# Manage Case Access Group Security Vault enables you to manage access groups that control team members' ability to view and edit _Inbox Items_ and _Cases_, as well as unblinded information. To ensure Case Access Group Security provides the simplest and most effective security solutions, contact Veeva Managed Services for a consultation. With Case Access Group Security, you assign individuals to groups and roles and have granular control over security for unblinded and personally identifiable information (PII). For each access group, you set up which _Inbox Items_ and _Cases_ are visible to the group based on such factors as region, report type, market segment, country, and organization. Users are then given a role on each group as applicable. Some example use cases are creating access groups based on the following: * Origin of the _Case_, for example, EMA, MHRA, Partner * _Product Type_, for example, Cosmetics, Drugs * Lifecycle state, for example, users with access to specific domestic and _Localized Cases_ can only see global _Cases_ in the _Approved_ state For managing sensitive information, Case Access Group Security enables hiding only the fields that contain unblinded information and letting all other fields be viewable and editable. This is useful in such situations as follows: * Surfacing _Case Product_ data when doing so would not harm the integrity of the _Study_ (for example, Concomitant or Standard of Care products) * Allowing some team members to see and edit non-sensitive fields on blinded _Products_, while sensitive fields (such as _Product_ and _Lot Number_) remain protected * Allowing some team members to see and edit all fields on non-study _Products_ with a _Drug Role_ of _Concomitant_ or _External_

Note: When using Case Access Groups, you cannot assign roles as part of a workflow. We recommend using Strict Inbox Item Locking or Strict Case Locking instead.

## Prerequisites Consider the following prerequisites for setting up _Case Access Groups_: * You have consulted with Veeva Managed Services about your needs and received their recommendations for _Case Access Group_ setup. * You have enabled Case Access Group Security. ## How Vault Matches Cases to Case Access Groups {#how-the-system-matches-cases-to-case-access-groups} For _Inbox Items_ and _Cases_, Vault grants access to the _Case Access Group_ that is the most specific match, based on the following criteria: * _Sponsor_ * _Country_ * _Report Type_ * _Study Type_ * _Study_ * _Origin_ * _Intake Method_ and _Format_ * _Market Segment_ For criteria that your organization doesn't need to match against, leave those fields blank. With the exception of _Market Segment_, Vault considers blank values on _Case Access Group_ records to mean _Any_ when matching _Inbox Items_ and _Cases_ to _Case Access Groups_, allowing you to set up fewer [assignment rules][7]. For _Market Segment_, the values must be an exact match, even if blank.

Note: To match based on Intake Type, you must populate the Intake Format and Intake Method fields.

If you have configured your Vault to display _Inbound Transmission_ records on _Inbox Items_ and _Cases_ and _Inbound Transmission_ layout to include the _Case Access Group_ and _Case Access Group Assignment Reason_ fields, those field values provide details on which _Case Access Group_ was assigned to a _Case_ and why. ### Case Access Group Examples See the following diagrams that illustrate Vault's selection of the most specific _Case Access Group_. #### CASE 000001

#### CASE 000002

### Case Access Group Assignment Fields The following table shows how Vault matches the fields on the _Case Access Group Assignment_ record to the fields on the _Inbox Item_ and _Case_.

Case Access Group Assignment Field	Inbox Item	Case
Sponsor (`sponsor__v`)	Organization (`organization__v`)	Organization (`organization__v`)
Report Type (`report_type__v`)	Report Type (`report_type__v`)	Report Type (`report_type__v`)
Country (`country__v`)	Country (`country__v`)	Reporter Country (`reporter_country__v`) If the Reporter Country field is blank, Vault matches to Event Country (`event_country__v`)
Study (`study__v`)	Study (`study__v`)	Study (`study__v`)
Study Type (`study_type__v`)	(`study__v.study_type__v`) Note: When the Study field on an Inbox Item is blank, but its source file has a specified Study Type, Vault uses the source’s Study Type when assigning a Case Access Group.	Study Type (`study_product_reason__v`)
Origin (`origin__v`)	(`inbound_transmission.origin__v`)	(`inbound_transmission.origin__v`)
Intake Format (`intake_format__v`)	Intake Format (`intake_format__v`)	Intake Format (`intake_format__v`)
Intake Method (`intake_method__v`)	Intake Method (`intake_method__v`)	Intake Method (`intake_method__v`)
Market Segment (`market_segment__v`)	Market Segment (`market_segment__v`)	Market Segment (`market_segment__v`)

