Grants ability to delete existing report types within Configuration > Report Types |
| Signature Pages: Read | Grants read-only permission to Business Admin > Signature & Cover Pages |
| Signature Pages: Create | Grants ability to create new signature page templates within Business Admin > Signature & Cover Pages |
| Signature Pages: Edit | Grants ability to edit existing signature page templates within Business Admin > Signature & Cover Pages |
| Signature Pages: Delete | Grants ability to delete existing signature page templates within Business Admin > Signature & Cover Pages |
| Logs: All Audit | Grants ability to view all audit histories in Admin > Logs |
| Logs: System Audit | Grants ability to view System Audit History in Admin > Logs |
| Logs: Login Audit | Grants ability to view Login Audit History in Admin > Logs |
| Logs: Document Audit | Grants ability to view Document Audit History in Admin > Logs |
| Logs: Object Record Audit | Grants ability to view Object Record Audit History in Admin > Logs |
| Logs: Domain Audit | Grants ability to view Domain Audit History in Admin > Logs |
| Logs: Debug Log | Grants ability to view Debug Log in Admin > Logs. Note that no more than 20 users per vault can create debug logs. To inquire about Vault Java SDK solutions, contact Veeva Services. |
| Logs: API Usage | Grants ability to view API Usage Logs in Admin > Logs |
| Vault Java SDK: Read | Grants read permission on components using the Vault Java SDK. To inquire about Vault Java SDK solutions, contact Veeva Services. |
| Vault Java SDK: Create | Grants create permission on components using the Vault Java SDK. To inquire about Vault Java SDK solutions, contact Veeva Services. |
| Vault Java SDK: Edit | Grants edit permission on components using the Vault Java SDK. |
| To inquire about Vault Java SDK solutions, contact Veeva Services. | |
| Vault Java SDK: Delete | Grants delete permission on components using the Vault Java SDK. To inquire about Vault Java SDK solutions, contact Veeva Services. |
Domain Administration
Give careful consideration when granting the permissions below, as these allow control over all vaults in a multi-vault domain. Note that users must have the Domain Admin setting in addition to these permissions.
| Permission | Access Details |
|---|---|
| Domain Administration: All Domain Admin | Grants all permissions related to Domain Administration |
| Domain Administration: All Domain Admin Read | Grants read-only permissions to all Domain Administration areas |
| Domain Administration: Reset All Passwords | Grants permission to reset all user passwords. |
| Domain Information: Read | Grants read-only permission to Settings > Domain Information |
| Domain Information: Edit | Grants edit permission to Settings > Domain Information |
| SSO Settings: Read | Grants read-only permission to Settings > SAML Profiles |
| SSO Settings: Edit | Grants edit permission to Settings > SAML Profiles |
| Security Policies: Read | Grants read-only permission to Settings > Security Policies |
| Security Policies: Create | Grants permission to create new security policies in Settings > Security Policies |
| Security Policies: Edit | Grants permission to edit existing security policies in Settings > Security Policies |
| Network Access Rules: Read | Grants read-only permission to Settings > Network Access Rules |
| Network Access Rules: Create | Grants permission to create new network access rules in Settings > Network Access Rules |
| Network Access Rules: Edit | Grants permission to edit existing network access rules in Settings > Network Access Rules |
| Network Access Rules: Delete | Grants permission to delete existing network access rules in Settings > Network Access Rules |
| Permission | Access Details |
| Operations: All Operations | Grants all permissions for job scheduler |
| Operations: All Operations Read | Grants read-only permissions all areas of the Operations tab |
| Jobs: Read | Grants read-only access to Operations > Job Definitions |
| Jobs: Create | Grants ability to create new job definitions |
| Jobs: Edit | Grants ability to edit existing job definitions |
| Jobs: Delete | Grants ability to delete job definitions |
| Jobs: Interact | Grants ability to manage scheduled job instances (start, stop, cancel, etc.) |
Security
| Permission | Access Details |
|---|---|
| Security: All Security Admin | Grants all ‘Security’ permissions; individual permissions are explained below. |
| Security: All Security Admin Read | Grants all ‘Read’ permissions in ‘Security’; individual permissions are explained below. |
| Security Settings : Read | Grants read-only access to Settings > Security Settings |
| Security Settings : Edit | Grants edit access to Settings > Security Settings |
| Users: Read | Grants read-only access to Users & Groups > Users |
