About License Types & Security Profiles


In Vault, each user has an assigned license type and security profile. Each security profile has one or more permission sets. The license type is the first level of access control that vault applies to a user. Permission sets, applied through the user’s security profile, are the second level of access control. Both the license type and permission set must grant access to a user in order for that user to access the functionality. Other access control for a user is based on Dynamic Access Control settings for individual object records.

Admins must have a permission set that grants the Admin: Users: Edit permission to change a user’s license type or security profile. 

License Types

Vault includes the following license types:

  • Full Users are the most common license type. Their license type does not block access to any functionality; these may be regular users or administrators. This is the only license type that allows a user to access Admin functionality.
  • Read-only Users have extremely limited access; these users can only view documents (including annotations), download documents, and participate in Read & Understood workflows. They cannot receive notifications unless the notifications are sent through a non-Read & Understood workflow. They cannot access reports or dashboards.
  • External Users are users outside your company who have slightly limited access; these users have most functionality, but cannot use reports, use dashboards, or perform bulk actions. Note that the domain in the user’s email address cannot match the vault’s licensing domain.

Application License Types

Some vaults use multiple applications, for example, a CDMS vault with EDC and Coder. In these vaults, users have an Application License Type for each application they can access in addition to their License Type. Application License Type lets the system track available licenses at the application level but does not control a user’s access in the vault. A single user assigned to three (3) applications will use three licenses, not one (1).

When assigning the Application License Type for a user, you cannot select a type with greater permissions than those granted by the selected License Type.

License Type Available Application License Types
Full User Full User, External User, Read Only User
External User External User, Read Only User
Read Only User Read Only User

Security Profiles

Security profiles are how Vault applies permission sets to individual users. Each profile has one or more associated permission sets.

Standard Security Profiles & Permission Sets

Vault includes several standard security profiles and associated permission sets. Each of these corresponds to a Vault user type from the previous releases and grants the same access as the user type. These are not editable, but Admins may disable them if needed.

There are several other standard security profiles (listed below) available in your vault as part of the Vault Platform. We recommend that you only use the security profiles listed for each application (EDC and Coder) or custom security profiles, as these standard profiles may not have functional access to EDC and Coder.

Security Profile Permission Set Description
Security Profile Permission Set Description
Document User Full User Actions This profile grants full non-administrator application access (reports, workflows, etc.), but does not grant access to the Admin area or to administrator actions (bulk update, merge anchors, create CrossLinks, etc.) in the Vault area.
Read-Only User Read-Only User Actions Permissions for this profile align with the Read-only Users license type access.
External User External User Actions Permissions for this profile align with the External User license type access.
Business Administrator Business Administrator Actions This profile grants “read” access to most parts of the Admin area, edit access to some areas (create/edit/delete overlays, assign users to groups, etc.), and full access to all object records. The profile provides access many of the administrator actions in the Vault area (bulk update, merge anchors, create CrossLinks, etc.), but prevents access to some actions (cancel checkout, make saved views mandatory, “Vault Owner Actions,” etc).
System Administrator System Administrator Actions This profile grants “read” access to all of the Admin area, edit access to all areas except Security Settings, and full access to all object records. The profile provides access to all of the administrator actions in the Vault area except those under “Vault Owner Actions” (All Document Read, Power Delete, etc.).
Vault Owner Vault Owner Actions This profile grants edit access to all of the Admin area (including domain settings) and full access to all object records. (Note that users must also have the Domain Admin user profile setting to manage domain settings.) The profile provides access to all of the administrator actions in the Vault area including those under “Vault Owner Actions” (All Document Read, Power Delete, etc.).
Legal User Legal Actions This profile grants read, create, edit, and delete permission to records in the Legal Hold object. Users with this profile can apply and remove legal holds on documents. Users with this profile must have document role permissions to perform Legal Actions.
Document User Full User Actions This profile grants full non-administrator application access (reports, workflows, etc.), but does not grant access to the Admin area or to administrator actions (bulk update, merge anchors, create CrossLinks, etc.) in the Vault area.
Read-Only User Read-Only User Actions Permissions for this profile align with the Read-only Users license type access.
External User External User Actions Permissions for this profile align with the External User license type access.
Business Administrator Business Administrator Actions This profile grants “read” access to most parts of the Admin area, edit access to some areas (create/edit/delete overlays, assign users to groups, etc.), and full access to all object records. The profile provides access many of the administrator actions in the Vault area (bulk update, merge anchors, create CrossLinks, etc.), but prevents access to some actions (cancel checkout, make saved views mandatory, “Vault Owner Actions,” etc).
System Administrator System Administrator Actions This profile grants “read” access to all of the Admin area, edit access to all areas except Security Settings, and full access to all object records. The profile provides access to all of the administrator actions in the Vault area except those under “Vault Owner Actions” (All Document Read, Power Delete, etc.).
Vault Owner Vault Owner Actions This profile grants edit access to all of the Admin area (including domain settings) and full access to all object records. (Note that users must also have the Domain Admin user profile setting to manage domain settings.) The profile provides access to all of the administrator actions in the Vault area including those under “Vault Owner Actions” (All Document Read, Power Delete, etc.).
Legal User Legal Actions This profile grants read, create, edit, and delete permission to records in the Legal Hold object. Users with this profile can apply and remove legal holds on documents. Users with this profile must have document role permissions to perform Legal Actions.