## Application Roles and Case Access Group Security While each user is assigned an application role to control their access to _Case_-related data and workflows at an organization level, with _Case Access Groups_ you can control access to personally identifiable information (PII) and unblinded information at the object and field levels. For each _Case Access Group_ a team member is assigned to, you specify their application role within that group. When they are processing _Cases_ for the associated access group, that application role determines their role on the _Case_. This enables you, for example, to give a Case Processor the ability to view unblinded information for some product types and sponsors, when they do not have access to view that information at the organization level. Follow your organization's process when assigning roles. System-managed roles for _Case Access Groups_ include the following: * _Viewer_ * _Editor_ * _PII Unmasked_ * _Study Unmasked_

Note: When assigning access to Case Product Registration values, Vault considers the user’s role across both global and Localized Cases and grants the more permissive role. For example, if the user has the Editor role on Localized Cases and the Viewer role on global Cases, they will have the Editor role on Case Product Registration values.

Vault maps the user's application role from the parent record to all child records. This means, for example, that if a user is a _Viewer_ on a _Case_, they will also be a _Viewer_ on all of the _Case_ child records. Their access to PII and unblinded information is also mapped to the child records.

Note: Assigning users to the appropriate role is part of the consultation with Veeva Managed Services.

### System-Provided Case Access Groups We recommend assigning team members to your organization's custom _Case Access Groups_. However, Vault also includes system-provided groups. The following sections describes the default _Case Access Groups_, along with their access, benefits, and limitations. #### General Access Group {#general} * **Access**: _Inbox Items_ and _Cases_ assigned to the _General Access Group_ and with no _Case Access Group_ assignment are visible to members of this group. * **Benefit**: This may be beneficial for organizations where all users have access to all _Cases_. * **Limitation**: _Cases_ accessible to this group may be difficult to predict. We recommend against using this group for team members who should have limited access to _Inbox Items_ and _Cases_. This includes, for example, Sponsor users in a Contract Research Organization (CRO) Vault. #### All Access Group {#all} * **Access**: All _Inbox Items_ and _Cases_ are visible to members of this group. _Cases_ are never assigned to this _Case Access Group_. * **Benefit**: Available for senior staff who should have access to all _Inbox Items_ and _Cases_. * **Limitation**: We recommend against using this group for CROs, since it could result in an individual accessing _Cases_ across all Sponsors. ## Add Case Access Groups Complete the following steps to add _Case Access Groups_: 1. Navigate to **Business Admin > Objects > Case Access Groups**. 2. Select **Create**. 3. In the _Details_ section, enter a **Group Name** and **API Name**. 4. Select **Save**. ### Create Case Assignment Rules {#rules} Within a _Case Access Group_, you can create as many _Case Assignment Rules_ as needed. We recommend using the simplest configurations whenever possible. To do this: 1. Navigate to the applicable _Case Access Group_. 2. In the _Case Assignment Rules_ section, select **Create**. 3. In the _Create Case Access Group Assignment_ window, select a **Sponsor**. 4. (Optional) Populate the relevant [fields][8]. 5. Select **Save**. #### Case Assignment Rule Fields {#rules-fields}

Field	Description
Access Group	This is populated by Vault based on the associated Case Access Group.
Sponsor	Select the Organization for Inbox Items and Cases that will be accessible to the selected Case Access Group.
Report Type	(Optional) Select a Report Type from the picklist.
Country	(Optional) Select a Country from the picklist.
Origin	(Optional) Select the sending organization for a given case. For example, select EMA to limit the Case Access Group to Cases downloaded from EudraVigilance.
Intake Format	(Optional) Select a format from the picklist. Note: When using Intake Format as a matching criteria, the Intake Method field must also be used.
Intake Method	(Optional) Select a method from the picklist. Note: When using Intake Method as a matching criteria, the Intake Format field must also be used.
Study Type	(Optional) Select a type from the picklist.
Study	(Optional) Select a Study from the dropdown list.
Market Segment	(Optional) Select the Market Segment associated with the Study for Study Cases or the primary Product for postmarket Cases.

