Manage Case Access Group Security

Learn how to manage access groups that control team members’ ability to view and edit Inbox Items and Cases, as well as unblinded information. To ensure Case Access Group Security provides the simplest and most effective security solutions, contact Veeva Managed Services for a consultation.

About Case Access Group Security

With Case Access Group Security, you assign individuals to groups and roles and have granular control over security for unblinded and personally identifiable information (PII). For each access group, you set up which Inbox Items and Cases are visible to the group based on such factors as region, report type, market segment, country, and organization. Users are then given a role on each group as applicable.

Some example use cases are creating access groups based on the following:

Origin of the Case, for example, EMA, MHRA, Partner
Product Type, for example, Cosmetics, Drugs
Lifecycle state, for example, users with access to specific domestic and Localized Cases can only see global Cases in the Approved state

For managing sensitive information, Case Access Group Security enables hiding only the fields that contain unblinded information and letting all other fields be viewable and editable. This is useful in such situations as follows:

Surfacing Case Product data when doing so would not harm the integrity of the Study (for example, Concomitant or Standard of Care products)
Allowing some team members to see and edit non-sensitive fields on blinded Products, while sensitive fields (such as Product and Lot Number) remain protected
Allowing some team members to see and edit all fields on non-study Products with a Drug Role of Concomitant or External

Note: When using Case Access Groups, you cannot assign roles as part of a workflow. We recommend using Strict Inbox Item Locking or Strict Case Locking instead.

Prerequisites

Consider the following prerequisites for setting up Case Access Groups:

You have consulted with Veeva Managed Services about your needs and received their recommendations for Case Access Group setup.
You have enabled Case Access Group Security.

How Vault Matches Cases to Case Access Groups

For Inbox Items and Cases, Vault grants access to the Case Access Group that is the most specific match, based on the following criteria:

Sponsor
Country
Report Type
Study Type
Study
Origin
Intake Method and Format
Market Segment

For criteria that your organization doesn’t need to match against, leave those fields blank. Vault considers blank values to mean “Any” when matching, allowing you to set up fewer assignment rules.

Note: To match based on Intake Type, you must populate the Intake Format and Intake Method fields.

If you have configured your Vault to display Inbound Transmission records on Inbox Items and Cases and Inbound Transmission layout to include the Case Access Group and Case Access Group Assignment Reason fields, those field values provide details on which Case Access Group was assigned to a Case and why.

Case Access Group Examples

See the following diagrams that illustrate Vault’s selection of the most specific Case Access Group.

CASE 000001

CASE 000002

Case Access Group Assignment Fields

The following table shows how Vault matches the fields on the Case Access Group Assignment record to the fields on the Inbox Item and Case.

Case Access Group Assignment Field	Inbox Item	Case
Sponsor (`sponsor__v`)	Organization (`organization__v`)	Organization (`organization__v`)
Report Type (`report_type__v`)	Report Type (`report_type__v`)	Report Type (`report_type__v`)
Country (`country__v`)	Country (`country__v`)	Reporter Country (`reporter_country__v`) If the Reporter Country field is blank, Vault matches to Event Country (`event_country__v`)
Study (`study__v`)	Study (`study__v`)	Study (`study__v`)
Study Type (`study_type__v`)	(`study__v.study_type__v`) Note: When the Study field on an Inbox Item is blank, but its source file has a specified Study Type, Vault uses the source’s Study Type when assigning a Case Access Group.	Study Type (`study_product_reason__v`)
Origin (`origin__v`)	(`inbound_transmission.origin__v`)	(`inbound_transmission.origin__v`)
Intake Format (`intake_format__v`)	Intake Format (`intake_format__v`)	Intake Format (`intake_format__v`)
Intake Method (`intake_method__v`)	Intake Method (`intake_method__v`)	Intake Method (`intake_method__v`)
Market Segment (`market_segment__v`)	Market Segment (`market_segment__v`)	Market Segment (`market_segment__v`)

Application Roles and Case Access Group Security

While each user is assigned an application role to control their access to Case-related data and workflows at an organization level, with Case Access Groups you can control access to personally identifiable information (PII) and unblinded information at the object and field levels.

For each Case Access Group a team member is assigned to, you specify their application role within that group. When they are processing Cases for the associated access group, that application role determines their role on the Case. This enables you, for example, to give a Case Processor the ability to view unblinded information for some product types and sponsors, when they do not have access to view that information at the organization level. Follow your organization’s process when assigning roles.

