Manage Case Access Group Security

Learn how to manage Access Groups that control team members’ ability to view and edit Inbox Items and Cases, as well as unblinded information.

About Case Access Group Security

With Case Access Group Security, you assign individuals to groups and roles and have granular control over security for unblinded and personally identifiable information (PII). For each Access Group, you set up which Inbox Items and Cases are visible to the group based on such factors as region, report type, market segment, country, and organization. Users are then given a role on each group as applicable.

Some example use cases are creating Access Groups based on the following:

Origin of the Case, for example, EMA, MHRA, Partner
Product Type, for example, Cosmetics, Drugs
Lifecycle state, for example, users with access to specific Domestic and Localized Cases can only see Global Cases in the Approved state

For managing sensitive information, Case Access Group Security enables hiding only the fields that contain unblinded information and letting all other fields be viewable and editable. This is useful in such situations as follows:

Surfacing Case Product data when doing so would not harm the integrity of the Study (for example, Concomitant or Standard of Care products)
Allowing some team members to see and edit non-sensitive fields on blinded Products, while sensitive fields (such as Product, Lot Number) remain protected
Allowing some team members to see and edit all fields on non-Study Products with a Drug Role of Concomitant or External

To ensure Case Access Groups provide the simplest and most effective security solutions, contact Veeva Managed Services for a consultation.

Note: When using Case Access Groups, you cannot assign roles as part of a workflow. Strict Inbox Item Locking or Strict Case Locking should be used instead.

Prerequisites

Consider the following prerequisites for setting up Case Access Groups:

You have consulted with Veeva Managed Services about your needs and received their recommendations for Case Access Group setup.
Your Admin must have enabled Case Access Group Security.

How Vault Matches Cases to Case Access Groups

For Inbox Items and Cases, Vault grants access to the Case Access Group that is the most specific match, based on the following criteria:

Sponsor
Country
Report Type
Study Type
Study
Origin
Intake Method and Format
Market Segment

For criteria that your organization doesn’t need to match against, leave those fields blank. Vault considers blank values to mean “Any” when matching. The result is that you can set up fewer Case Access Group Assignment Rules.

Note: To match based on Intake Type, both the Intake Format and Intake Method fields must be populated.

If you have configured your Vault to display Inbound Transmission records on Inbox Items and Cases and enabled the Case Access Group and Case Access Group Assignment Reason fields on the record, they provide details on which Case Access Group was assigned to a Case and why.

Case Access Group Examples

See the following diagrams that illustrate Vault’s selection of the most specific Case Access Group.

CASE 000001

CASE 000002

Case Access Group Assignment Fields

The following table shows how Vault matches the fields on the Case Access Group Assignment record to the fields on the Inbox Item and Case.

Case Access Group Assignment Field	Inbox Item	Case
Sponsor (`sponsor__v`)	Organization (`organization__v`)	Organization (`organization__v`)
Report Type (`report_type__v`)	Report Type (`report_type__v`)	Report Type (`report_type__v`)
Country (`country__v`)	Country (`country__v`)	Reporter Country (`reporter_country__v`) If the Reporter Country field is blank, Vault matches to Event Country (`event_country__v`)
Study (`study__v`)	Study (`study__v`)	Study (`study__v`)
Study Type (`study_type__v`)	(`study__v.study_type__v`)	Study Type (`study_product_reason__v`)
Origin (`origin__v`)	(`inbound_transmission.origin__v`)	(`inbound_transmission.origin__v`)
Intake Format (`intake_format__v`)	Intake Format (`intake_format__v`)	Intake Format (`intake_format__v`)
Intake Method (`intake_method__v`)	Intake Method (`intake_method__v`)	Intake Method (`intake_method__v`)
Market Segment (`market_segment__v`)	Market Segment (`market_segment__v`)	Market Segment (`market_segment__v`)

Application Roles and Case Access Group Security

While each user is assigned an application role to control their access to Case-related data and workflows at an organization level, with Case Access Groups you can control access to personally identifiable information (PII) and unblinded information at the object and field levels.

For each Case Access Group a team member is assigned to, you specify their application role within that group. When they are processing Cases for the associated Access Group, that application role determines their role on the Case. This enables you, for example, to give a Case Processor the ability to view unblinded information for some product types and sponsors, when they do not have access to view that information at the organization level. Follow your organization’s process when assigning roles.

Note: When assigning access to Case Product Registration values, Vault considers the user’s role across both Global and Localized Cases and grants the more permissive role. For example, if the user has the Editor role on Localized Cases and the Viewer role on Global Cases, they will have the Editor role on Case Product Registration values.