### Create User Access Group Assignments {#uag-assign} Within a _Case Access Group_, you can assign as many users to the access group as required. You can also set up a single user with multiple roles by creating multiple _User Access Group Assignment_ records. To do this: 1. Navigate to the applicable _Case Access Group_. 2. In the _User Access Group Assignment_ section, select **Create**. 3. In the _Create User Access Group Assignment_ window, populate the relevant [fields][9]. 4. Select **Save**. #### User Access Group Assignment Fields {#uag-assign-fields}

Field	Description
User	Select a User from the dropdown list.
Role	Select the applicable Role for the user on Cases within the selected Case Access Group. Users with multiple roles will require a unique User Access Group Assignment record for each role.
User Blinded	Select whether the user should have access to unblinded information for Cases within the selected Case Access Group.
PII Access	Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group.
Localization	Select the Localization for the user on Cases within the Case Access Group. Consider the following when completing this field: Entering a specific Localization will give the user complete access to all Cases in that Localization and read-only access to all global Cases. Entering Global will give the user complete access to all global Inbox Items and Cases. Leaving the field blank will not give the user access to any Localized Cases, but they will have complete access to all global Inbox Items and Cases and all Cases with a blank Localization value.
Country	Select a country from the picklist to limit the user's access to global Cases with that Country value only. Regardless of the Country, the user will have read-only access to all Localized Cases based on the Localization field value. Users with an assigned country cannot access Inbox Items, Cases, or Localized Cases with blank Country fields.
Subject Information Review	Select whether the user should have access to subject information for Cases with SAEs received from the Safety-EDC Connection.

### User Access to Transmissions {#user-access} The _Localization_ setting on _User Access Group Assignments_ controls user access to _Inbound Transmission_ and _Transmission_ records. To grant access to _Inbound Transmission_ records, the user's _Localization_ setting must match the _Localization_ value of the _Case_ linked on the _Inbound Transmission_ record. If no _Case_ exists, Vault considers the _Localization_ field of the associated _Inbox Item_. To grant access to _Transmission_ records from within a _Localized Case_ record, the user's _Localization_ setting must match the _Localization_ value of the _Localized Case_ linked on the _Transmission_ record. ### User Access to Inbox Item Documents After populating the _Access Group_ on the _Inbox Item_, Vault adds the applicable users to the _Sharing Settings_ for all documents linked to the _Inbox Item_ based on the _Access Group_. Users are granted: * _Viewer_ role * _Manual Assignment_ access When the _Access Group_ of the _Inbox Item_ is updated, Vault removes the group of users from the documents' _Sharing Settings_ and adds the new users based on the updated _Access Group_. ## Manage Case Assignment Teams {#manage-case-assignment-teams} You can use _Case Assignment Teams_ when the _Case_ volume demands more management and _Case_ processing effort. A _Case Assignment Team_ consists of a group of users, typically with a team leader, that manages a subset of _Cases_. The subset can be based on certain _Case_ types (for example, _Study Cases_), _Country_, or localization-specific _Cases_. Or, it can simply be a division of volume. You can add multiple _Case Assignment Teams_ to a _Case Access Group_.

Note: To assign a Case Assignment Team, an access group must first be set on the Case.