| Users: Create | Grants access to create new users or add users from another vault from Users & Groups > Users |
| Users: Edit | Grants access to edit existing users from Users & Groups > Users |
| Users: Assign Group | Grants access to assign users to groups from Users & Groups > Users |
| Users: Grant Support Login | Grants permission to give Vault Support user account access for a specific user from Users & Groups > Users |
| Users: Delegate Admin | Grants permission to give delegate access to another user’s account from Users & Groups > Users |
| Users : Add Cross-Domain Users | Grants permission to add cross-domain users from Users & Groups > Users |
| Users: Manage User Object | Grants ability to create, modify, and add User object records. |
| Groups: Read | Grants read-only access to Users & Groups > Groups |
| Groups: Create | Grants ability to create new groups from Users & Groups > Groups |
| Groups: Edit | Grants ability to edit existing groups from Users & Groups > Groups |
| Groups: Delete | Grants ability to delete existing groups from Users & Groups > Groups |
| Groups: Assign Users | Grants ability to assign users to groups from Users & Groups > Groups |
| Security Profiles: Read | Grants read-only access to Configuration > Security Profiles |
| Security Profiles: Create | Grants ability to create new security profiles from Configuration > Security Profiles |
| Security Profiles: Edit | Grants ability to edit existing security profiles from Configuration > Security Profiles |
| Security Profiles: Delete | Grants ability to delete existing security profiles from Configuration > Security Profiles |
| Security Profiles: Assign Users | Grants ability to assign users to a security profile from Users & Groups > Security Profiles; note that you must also have at least the same permissions as those associated with a security profile to assign users. |
| Permission Sets: Read | Grants read-only access to Configuration > Permission Sets |
| Permission Sets: Create | Grants ability to create new permission sets from Configuration > Security Profiles |
| Permission Sets: Edit | Grants ability to edit existing permission sets from Configuration > Security Profiles |
| Permission Sets: Delete | Grants ability to delete existing permission sets from Configuration > Security Profiles |
Settings
| Permission | Access Details |
|---|---|
| Settings: All Settings Edit | Grants edit permissions for all pages in Admin > Settings |
| Settings: All Settings Read | Grants read-only permission for all pages in Admin > Settings |
| General Information: Read | Grants read-only permission to the Settings > Help Settings page, as well as Vault Information, License Information, and API Information |
| General Information: Edit | Grants edit permission to the Settings > Help Settings page, as well as Vault Information, License Information, and API Information |
| General Configuration: Read | Grants read-only permission to the Settings > General Settings page |
| General Configuration: Edit | Grants edit permission to the Settings > General Settings page |
| Checkout: Read | Grants read-only permission to the Settings > Checkout Settings page |
| Checkout: Edit | Grants edit permission to the Settings > Checkout Settings page |
| Versioning: Read | Grants read-only permission to the Settings > Versioning Settings page |
| Versioning: Edit | Grants edit permission to the Settings > Versioning Settings page |
| Branding: Read | Grants read-only permission to the Settings > Branding Settings page |
| Branding: Edit | Grants edit permission to the Settings > Branding Settings page |
| Language: Read | Grants read-only permission to the Settings > Language Settings page |
| Language: Edit | Grants edit permission to the Settings > Language Settings page |
| Application: Read | Grants read-only permission to the Settings > Application Settings page |
| Application: Edit | Grants edit permission to the Settings > Application Settings page |
| Renditions: Read | Grants read-only permission to the Settings > Rendition Settings page |
| Renditions: Edit | Grants edit permission to the Settings > Rendition Settings page |
Deployment
| Permission | Access Details |
|---|---|
| Migration Packages: Create | Grants ability to create new outbound Configuration Migration Packages from Admin > Deployment |
| Migration Packages: Deploy | Grants ability to deploy Configuration Migration Packages from Admin > Deployment |
| Environment: Vault Configuration Report | Grants ability to run a Vault Configuration Report from Admin > Deployment |
| Environment: Vault Comparison | Grants ability to use Vault Compare from Admin > Deployment |
Application Permissions
Access to certain Vault-area functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings in Application tab of the Permission Sets page.