Vault Safety maps the user’s application role from the parent record to all child records. This means, for example, that if a user is a Viewer on a Case, they will also be a Viewer on all of the Case child records. Their access to PII and unblinded information is also mapped to the child records.

System-managed roles for Case Access Groups include the following:

Viewer
Editor
PII Unmasked
Study Unmasked

Note: Assigning users to the appropriate role is part of the consultation with Veeva Managed Services.

System-Provided Case Access Groups

We recommend assigning team members to your organization’s custom Case Access Groups. However, Vault Safety also includes system-provided groups. The following table describes the default Case Access Groups, along with their access, benefits, and limitations.

Case Access Group	Access	Benefit	Limitation
General Access Group	Inbox Items and Cases assigned to the General Access Group and with no Case Access Group assignment are visible to members of this group.	This may be beneficial for organizations where all users have access to all Cases.	Cases accessible to this group may be difficult to predict. We recommend against using this group for team members who should have limited access to Inbox Items and Cases. This includes, for example, Sponsor users in a Contract Research Organization (CRO) Vault.
All Access Group	All Inbox Items and Cases are visible to members of this group. Cases are never assigned to this Case Access Group.	Available for senior staff who should have access to all Inbox Items and Cases.	We recommend against using this group for CROs, since it could result in an individual accessing Cases across all Sponsors.

Case Access Group

Access

Benefit

Limitation

General Access Group

Inbox Items and Cases assigned to the General Access Group and with no Case Access Group assignment are visible to members of this group.

This may be beneficial for organizations where all users have access to all Cases.

Cases accessible to this group may be difficult to predict.

We recommend against using this group for team members who should have limited access to Inbox Items and Cases. This includes, for example, Sponsor users in a Contract Research Organization (CRO) Vault.

All Access Group

All Inbox Items and Cases are visible to members of this group. Cases are never assigned to this Case Access Group.

Available for senior staff who should have access to all Inbox Items and Cases.

We recommend against using this group for CROs, since it could result in an individual accessing Cases across all Sponsors.

Add Case Access Groups

Complete the following steps to add Case Access Groups:

Go to Business Admin > Objects > Case Access Groups.
Select Create.
In the Details section, enter a Group Name and API Name.
Select Save.

Create Case Assignment Rules

Within a Case Access Group, you can create as many Case Assignment Rules as required. We recommend using the simplest configurations whenever possible.

Sponsor is the only required field on a Case Assignment Rules record.

In the selected Case Access Group, in the Case Assignment Rules section, select Create.
Complete the Create Case Access Group Assignment fields.
Select Save.

Field	Description
Access Group	This is populated by Vault based on the associated Case Access Group.
Sponsor	Select the Organization for Inbox Items and Cases that will be accessible to the selected Case Access Group.
Report Type	(Optional) Select a Report Type from the picklist.
Country	(Optional) Select a Country from the picklist.
Origin	(Optional) Select the sending organization for a given case. For example, select EMA to limit the Case Access Group to Cases downloaded from EudraVigilance.
Intake Format	(Optional) Select an intake format from the picklist. Note: When using Intake Format as a matching criteria, the Intake Method field must also be used.
Intake Method	(Optional) Select an intake method from the picklist. Note: When using Intake Method as a matching criteria, the Intake Format field must also be used.
Study Type	(Optional) Select a Study Type from the picklist.
Study	(Optional) Select a Study from the dropdown list.
Market Segment	(Optional) Select the Market Segment associated with the Study for Study Cases or the primary Product for postmarket Cases.

Create User Access Group Assignments

Within a Case Access Group, you can assign as many users to the Access Group as required. You can also set up a single user with multiple roles by creating multiple User Access Group Assignment records.

In the selected Case Access Group, in the User Access Group Assignment section, select Create.
Complete the Create User Access Group Assignment fields.
Select Save.

Field	Description
User	Select a user from the dropdown list.
Role	Select the applicable Role for the user on Cases within the selected Case Access Group. Users with multiple roles will require multiple User Access Group Assignment records.
User Blinded	Select whether the user should have access to unblinded information for Cases within the selected Case Access Group.
PII Access	Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group.
Localization	Select the Localization for the user on Cases within the Case Access Group. Consider the following when completing this field: Entering a specific Localization will give the user complete access to all Cases in that Localization and read-only access to all Inbox Items and Global Cases. Entering "Global" will give the user complete access to all Global and Localized Cases. Leaving the field blank will not give the user access to any Localized Cases, but they will have complete access to all Inbox Items and Global Cases.
Country	Select a country from the picklist.
Subject Information Review	Select whether the user should have access to subject information for Cases with SAEs received from the Safety-EDC Vault Connection.