After setting the [_Case Access Group_ on the _Case_][1], a user can then select a _Case Assignment Team_ within this access group after considering the intake or _Case_ processing task. Users an select from the following assignment options: * **Team Assignment**: The team leader assigns the _Case_ to a team member. * **Manual Assignment**: A team member assigns the _Case_ to themselves. You can use field permissions to grant _Edit_ access for these assignment fields. Vault locks the _Inbox Item_ or _Case_ once is assigned to a user, it is locked. For more information, see [Strict Inbox Item Locking][6] and Strict Case Locking. On the **Inbox Item** and **Case** tab of the user side of your Vault, team leaders and members can filter or create a view to display only _Inbox Items_ and _Cases_ assigned to their _Case Assignment Team_ or to themselves. ### Prerequisites Before adding _Case Assignment Teams_, you must enable Case Assignment. ### Create a Case Assignment Team To create _Case Assignment Teams_: 1. Navigate to **Business Admin > Objects > Case Assignment Teams**. 2. Select **Create**. 3. Enter a **Name**. 4. Ensure the **Status** is `Active`. 5. Select a **Case Access Group**. 6. (Optional) Select a **Team Leader**. This user can assign team members to _Inbox Items_ and _Cases_. 7. Select **Save** to reveal additional sections. 8. Expand the _Team Members_ section. 9. Select **Add**. 10. In the _Search: User_ window, select the users you want to add to add to this team. You can select multiple users at once and filter for a more specific list. 11. Select **OK**. 12. Select **Save**. After saving the record, you can find this _Case Assignment Team_ linked in the specified _Case Access Group_ in the _Case Assignment Teams_ section. Vault updates the following fields based on user assignment: * When a user is added to or removed from a _Case Assignment Team_, Vault updates the _Total Team Members_ field value in the _Team Capacity_ section. * Vault updates the _Team Caseload_ field value when a team member on the _Case Assignment Team_ is assigned a new _Inbox Item_ or _Case_. Vault does not update the _Team Caseload_ value when a _Case Assignment Team_ is assigned. _Inbox Items_ and _Cases_ in a _Completed_ state (for example, _Promoted_) do not count towards the _Team Caseload_. To view and edit the _Completed_ states, go to **Admin > Security > Safety General Settings > Case Completed**. The _Completed_ states for _Inbox Item_ include _Promoted_ and _Rejected_, which you cannot edit. The _Inbox Items_ and _Cases_ that are assigned to this team or to a member of this team are listed in the _Team Inbox Items_ and _Team Cases_ sections, respectively. You can also create _Inbox Items_ and _Cases_ by expanding these sections and selecting **Create**. These records will automatically be assigned to this _Case Assignment Team_. ### Manage Case Access Groups for Case Assignment Teams 1. Navigate to **Business Admin > Objects > Case Access Groups > Case Access Group**. 2. Open the applicable record. 3. Select **Edit**. 4. In the _Details_ section, select an option for the **Role Assignment Method** field: * **All Users in Access Group**: Grants all users in this _Case Access Group_ access to edit the _Inbox Item_ or _Case_. * **Users on Assigned Team**: Grants only users in the assigned _Case Assignment Team_ access to edit the _Inbox Item_ or _Case_. 5. Select **Save**.

Note: You cannot modify the Role Assignment Method field for the All Access or General Access groups.

### How Vault Grants Case Access **Scenario 1: The Inbox Item or Case has an assigned Case Assignment Team** Vault checks the _Role Assignment Method_ field value for this access group. * If the _Role Assignment Method_ is `Users on Assigned Team`, Vault grants the following permissions: * Team members in the _Case Assignment Team_ have edit access and can be assigned to the _Inbox Item_ or _Case_. * Users in the set access group that are not assigned to any teams have edit access and can be assigned to the _Inbox Item_ or _Case_. * Users in this access group but not on this team are granted viewer access. * If the _Role Assignment Method_ is `All Users in Access Group` or blank, Vault defaults to existing _Case Access Group_ security behavior. **Scenario 2: The Inbox Item or Case has no assigned Case Assignment Team** If the _Case Assignment Team_ field is not populated for the _Inbox Item_ or _Case_, Vault defaults to existing _Case Access Group_ security behavior. ### Strict Inbox Item Locking {#strict-inbox-item-locking} Similar to strict _Case_ locking, you can prevent users from editing an _Inbox Item_ unless they are assigned to that _Inbox Item_ in the _Assigned To_ field (this field may be `Locked By User`, depending on your Admin's configuration). Once this field is populated, the _Inbox Item_ is considered locked and assigned to that user only. For _Case Assignment Teams_, the team leader and team members use this field for user assignment. However, you do not need to enable _Case Assignment Teams_ to use this field. To use strict _Inbox Item_ locking, you must add this field to the _Inbox Item_ layout and grant object lifecycle permissions. ## Assign Case Access Groups and Roles to User Records In addition to [assigning users to _Case Access Groups_ through _Case Access Group_ records][5], you can assign users to _Case Access Groups_ through _User_ records. For each user, add as many _User Access Group Assignments_ as required. On each record, you define the user's role on _Cases_, as well as their access to unblinded and protected information and the countries they work in, if applicable. You can also set up a single user with multiple roles in a _Case Access Group_ by creating multiple _User Access Group Assignment_ records. To do this: 1. Navigate to **Business Admin > Objects > Users > [User]**. 2. In the _Case Access Group Assignment_ section, select **Create**. 3. In the _Create User Access Group Assignment_ window, populate the applicable [fields][10]. 4. Select **Save**. ### User Access Group Assignment Fields {#user-access-fields}