System-managed roles for Case Access Groups include the following:

Viewer
Editor
PII Unmasked
Study Unmasked

Note: When assigning access to Case Product Registration values, Vault considers the user’s role across both global and Localized Cases and grants the more permissive role. For example, if the user has the Editor role on Localized Cases and the Viewer role on global Cases, they will have the Editor role on Case Product Registration values.

Vault maps the user’s application role from the parent record to all child records. This means, for example, that if a user is a Viewer on a Case, they will also be a Viewer on all of the Case child records. Their access to PII and unblinded information is also mapped to the child records.

Note: Assigning users to the appropriate role is part of the consultation with Veeva Managed Services.

System-Provided Case Access Groups

We recommend assigning team members to your organization’s custom Case Access Groups. However, Vault also includes system-provided groups. The following sections describes the default Case Access Groups, along with their access, benefits, and limitations.

General Access Group

Access: Inbox Items and Cases assigned to the General Access Group and with no Case Access Group assignment are visible to members of this group.
Benefit: This may be beneficial for organizations where all users have access to all Cases.
Limitation: Cases accessible to this group may be difficult to predict. We recommend against using this group for team members who should have limited access to Inbox Items and Cases. This includes, for example, Sponsor users in a Contract Research Organization (CRO) Vault.

All Access Group

Access: All Inbox Items and Cases are visible to members of this group. Cases are never assigned to this Case Access Group.
Benefit: Available for senior staff who should have access to all Inbox Items and Cases.
Limitation: We recommend against using this group for CROs, since it could result in an individual accessing Cases across all Sponsors.

Add Case Access Groups

Complete the following steps to add Case Access Groups:

Navigate to Business Admin > Objects > Case Access Groups.
Select Create.
In the Details section, enter a Group Name and API Name.
Select Save.

Create Case Assignment Rules

Within a Case Access Group, you can create as many Case Assignment Rules as needed. We recommend using the simplest configurations whenever possible. To do this:

Navigate to the applicable Case Access Group.
In the Case Assignment Rules section, select Create.
In the Create Case Access Group Assignment window, select a Sponsor.
(Optional) Populate the relevant fields.
Select Save.

Case Assignment Rule Fields

Field	Description
Access Group	This is populated by Vault based on the associated Case Access Group.
Sponsor	Select the Organization for Inbox Items and Cases that will be accessible to the selected Case Access Group.
Report Type	(Optional) Select a Report Type from the picklist.
Country	(Optional) Select a Country from the picklist.
Origin	(Optional) Select the sending organization for a given case. For example, select EMA to limit the Case Access Group to Cases downloaded from EudraVigilance.
Intake Format	(Optional) Select a format from the picklist. Note: When using Intake Format as a matching criteria, the Intake Method field must also be used.
Intake Method	(Optional) Select a method from the picklist. Note: When using Intake Method as a matching criteria, the Intake Format field must also be used.
Study Type	(Optional) Select a type from the picklist.
Study	(Optional) Select a Study from the dropdown list.
Market Segment	(Optional) Select the Market Segment associated with the Study for Study Cases or the primary Product for postmarket Cases.

Create User Access Group Assignments

Within a Case Access Group, you can assign as many users to the access group as required. You can also set up a single user with multiple roles by creating multiple User Access Group Assignment records. To do this:

Navigate to the applicable Case Access Group.
In the User Access Group Assignment section, select Create.
In the Create User Access Group Assignment window, populate the relevant fields.
Select Save.

User Access Group Assignment Fields

Field	Description
User	Select a User from the dropdown list.
Role	Select the applicable Role for the user on Cases within the selected Case Access Group. Users with multiple roles will require multiple User Access Group Assignment records.
User Blinded	Select whether the user should have access to unblinded information for Cases within the selected Case Access Group.
PII Access	Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group.
Localization	Select the Localization for the user on Cases within the Case Access Group. Consider the following when completing this field: Entering a specific Localization will give the user complete access to all Cases in that Localization and read-only access to all Inbox Items and global Cases. Entering `Global` will give the user complete access to all global and Localized Cases. Leaving the field blank will not give the user access to any Localized Cases, but they will have complete access to all Inbox Items and global Cases.
Country	Select a country from the picklist.
Subject Information Review	Select whether the user should have access to subject information for Cases with SAEs received from the Safety-EDC Vault Connection.