User Access to Transmissions

The Localization setting on User Access Group Assignments controls user access to Inbound Transmission and Transmission records.

To grant access to Inbound Transmission records, the user’s User Access Group Assignment Localization setting must match the Localization field of the Case linked on the Inbound Transmission record. If no Case exists, Vault Safety considers the Localization field of the associated Inbox Item.

To grant access to Transmission records, the user’s User Access Group Assignment Localization setting must match the Localization field of the Localized Case linked on the Transmission record.

Manage Case Assignment Teams

In scenarios where the Case volume demands more management and Case processing effort, Case Assignment Teams can be used.

A Case Assignment Team consists of a group of users, typically with a team leader, that manages a subset of Cases. The subset can be based on certain Case types (for example, Study Cases), Country, or localization-specific Cases. Or, it can simply be a division of volume. You can add multiple Case Assignment Teams to a Case Access Group.

Once a Case Access Group is set on the Case, a user can then select a Case Assignment Team within this access group, after considering the Intake or Case Processing task. Edit access to the Case Assignment Team field can be restricted with field permissions.

Afterwards, there are two (2) assignment options:

Team Assignment: The team leader assigns the Case to a team member.
Manual Assignment: A team member assigns the Case to themselves.

These assignments can also be restricted using permissions. Once an Inbox Item or Case is assigned to a user, it is locked. See Strict Inbox Item Locking and Strict Case Locking for more information.

On the Inbox Item and Case tab of the user side of your Vault, team leaders and members can filter or create an Inbox Item View or Case View to display only Inbox Items and Cases assigned to their Case Assignment Team or to themselves.

Note: To assign a Case Assignment Team, an Access Group must first be set on the Case.

Prerequisites

Before adding Case Assignment Teams, you must enable Case Assignment.

Create a Case Assignment Team

Follow the steps below to create Case Assignment Teams:

Go to Business Admin > Objects > Case Assignment Teams and select Create.
Complete the following information:
- Name: Enter a name for this Case Assignment Team.
- Status: Ensure this field is set to Active.
- Case Access Group: Select a Case Access Group from the picklist.
- Team Leader: (Optional) Select a user to be the team leader. This user can assign team members to Inbox Items and Cases.
Save the page. Once you save the page, additional sections appear.
Expand the Team Members section and select Add. A Search: User window appears.
Select the users you want to add to add to this Case Assignment Team. You can select multiple users at once and filter for a more specific list.
Select OK.

When a user is added to or removed from a Case Assignment team, Vault updates the Total Team Members field in the Team Capacity section. Vault also updates the Team Caseload field when a team member on the Case Assignment Team is assigned a new Inbox Item or Case.

Note: Team Caseload is updated only when a team member is assigned to the Case or Inbox Item, not when a Case Assignment Team is assigned.

Similarly, Vault updates the User Current Caseload field on the Business Admin > User Assignment Attributes records when a user is assigned to an Inbox Item or Case.

Inbox Items and Cases in a Completed state (for example, Promoted) do not count towards the Team Caseload or User Current Caseload. To view and edit the Completed Case states, go to Admin > Security > Safety General Settings > Case Completed field. Inbox item Completed states include Promoted and Rejected, which cannot be edited.

The Inbox Items and Cases that are assigned to this team or to a member of this team are listed in the Team Inbox Items and Team Cases sections, respectively. You can also create an Inbox Item and Case by expanding these sections and selecting Create. These records will automatically be assigned to this Case Assignment Team.

After saving the record, you can find this Case Assignment Team linked in the specified Case Access Group under the Case Assignment Teams section.

Manage Case Access Groups for Case Assignment Teams

Go to Business Admin > Objects > Case Access Groups and select a Case Access Group.

When you create a Case Assignment Team, the record is automatically linked in the specified Case Access Group under the Case Assignment Teams section. You can also create new Case Assignment Teams for this Case Access Group from this section.

In the Details section, select an option for the Role Assignment Method field:

Value	Description
All Users in Access Group	Grants all users in this Case Access Group edit access to the Inbox Item or Case.
Users on Assigned Team	Grants only users in the assigned Case Assignment Team edit access to the Inbox Item or Case.

Note: You cannot populate the Role Assignment Method field for the All Access or General Access groups.

How Vault Grants Case Access

Scenario 1: The Inbox Item or Case has an assigned Case Assignment Team

Vault checks the Role Assignment Method field value for this Access Group.

If the Role Assignment Method is set to Users on Assigned Team, Vault grants the following permissions:
- Team members in the set Case Assignment Team have edit access and can be assigned to the Inbox Item or Case.
- Users in the set Access Group that are not assigned to any teams have edit access and can be assigned to the Inbox Item or Case.
- Users in this Case Access Group but not on this team are granted viewer access.
If the Role Assignment Method is set to All Users in Access Group or is left blank, Vault defaults to existing Case Access Group security behaviour.