Field	Description
User	This field is populated by Vault.
Access Group	Select a Case Access Group from the picklist.
Role	Select a Role from the picklist. This role is applied each time the user interacts with Cases for the Case Access Group.
User Blinded	Select whether the user should have access to unblinded information for Cases within the selected Case Access Group.
PII Access	Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group.
Localization	Select the Localization for the user on Cases within the Case Access Group. Consider the following when completing this field: Entering a specific Localization will give the user complete access to all Cases in that Localization and read-only access to all Inbox Items and global Cases. Entering `Global` will give the user complete access to all global and Localized Cases. Leaving the field blank will not give the user access to any Localized Cases, but they will have complete access to all Inbox Items and global Cases.
Country	Select a Country from the picklist.

Note: Depending on your configuration of the User object, you may see the Case Access Group Override field. When populated, all Inbox Items and Cases created by that user are assigned to the selected Case Access Group. System matching logic is not used in this scenario. This is useful, for example, for a global load balancing Case Processor who may enter a Case that would qualify for a specific group though it should be maintained at the global level.

## Manage Access to PII and Unblinded Information There are multiple ways to control access to PII and unblinded information on _Inbox Items_ and _Cases_. For standard application roles, such as Data Entry and Medical Reviewer, we recommend that you configure them to hide PII and unblinded information. With _Case Access Groups_ enabled, a user can be granted additional roles that provide access to PII and unblinded information for a given _Case_. ### Mask PHI and PII on the Potential Matches Page {#phi-pii-pm} If you have enabled the _Duplicate Search Potential Matches Safety App Page_ and _Mask PHI and PII on the Potential Matches Page_ settings, users in applicable access groups with PII access to both the source and matched records can view protected health information (PHI) and personally identifiable information (PII) on the enhanced _Potential Matches_ page. For other users, Vault displays asterisks (`****`) to mask PHI and PII information on the page. ## Assign Case Access by Local PV Email You have the option of assigning user access to _Inbox Items_ based on the sender's email address. When this feature is enabled, Vault uses the sender's email address for _Case Access Group_ assignment over the [standard assignment rules][1]. For more information about email intake to _Inbox Item_, see Manual Intake from Emails. ### Prerequisites Before using this feature, you must complete the following tasks: * Configure Email to Vault Safety Inbox Item * Enable Case Access Group Security * Enable Case Access by Local PV Email ### How Vault Assigns Access Groups from Email Intake The diagrams in the following sections illustrate how Vault assigns access groups for _Inbox Items_ created from email intake. * [Vault sets the _Sender (Person)_ on the _Inbound Transmission_][2] * [Vault sets the _Access Group_ field on the _Inbox Item_][3] #### Vault Sets the Sender (Person) on the Inbound Transmission {#access-groups-email-intake-a}

1. Vault receives an _Inbox Item_ from an email. 2. Vault checks if there is a _Vault Person_ with the same email address as the sender and who belongs to an access group. 3. If a _Vault Person_ meets these criteria, Vault populates the _Sender (Person)_ field on the _Inbound Transmission_. If multiple _Vault Persons_ meet these criteria, Vault selects the record with the latest created date on the _Inbound Transmission_. #### Vault Sets the Access Group Field on the Inbox Item {#access-groups-email-intake-b}

1. If a _Vault Person_ was used to populate the _Sender (Person)_ on the _Inbound Transmission_, Vault uses their _Case Access Group_ value to populate the _Access Group_ value of the _Inbox Item_. 2. Otherwise, Vault uses [existing _Case Access Group_ matching logic][1] to populate the _Access Group_ value of the _Inbox Item_. [1]: #how-vault-matches-cases-to-case-access-groups [2]: #access-groups-email-intake-a [3]: #access-groups-email-intake-b [5]: #uag-assign [6]: #strict-inbox-item-locking [7]: #rules [8]: #rules-fields [9]: #uag-assign-fields [10]: #user-access-fields