User Access to Transmissions

The Localization setting on User Access Group Assignments controls user access to Inbound Transmission and Transmission records. To grant access to Inbound Transmission records, the user’s Localization setting must match the Localization value of the Case linked on the Inbound Transmission record. If no Case exists, Vault considers the Localization field of the associated Inbox Item. To grant access to Transmission records from within a Localized Case record, the user’s Localization setting must match the Localization value of the Localized Case linked on the Transmission record.

Manage Case Assignment Teams

You can use Case Assignment Teams when the Case volume demands more management and Case processing effort. A Case Assignment Team consists of a group of users, typically with a team leader, that manages a subset of Cases. The subset can be based on certain Case types (for example, Study Cases), Country, or localization-specific Cases. Or, it can simply be a division of volume. You can add multiple Case Assignment Teams to a Case Access Group.

Note: To assign a Case Assignment Team, an access group must first be set on the Case.

After setting the Case Access Group on the Case, a user can then select a Case Assignment Team within this access group after considering the intake or Case processing task. Users an select from the following assignment options:

Team Assignment: The team leader assigns the Case to a team member.
Manual Assignment: A team member assigns the Case to themselves.

You can use field permissions to grant Edit access for these assignment fields.

Vault locks the Inbox Item or Case once is assigned to a user, it is locked. For more information, see Strict Inbox Item Locking and Strict Case Locking.

On the Inbox Item and Case tab of the user side of your Vault, team leaders and members can filter or create a view to display only Inbox Items and Cases assigned to their Case Assignment Team or to themselves.

Prerequisites

Before adding Case Assignment Teams, you must enable Case Assignment.

Create a Case Assignment Team

To create Case Assignment Teams:

Navigate to Business Admin > Objects > Case Assignment Teams.
Select Create.
Enter a Name.
Ensure the Status is Active.
Select a Case Access Group.
(Optional) Select a Team Leader. This user can assign team members to Inbox Items and Cases.
Select Save to reveal additional sections.
Expand the Team Members section.
Select Add.
In the Search: User window, select the users you want to add to add to this team. You can select multiple users at once and filter for a more specific list.
Select OK.
Select Save.

After saving the record, you can find this Case Assignment Team linked in the specified Case Access Group in the Case Assignment Teams section.

Vaule updates the following fields based on user assignment:

When a user is added to or removed from a Case Assignment Team, Vault updates the Total Team Members field value in the Team Capacity section.
Vault updates the Team Caseload field value when a team member on the Case Assignment Team is assigned a new Inbox Item or Case. Vault does not update the Team Caseload value when a Case Assignment Team is assigned.
Vault updates the User Current Caseload field on the User Assignment Attributes records when a user is assigned to an Inbox Item or Case.

Inbox Items and Cases in a Completed state (for example, Promoted) do not count towards the Team Caseload or User Current Caseload. To view and edit the Completed states, go to Admin > Security > Safety General Settings > Case Completed. The Completed states for Inbox Item include Promoted and Rejected, which you cannot edit.

The Inbox Items and Cases that are assigned to this team or to a member of this team are listed in the Team Inbox Items and Team Cases sections, respectively. You can also create Inbox Items and Cases by expanding these sections and selecting Create. These records will automatically be assigned to this Case Assignment Team.

Manage Case Access Groups for Case Assignment Teams

Navigate to Business Admin > Objects > Case Access Groups > Case Access Group.
Open the applicable record.
Select Edit.
In the Details section, select an option for the Role Assignment Method field:
- All Users in Access Group: Grants all users in this Case Access Group access to edit the Inbox Item or Case.
- Users on Assigned Team: Grants only users in the assigned Case Assignment Team access to edit the Inbox Item or Case.
Select Save.

Note: You cannot modify the Role Assignment Method field for the All Access or General Access groups.

How Vault Grants Case Access

Scenario 1: The Inbox Item or Case has an assigned Case Assignment Team

Vault checks the Role Assignment Method field value for this access group.

If the Role Assignment Method is Users on Assigned Team, Vault grants the following permissions:
- Team members in the Case Assignment Team have edit access and can be assigned to the Inbox Item or Case.
- Users in the set access group that are not assigned to any teams have edit access and can be assigned to the Inbox Item or Case.
- Users in this access group but not on this team are granted viewer access.
If the Role Assignment Method is All Users in Access Group or blank, Vault defaults to existing Case Access Group security behavior.