There are three layers of security applied to actions. First, you must have a license type that allows the action. For example, the Read-Only User license type does not allow access to reports. Second, you must have a permission set that grants the correct permission. For example, you would need the Read Dashboards and Reports permission to see any dashboard. Third, for document actions, you must have the correct document role-based permissions. For example, even with a permission set that grants the Bulk Update permission, you would also need the Edit Fields permission on any documents that you’re attempting to update in order to perform a bulk document field edit.
Vault Actions
| Permission | Access Details |
|---|---|
| Vault Actions: All Vault Actions | Grants all ‘Vault Actions’ permissions; see details for individual permissions below. |
| Dashboards and Reports: All | Grants all ‘Dashboard’ permissions; see details for individual permissions below. |
| Dashboards and Reports: Read Dashboards and Reports | Grants permission to run any reports that other users have shared with you. |
| Dashboards and Reports: Create Dashboards | Grants permission to create new dashboards and to edit any dashboards that you created or to which other users have given you the Editor role. |
| Dashboards and Reports: Delete Dashboards | Grants permission to delete your own dashboards or dashboards to which other users have given you the Editor role. |
| Dashboards and Reports: Share Dashboards | Grants permission to use the Share action on dashboards that you created or to which other users have given you the Editor role. |
| Dashboards and Reports: Schedule Reports | Grants permission to use the Schedule action to schedule flash reports. |
| Dashboards and Reports: Administer Dashboards | Grants permission to view and edit all dashboards, including dashboards created by another user who has not shared them; note that with this permission, a user may share and delete other users’ dashboards. |
| Workflow: All Workflow | Grants all ‘Workflow’ permissions; see details below for individual permissions. Note that this does not include ‘Workflow Administration’ permissions. |
| Workflow: Start | Grants permission to start workflows. |
| Workflow: Participate | Grants permission to participate in workflows. |
| Workflow: Read and Understand | Grants permission to participate in Read & Understood workflows. |
| Workflow: eSignature | Grants permission to provide an eSignature as part of a workflow. |
| Workflow Administration: All Workflow Admin | Grants all ‘Workflow Administration’ permissions; see details below for individual permissions. Note that this does not include ‘Workflow’ permissions. |
| Workflow Administration: Cancel | Grants permission to cancel any workflow that you can see, even if you are not the workflow owner. |
| Workflow Administration: View Active | Grants permission to view all active workflows, including those on which you are not a participant. |
| Workflow Administration: Reassign | Grants permission to reassign workflow tasks that are currently assigned to other users, even if you are not the workflow owner. |
| Workflow Administration: Add Participant | Grants permission to add a participant to a workflow, even if you are not the workflow owner. |
| Workflow Administration: Update Workflow Dates | Grants permission to update all workflow dates or specific task due dates, even if you are not the workflow owner. |
| API: All API | Grants all ‘API’ permissions; see details for individual permissions below. |
| API: Access API | Grants basic permission to complete an API call. |
| API: Events API | Grants access to the Events APIs, used in PromoMats vaults with CLM integration. |
| API: Metadata API | Grants access to metadata APIs. |
| CrossLink: Create CrossLink | Grants ability to create a CrossLink document if this functionality is available on your vault. |
| Object: Bulk Action | Grants the ability to perform bulk object record updates; note that you’ll also need the correct object role-based permissions to update an object record. |
| User: Allow As A Delegate | Grants the permission to allow a user to be selected as a delegate through the Delegated Access feature. |
| User: View User Information | Grants the ability to view the name and identifying information of other users in this vault and to use the Send as Link action. Users without this permission may only see the names and identifying details of other users that share the same email domain. For example, Teresa, whose email is tibanez@veepharm.com can see the user information of all @veepharm.com users, but she can’t see @medi-review.com users. |
