Study Access in Vault CDMS
Vault CDMS leverages the Vault Platform to control user access. In addition to configuring account-level access, User Administrators can manage user access at the Study level.
Role by Study Security
Vault CDMS offers a security model allowing users to have different roles in different studies. This model leverages the Application Role object to define user access at the object level (in this case, the Study object), instead of at the account level. Your Application Role extends your permissions granted by your Security Profile. Together, these make up your Study Role.
You can learn more about dynamic access control here. To see a list of standard Application Roles and their permissions available with the CDMS Role by Study feature, see Managing CDMS Application Roles. See Vault EDC Security Profiles and Vault Coder Security Profiles a list of standard Security Profiles and Permissions Sets.
Once you have an account on a vault, your access is then controlled by your Security Profile. Your Security Profile then grants certain permissions via Permission Sets. If CDMS Role by Study is not enabled in your vault, Permission Sets are the primary method of access control.
Access Control Levels
Access control in Vault CDMS is hierarchical. As permissions move through the levels of access control, the next permission level overwrites the previous. For example, if a Permission Set allows Read permission on the Protocol Deviation object, but then an Application Role removes Read permission on that object, users with that Application Role will not be able to view the Protocol Deviation object, even if their Permission Set allows it.
Access by Study
The permissions granted by a user’s Security Profile apply at the vault-level. Permissions granted by a user’s Application Role apply at the Study level. A single user can have a different role in each different study they have access to. For example, Lateef may have the CDMS Data Manager application role in the Deetoza study, allowing him to perform various data management tasks, but in the Veeofen study, he only has read-only permissions via the CDMS Auditor (Read Only) application role.
To control user access, you must have the Vault Owner (no Application Role required) or the CDMS User Administrator security profile and the User Administrator application role (in vaults where Role by Study is enabled).
- You can create user accounts from Admin > Users & Groups, EDC Tools > Users, or by using Vault Loader.
- You can give users a role on a Study from EDC Tools > Users. See Managing Study User Access in EDC Tools for details.
Migrating from the Original Model to Role by Study
Once Veeva Support enables the CDMS Role by Study feature in your vault, you can migrate your existing Users to the new Security Profiles and Application Roles. You can edit these from Tools > EDC Tools > Users or Admin > Users & Groups. (Note that any cross-domain users must have these changes made in their home domain.)
Application Role Mapping
The table below maps the original Application Roles to their corresponding Role by Study Application Roles.
|Original Application Role||Role by Study Application Role|
|EDC Investigator||CDMS Principal Investigator (Able to provide signatures),
CDMS Sub Investigator (Not able to provide signatures)
|EDC Reviewer||CDMS Auditor (Read Only)|
|EDC Clinical Research Coordinator||CDMS Clinical Research Coordinator|
|EDC CRA, EDC Lead CRA||CDMS Clinical Research Associate|
|EDC Data Manager||CDMS Data Manager|
|EDC Lead Data Manager||CDMS Lead Data Manager|
|EDC Clinical Coder||CDMS Clinical Coder|
|N/A||CDMS Clinical Coder Administrator (New with Role by Study)|
|N/A||CDMS Study Designer (New with Role by Study)|
|N/A||CDMS User Administrator (New with Role by Study)|
Learn more about CDMS Study Roles.