Scenario 2: The Inbox Item or Case has no assigned Case Assignment Team

If the Case Assignment Team field is not populated for the Inbox Item or Case, Vault defaults to existing Case Access Group security behavior.

Strict Inbox Item Locking

Similar to strict Case locking, you can prevent users from editing an Inbox Item unless they are assigned to that Inbox Item in the Assigned To field (this field may be Locked By User, depending on your Admin’s configuration). Once this field is populated, the Inbox Item is considered locked and assigned to that user only.

For Case Assignment Teams, the team leader and team members use this field for user assignment. However, you do not need to enable Case Assignment Teams to use this field.

To use strict Inbox Item locking, you must add this field to the Inbox Item layout and grant object lifecycle permissions.

Assign Case Access Groups and Roles to User Records

In addition to assigning users to Case Access Groups through Case Access Group records, you can assign users to Case Access Groups through User records. For each user, add as many User Access Group Assignments as required. On each record, you define the user’s role on Cases, as well as their access to unblinded and protected information and the countries they work in, if applicable. You can also set up a single user with multiple roles in a Case Access Group by creating multiple User Access Group Assignment records. To do this:

Navigate to Business Admin > Objects > Users > [User].
In the Case Access Group Assignment section, select Create.
In the Create User Access Group Assignment window, populate the applicable fields.
Select Save.

User Access Group Assignment Fields

Field	Description
User	This field is populated by Vault.
Access Group	Select a Case Access Group from the picklist.
Role	Select a Role from the picklist. This role is applied each time the user interacts with Cases for the Case Access Group.
User Blinded	Select whether the user should have access to unblinded information for Cases within the selected Case Access Group.
PII Access	Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group.
Localization	Select the Localization for the user on Cases within the Case Access Group. Consider the following when completing this field: Entering a specific Localization will give the user complete access to all Cases in that Localization and read-only access to all Inbox Items and global Cases. Entering `Global` will give the user complete access to all global and Localized Cases. Leaving the field blank will not give the user access to any Localized Cases, but they will have complete access to all Inbox Items and global Cases.
Country	Select a Country from the picklist.

Note: Depending on your configuration of the User object, you may see the Case Access Group Override field. When populated, all Inbox Items and Cases created by that user are assigned to the selected Case Access Group. System matching logic is not used in this scenario. This is useful, for example, for a global load balancing Case Processor who may enter a Case that would qualify for a specific group though it should be maintained at the global level.

Manage Access to PII and Unblinded Information

There are multiple ways to control access to PII and unblinded information on Inbox Items and Cases. For standard application roles, such as Data Entry and Medical Reviewer, we recommend that you configure them to hide PII and unblinded information. With Case Access Groups enabled, a user can be granted additional roles that provide access to PII and unblinded information for a given Case.

Assign Case Access by Local PV Email

You have the option of assigning user access to Inbox Items based on the sender’s email address. When this feature is enabled, Vault uses the sender’s email address for Case Access Group assignment over the standard assignment rules.

For more information about email intake to Inbox Item, see Manual Intake from Emails.

Prerequisites

Before using this feature, you must complete the following tasks:

How Vault Assigns Access Groups from Email Intake

The diagrams in the following sections illustrate how Vault assigns access groups for Inbox Items created from email intake.

Vault sets the Sender (Person) on the Inbound Transmission
Vault sets the Access Group field on the Inbox Item
Vault assigns access to Inbox Item documents

Vault Sets the Sender (Person) on the Inbound Transmission

Vault receives an Inbox Item from an email.
Vault checks if there is a Vault Person with the same email address as the sender and who belongs to an access group.
If a Vault Person meets these criteria, Vault populates the Sender (Person) field on the Inbound Transmission. If multiple Vault Persons meet these criteria, Vault selects the record with the latest created date on the Inbound Transmission.

Vault Sets the Access Group Field on the Inbox Item

If a Vault Person was used to populate the Sender (Person) on the Inbound Transmission, Vault uses their Case Access Group value to populate the Access Group value of the Inbox Item.
Otherwise, Vault uses existing Case Access Group matching logic to populate the Access Group value of the Inbox Item.

Vault Assigns Access to Inbox Item Documents

After populating the Access Group value of the Inbox Item, Vault adds the users to the Sharing Settings for all documents linked to the Inbox Item based on the Access Group. Users are granted:

Viewer role
Manual Assignment access

When the Access Group value of the Inbox Item is updated, Vault removes the group of users from the documents’ Sharing Settings and adds the new users based on the updated Access Group.