Scenario 2: The Inbox Item or Case has no assigned Case Assignment Team

If the Case Assignment Team field is not set on the Inbox Item or Case, Vault defaults to existing Case Access Group security behavior.

Strict Inbox Item Locking

Similar to strict Case locking, users can be prevented from editing an Inbox Item unless they are assigned to that Inbox Item in the Assigned To field (this field may appear as “Locked By User”, depending on your Admin’s configuration).

Once this field is set, the Inbox Item is considered locked and assigned to that user only.

For Case Assignment Teams, the team leader and team members use this field for user assignment. However, you do not need to enable Case Assignment Teams to use this field.

To use strict Inbox Item locking, your Admin must add this field to the Inbox Item layout and grant object lifecycle permissions.

Assign Case Access Groups and Roles to User Records

In addition to assigning users to Case Access Groups through Case Access Group records, you can assign users to Case Access Groups through User records.

For each user, add as many User Access Group Assignments as required. On each record, you define the user’s role on Cases, as well as their access to unblinded and protected information and the countries they work in, if applicable. You can also set up a single user with multiple roles in a Case Access Group by creating multiple User Access Group Assignment records.

Go to Business Admin > Objects > Users > [user].
In the Case Access Group Assignment section, select Create.
Complete the Create User Access Group Assignment fields.
Select Save.

Field	Description
User	This field is populated by Vault.
Access Group	Select a Case Access Group from the picklist.
Role	Select a Role from the picklist. This role is applied each time the user interacts with Cases for the Case Access Group.
User Blinded	Select whether the user should have access to unblinded information for Cases within the selected Case Access Group.
PII Access	Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group.
Localization	Select the Localization for the user on Cases within the Case Access Group. Consider the following when completing this field: Entering a specific Localization will give the user complete access to all Cases in that Localization and read-only access to all Inbox Items and Global Cases. Entering "Global" will give the user complete access to all Global and Localized Cases. Leaving the field blank will not give the user access to any Localized Cases, but they will have complete access to all Inbox Items and Global Cases.
Country	Select a country from the picklist.

Note: Depending on your Admin’s configuration of User records, you may see the Case Access Group Override field. When populated, all Inbox Items and Cases created by that user are assigned to the selected Case Access Group. System matching logic is not used in this scenario. This is useful, for example, for a global load balancing Case Processor who may enter a Case that would qualify for a specific group though it should be maintained at the global level.

Manage Access to PII and Unblinded Information

Vault Safety includes multiple ways to control access to PII and unblinded information on Inbox Items and Cases. For standard application roles, such as Data Entry and Medical Reviewer, we recommend that you configure them to hide PII and unblinded information. With Case Access Groups enabled, a user can be granted additional roles that provide access to PII and unblinded information for a given Case.

Assign Case Access by Local PV Email

You have the option of assigning user access to Inbox Items based on the sender’s email address. When this feature is enabled, Vault uses the sender’s email address for Case Access Group assignment over the standard Case Access Group assignment rules.

For more information about email intake to Inbox Item, see Manual Intake from Emails.

Prerequisites

Before using this feature, you must complete the following tasks:

How Vault Assigns Access Groups from Email Intake

The diagrams in the following sections illustrate how Vault assigns Access Groups for Inbox Items created from email intake.

Vault sets the Sender (Person) on the Inbound Transmission
Vault sets the Access Group field on the Inbox Item
Vault assigns access to Inbox Item documents

Vault Sets the Sender (Person) on the Inbound Transmission

Vault Safety receives an Inbox Item from an email.
Vault checks if there is a Vault Person with the same email address as the sender and who belongs to an Access Group.
If a Vault Person meets these criteria, Vault sets the Sender (Person) field on the Inbound Transmission. If multiple Vault Persons meet these criteria, Vault sets the one with the latest created date on the Inbound Transmission.

Vault Sets the Access Group Field on the Inbox Item

If a Vault Person was used to set the Sender (Person) on the Inbound Transmission, Vault uses their Case Access Group field to set the Inbox Item Access Group.
Otherwise, Vault uses existing Case Access Group matching logic to populate the Inbox Item Access Group.

Vault Assigns Access to Inbox Item Documents

After populating the Inbox item Access Group, Vault adds the users to the Sharing Settings for all Documents linked to the Inbox Item based on the Access Group.

Users are granted:

Viewer role
Manual Assignment access

If the Inbox Item Access Group is updated, Vault removes the group of users from the Documents’ Sharing Settings and adds the new users based on the updated Access Group.