| Audit Trail: View | Grants ability to access the Audit Trail option for individual documents and object records through the actions menu; note that you must also have the appropriate role-based permissions to perform this action. |
| Audit Trail: Export | Grants ability to export a document or object record audit trail; note that you must also have the Audit Trail > View permission before you can export. |
| FTP Staging : Access | Grants ability to connect to the FTP staging server and download files extracted using Vault Loader (document source files and renditions). This permission does not grant the ability to upload files to the server or view directories created by other users. |
| Permission | Access Details |
| Vault Owner Actions: Vault Loader | Grants ability to see and use the Loader tab. |
| All Object Records: All Object Records Actions | Grants access to all permissions in ‘All Object Records’; see details for individual permissions below. |
| All Object Records: All Object Record Read | Grants view access to all object records, regardless of the record’s Sharing Settings. |
| All Object Records: All Object Record Edit | Grants edit access (same as Owner role) to all object records, regardless of the record’s Sharing Settings. |
| All Object Records: All Object Record Delete | Grants delete access to all object records, regardless of the record’s Sharing Settings. |
Object Permissions
From the Objects tab, you can assign permission to view, create, edit, and delete object records at the object level. For example, a user could have full permissions to Study Site object records, Edit permission to Study records, Read access to Product records, and no access to Country records. From this tab, you can also set up field-level security on objects.
For each object, you can grant or remove the following permissions:
- Read: Allows you to view records for the object; see details
- Create: Allows you to create new object record or to copy an existing record; allows you to access Admin > Business Admin. With this permission, Vault automatically grants Edit permission.
- Edit: Allows you to edit an existing object record, including adding/deleting/versioning attachments; allows you to access Admin > Business Admin
- Delete: Allows you to delete an existing object record
Granting these permissions for All Objects means that the permission set will automatically include the permissions for any object created in the future.
Dynamic Access Control
Note that Dynamic Access Control interacts with these settings to prevent users from viewing, editing, or deleting specific object records. If an object uses DAC, users must have both the appropriate permission through their security profile and access through the individual object record’s sharing settings. When creating a record, Vault only considers the user’s permission sets.
Tab Permissions
From the Tabs section, you can control what tabs a user can view. All standard and custom tabs can be configured here. If a user has the View permission on All Tabs, they can view newly created tabs by default.
About the Read Permission
Users must have the Read permission on an object to:
- View a custom object tab
- View an object tab in Business Admin
- See object record details in a hover card
- Select an object record when editing object fields
- Create a report using a report type that includes the object
- View results for a report using a report type that includes the object
Users without this permission can still view object record labels throughout Vault. For example, they can still search for documents using object fields for an object they cannot view.
EDC Permissions
EDC application vaults display a fifth section, EDC. This section lists permissions specific to the EDC application. For details, see About EDC Security Profiles.
| Permission | Access Details |
|---|---|
| Query: Close Query | Grants ability to close a Query. |
| Query: Open Query | Grants ability to open a manual Query. |
| Query: Answer Query | Grants ability to answer open Queries. |
| Study Tools: Access | Grants ability to access the EDC Tools study administration area. |
Hidden or Missing Permissions
When you open a permission set, some of the permissions listed above will not appear. If a permission does not appear:
- The permission is specific to another Vault application or another application family. For example, the permission is specific to RIM and you are in a Clinical vault.
- The permission is related to a feature that is not enabled on your vault. Sometimes, permissions are hidden when the related feature is not enabled.
Last Updated: