In Vault, permission sets are a way to group permissions together. Security profiles or user roles then use the permission sets to grant or restrict users’ access to certain features, particularly system administration functions such as user management or object record creation. For example, the permission sets applied to the IT Administrator security profile allow users with that profile to manage users and groups, but not studies and sites.
Accessing Permission Set Configuration
To configure permission sets, you must have the Admin: Permission Sets: Read, Create, Edit, and Delete permissions.
With the right access, you can manage permission sets from Admin > Users & Groups > Permission Sets.
Note: You can only grant permissions that you also have. For example, if you do not have any of the Vault Owner Actions section permissions, you cannot turn those permissions on when editing a permission set.
About ‘All’ Permissions
Throughout the permission sets configuration, there are permissions like All Configuration and All Audit. Granting these permissions gives users all permissions under them. However, this functions differently from simply selecting each sub-permission. If a future release of Vault adds new permissions to an area, permission sets with the ‘All’ permission will automatically select those new permissions.
About Permission Dependencies
Granting certain permissions automatically grants additional permissions. When editing, these dependent permissions will be greyed out as long as their controlling permission is selected.
For example, when you grant the Web Actions: Delete permission, you automatically grant the Web Actions: Edit permission.
About User Role Permissions
As an added layer of access alongside security profiles, you can optionally grant permissions with User Roles added to User records. This can simplify complex security profile configurations. See Managing Permissions with User Roles for more information.
Admin Permissions
Access to administrator-type functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings on the Admin tab of the Permission Sets page.
Note that in addition to license type, security profile, user role, and permission set, some access is controlled by the Domain Admin user setting.
Configuration
| Permission | Access Details |
|---|---|
| Configuration: All Configuration | Grants all ‘Configuration’ permissions; individual permissions are explained below. |
| Configuration: All Configuration Read | Grants all ‘Read’ permissions in ‘Configuration’; individual permissions are explained below. |
| Email Settings: Read | Grants read-only permission to the Configuration > Email Settings page |
| Email Settings: Edit | Grants edit permission to the Configuration > Email Settings page |
| Email Notification Status: Read | Grants permission to the Operations > Email Notification Status page |
| Login Message: Read | Grants read-only permission to the Configuration > Login Message page |
| Login Message: Edit | Grants edit permission to the Configuration > Login Message page |
| Business Admin Menu: Read | This permission has been deprecated. Although it appears in the UI, it doesn’t control access to any part of Vault. |
| Business Admin Menu: Edit | This permission has been deprecated. Although it appears in the UI, it doesn’t control access to any part of Vault. |
| Picklists: Read | Grants read-only permission to the Business Admin > Picklist page |
| Picklists: Edit | Grants edit permission to the Business Admin > Picklist page |
| Tags: Read | Grants read-only permission to the Configuration > Document Tags page. |
| Tags: Edit | Grants edit permission to the Configuration > Document Tags page. |
| User Account Emails: Read | Grants read-only permission to the Configuration > User Account Emails page |
| User Account Emails: Edit | Grants edit permission to the Configuration > User Account Emails page |
| Lifecycle Colors: Read | Grants read-only permission to the Configuration > Lifecycle Colors page |
| Lifecycle Colors: Edit | Grants edit permission to the Configuration > Lifecycle Colors page |
| Pages: Read | Grants read-only permission to Configuration > Pages |
| Pages: Edit | Grants edit permission to Configuration > Pages |
| Searchable Object Fields: Read | Grants read-only permission to the Configuration > Searchable Objects page |
| Searchable Object Fields: Edit | Grants edit permission to the Configuration > Searchable Objects page |
| Tabs: Read | Grants read-only permission to the Configuration > Tabs page |
| Tabs: Create | Grants the ability to create new tabs in the Configuration > Tabs page |
| Tabs: Edit | Grants the ability to edit existing tabs in the Configuration > Tabs page |
| Tabs: Delete | Grants ability to delete existing tabs in the Configuration > Tabs page |
| Tab Collections: Read | Grants read-only permission to the Configuration > Tab Collections page |
| Tab Collections: Create | Grants the ability to create new tabs collections in the Configuration > Tab Collections page |
| Tab Collections: Edit | Grants the ability to edit existing tab collections in the Configuration > Tab Collections page |
| Tab Collections: Delete | Grants ability to delete existing tab collections in the Configuration > Tab Collections page |
| Document Web Actions: Read | Grants read-only permission to the Configuration > Web Actions page |
| Document Web Actions: Create | Grants ability to create new web actions in the Configuration > Web Actions page |
| Document Web Actions: Edit | Grants ability to edit existing web actions in the Configuration > Web Actions page |
| Document Web Actions: Delete | Grants ability to delete web actions in the Configuration > Web Actions page |
| Object Web Actions: Read | Grants read-only permission to the Configuration > Object Web Actions page |
| Object Web Actions: Create | Grants ability to create new actions in the Configuration > Object Web Actions page |
| Object Web Actions: Edit | Grants ability to edit existing actions in the Configuration > Object Web Actions page |
| Object Web Actions: Delete | Grants ability to delete actions in the Configuration > Object Web Actions page |
| Document Types: Read | Grants read-only permission to the Configuration > Document Types page |
| Document Types: Create | Grants ability to create new document types, subtypes, and classifications in the Configuration > Document Types page |
| Document Types: Edit | Grants ability to edit existing document types, subtypes, and classifications in the Configuration > Document Types page |
| Document Types: Delete | Grants ability to delete document types, subtypes, and classifications in the Configuration > Document Types page |
| Document Fields: Read | Grants read-only permission to the Configuration > Document Fields page |
| Document Fields: Create | Grants ability to create new document fields in the Configuration > Document Fields page |
| Document Fields: Edit | Grants ability to edit existing document fields in the Configuration > Document Fields page |
| Document Fields: Delete | Grants ability to delete document fields in the Configuration > Document Fields page |
| Field Dependencies: Read | Grants read-only permission to the Configuration > Field Dependencies page |
| Field Dependencies: Create | Grants ability to create field dependencies in the Configuration > Document Fields page |
| Field Dependencies: Edit | Grants ability to edit existing field dependencies in the Configuration > Document Fields page |
| Field Dependencies: Delete | Grants ability to delete field dependencies in the Configuration > Document Fields page |
| Field Layout: Read | Grants read-only permission to the Configuration > Field Layouts page |
| Field Layout: Create | Grants ability to create new field layouts in the Configuration > Document Fields page |
| Field Layout: Edit | Grants ability to edit existing field layouts in the Configuration > Document Fields page |
| Field Layout: Delete | Grants ability to delete field layouts in the Configuration > Document Fields page |
| Document Lifecycles: Read | Grants read-only permission to Configuration > Document Lifecycles, including all sub-pages (lifecycles, states, etc.) |
| Document Lifecycles: Create | Grants ability to create new items within Configuration > Document Lifecycles including lifecycles, lifecycle states, and workflows |
| Document Lifecycles: Edit | Grants ability to edit existing items within Configuration > Document Lifecycles, including lifecycles, lifecycle states, and workflows |
| Document Lifecycles: Delete | Grants ability to delete existing items within Configuration > Document Lifecycles, including lifecycles, lifecycle states, and workflows |
| Object Lifecycles: Read | Grants read-only permission to Configuration > Object Lifecycles, including all sub-pages (lifecycles, states, etc.) |
| Object Lifecycles: Create | Grants ability to create new items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc. |
| Object Lifecycles: Edit | Grants ability to edit existing items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc. |
| Object Lifecycles: Delete | Grants ability to delete existing items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc. |
| Object Workflows: Read | Grants read-only permission to Configuration > Object Workflows |
| Object Workflows: Create | Grants ability to create new workflows within Configuration > Object Workflows |
| Object Workflows: Edit | Grants ability to edit existing workflows within Configuration > Object Workflows |
| Object Workflows: Delete | Grants ability to delete existing workflows within Configuration > Object Workflows |
| Document Messages: Read | Grants read-only permission to Configuration > Document Messages |
| Document Messages: Create | Grants ability to create new messages within Configuration > Document Messages |
| Document Messages: Edit | Grants ability to edit existing messages within Configuration > Document Messages |
| Document Messages: Delete | Grants ability to delete existing messages within Configuration > Document Messages |
| Object Messages: Read | Grants read-only permission to Configuration > Object > Messages |
| Object Messages: Create | Grants ability to create new messages within Configuration > Object Messages |
| Object Messages: Edit | Grants ability to edit existing messages within Configuration > Object Messages |
| Object Messages: Delete | Grants ability to delete existing messages within Configuration > Object > Messages |
| Objects: Read | Grants read-only permission to Configuration > Objects |
| Objects: Create | Grants ability to create new objects within Configuration > Objects |
| Objects: Edit | Grants ability to edit existing objects within Configuration > Objects |
| Objects: Delete | Grants ability to delete existing objects within Configuration > Objects |
| Overlays: Read | Grants read-only permission to Business Admin > Templates > Overlays |
| Overlays: Create | Grants ability to create new overlay templates within Business Admin > Templates > Overlays |
| Overlays: Edit | Grants ability to edit existing overlay templates within Business Admin > Templates > Overlays |
| Overlays: Delete | Grants ability to delete existing overlay templates within Business Admin > Templates > Overlays |
| Rendition Types: Read | Grants read-only permission to Configuration > Rendition Types |
| Rendition Types: Create | Grants ability to create new rendition types within Configuration > Rendition Types |
| Rendition Types: Edit | Grants ability to edit existing rendition types within Configuration > Rendition Types |
| Rendition Types: Delete | Grants ability to delete existing rendition types within Configuration > Rendition Types |
| Report Types: Read | Grants read-only permission to Configuration > Report Types |
| Report Types: Create | Grants ability to create new report types within Configuration > Report Types |
| Report Types: Edit | Grants ability to edit existing report types within Configuration > Report Types |
| Report Types: Delete | Grants ability to delete existing report types within Configuration > Report Types |
| Signature & Cover Pages: Read | Grants read-only permission to Business Admin > Templates > Signature & Cover Pages |
| Signature & Cover Pages: Create | Grants ability to create new signature page templates within Business Admin > Templates > Signature & Cover Pages |
| Signature & Cover Pages: Edit | Grants ability to edit existing signature page templates within Business Admin > Templates > Signature & Cover Pages |
| Signature & Cover Pages: Delete | Grants ability to delete existing signature page templates within Business Admin > Templates > Signature & Cover Pages |
| Formatted Output Records: Read | Grants read-only permission to Business Admin > Templates > Formatted Outputs |
| Formatted Output Records: Create | Grants ability to create new formatted outputs within Business Admin > Templates > Formatted Outputs |
| Formatted Output Records: Edit | Grants ability to edit existing formatted outputs within Business Admin > Templates > Formatted Outputs |
| Formatted Output Records: Delete | Grants ability to delete existing formatted outputs within Business Admin > Templates > Formatted Outputs |
| Templates: Read | Grants read-only permission to Business Admin > Templates > Documents & Binders |
| Templates: Create | Grants ability to create new document or binder templates within Business Admin > Templates > Documents & Binders |
| Templates: Edit | Grants ability to edit existing document or binder templates within Business Admin > Templates > Documents & Binders |
| Templates: Delete | Grants ability to delete existing document or binder templates within Business Admin > Templates > Documents & Binders |
| Business Admin Objects: Read | Grants the ability to to view and access the Objects tab within Business Admin. |
| Logs: All Audit | Grants ability to view all audit histories in Admin > Logs |
| Logs: System Audit | Grants ability to view System Audit History in Admin > Logs |
| Logs: Login Audit | Grants ability to view Login Audit History in Admin > Logs |
| Logs: Document Audit | Grants ability to view Document Audit History in Admin > Logs |
| Logs: Object Record Audit | Grants ability to view Object Record Audit History in Admin > Logs |
| Logs: Domain Audit | Grants ability to view Domain Audit History in Admin > Logs |
| Logs: Vault Java SDK Logs | Grants ability to view the Vault Java SDK Logs in Admin > Logs, such as the Debug Log and Runtime Log. |
| Logs: API Usage | Grants ability to view API Usage Logs in Admin > Logs |
| Logs: Collab Auth Error Logs | Grants ability to view Collaborative Authoring Error Log in Admin > Logs |
| Spark Queues: Read | Grants read-only permission to Spark queues in Connections > Spark Queues |
| Spark Queues: Create | Grants ability to create Spark queues in Connections > Spark Queues |
| Spark Queues: Edit | Grants ability to edit existing Spark queues in Connections > Spark Queues |
| Spark Queues: Delete | Grants ability to delete Spark queues in Connections > Spark Queues |
| Spark Queues: Queue Log | Grants ability to view the Spark Queue Log in Admin > Logs |
| Vault Java SDK: Read | Grants read permission on components using the Vault Java SDK |
| Vault Java SDK: Create | Grants create permission on components using the Vault Java SDK |
| Vault Java SDK: Edit | Grants edit permission on components using the Vault Java SDK |
| Vault Java SDK: Delete | Grants delete permission on components using the Vault Java SDK |
| Vault Tokens: Read | Grants the ability to view Vaulttoken records using MDL. |
| Vault Tokens: Create | Grants the ability to create Vaulttoken records using MDL. |
| Vault Tokens: Edit | Grants the ability to alter Vaulttoken records using MDL. |
| Vault Tokens: Delete | Grants the ability to drop Vaulttoken records using MDL. |
| Inbound Email Addresses: Read | Grants read-only permission to Configuration > Inbound Email Addresses |
| Inbound Email Addresses: Create | Grants ability to create new addresses in Configuration > Inbound Email Addresses |
| Inbound Email Addresses: Edit | Grants ability to edit existing addresses in Configuration > Inbound Email Addresses |
| Inbound Email Addresses: Delete | Grants ability to delete existing addresses in Configuration > Inbound Email Addresses |
| Inbound Email Addresses: Email Log | Grants ability to view the Email Log in Admin > Logs |
| Inbound Email Addresses: Reprocess Emails | Grants ability to use the Reprocess Emails user action |
| Inbound Email Addresses: Delete Emails | Grants ability to use the Delete Emails user action |
Domain Administration
Note: Give careful consideration when granting the permissions below, as these allow control over all Vaults in a multi-Vault domain. Note that users must have the Domain Admin setting in addition in addition to these permissions.
| Permission | Access Details |
|---|---|
| Domain Administration: All Domain Admin | Grants all permissions related to Domain Administration |
| Domain Administration: All Domain Admin Read | Grants read-only permissions to all Domain Administration areas |
| Domain Administration: Reset All Passwords | Grants permission to reset all user passwords. |
| Domain Information: Read | Grants read-only permission to Settings > Domain Information |
| Domain Information: Edit | Grants edit permission to Settings > Domain Information |
| SSO Settings: Read | Grants read-only permission to Settings > SAML Profiles |
| SSO Settings: Edit | Grants edit permission to Settings > SAML Profiles |
| Security Policies: Read | Grants read-only permission to Settings > Security Policies |
| Security Policies: Create | Grants permission to create new security policies in Settings > Security Policies |
| Security Policies: Edit | Grants permission to edit existing security policies in Settings > Security Policies |
| Network Access Rules: Read | Grants read-only permission to Settings > Network Access Rules |
| Network Access Rules: Create | Grants permission to create new network access rules in Settings > Network Access Rules |
| Network Access Rules: Edit | Grants permission to edit existing network access rules in Settings > Network Access Rules |
| Network Access Rules: Delete | Grants permission to delete existing network access rules in Settings > Network Access Rules |
Operations
| Permission | Access Details |
|---|---|
| Operations: All Operations | Grants all permissions for job scheduler and Rendition Status |
| Operations: All Operations Read | Grants read-only permissions all areas of the Operations tab |
| Jobs: Read | Grants read-only access to Operations > Job Definitions |
| Jobs: Create | Grants ability to create new job definitions |
| Jobs: Edit | Grants ability to edit existing job definitions |
| Jobs: Delete | Grants ability to delete job definitions |
| Jobs: Interact | Grants ability to manage scheduled job instances (start, stop, cancel, etc.) |
| Renditions: Read | Grants read-only access to Operations > Rendition Status |
| SDK Job Queues: Read | Grants read-only permission to SDK job queues in Operations > SDK Job Queues |
| SDK Job Queues: Create | Grants ability to create SDK job queues in Operations > SDK Job Queues |
| SDK Job Queues: Edit | Grants ability to edit SDK job queues in Operations > SDK Job Queues |
| SDK Job Queues: Delete | Grants ability to delete SDK job queues in Operations > SDK Job Queues |
Security
| Permission | Access Details |
|---|---|
| Security: All Security Admin | Grants all ‘Security’ permissions; individual permissions are explained below. |
| Security: All Security Admin Read | Grants all ‘Read’ permissions in ‘Security’; individual permissions are explained below. |
| Security Settings: Read | Grants read-only access to Settings > Security Settings |
| Security Settings: Edit | Grants edit access to Settings > Security Settings |
| Users: Read | Grants read-only access to Users & Groups > Vault Users |
| Users: Create | Grants access to create new users or add users from another Vault from Users & Groups > Vault Users |
| Users: Edit | Grants access to edit existing users from Users & Groups > Vault Users |
| Users: Assign Group | Grants access to assign users to groups from Users & Groups > Vault Users |
| Users: Grant Support Login | Grants permission to give Vault Support user account access for a specific user from Users & Groups > Vault Users |
| Users: Delegate Admin | Grants permission to give delegate access to another user’s account from Users & Groups > Vault Users |
| Users: Add Cross-Domain Users | Grants permission to add cross-domain users from Users & Groups > Vault Users |
| Users: Manage User Object | Grants ability to create, modify, and add User object records. |
| Groups: Read | Grants read-only access to Users & Groups > Groups |
| Groups: Create | Grants ability to create new groups from Users & Groups > Groups |
| Groups: Edit | Grants ability to edit existing groups from Users & Groups > Groups |
| Groups: Delete | Grants ability to delete existing groups from Users & Groups > Groups |
| Groups: Assign Users | Grants ability to assign users to groups from Users & Groups > Groups |
| Security Profiles: Read | Grants read-only access to Configuration > Security Profiles |
| Security Profiles: Create | Grants ability to create new security profiles from Configuration > Security Profiles |
| Security Profiles: Edit | Grants ability to edit existing security profiles from Configuration > Security Profiles |
| Security Profiles: Delete | Grants ability to delete existing security profiles from Configuration > Security Profiles |
| Security Profiles: Assign Users | Grants ability to assign users to a security profile from Users & Groups > Security Profiles; note that you must also have at least the same permissions as those associated with a security profile to assign users. |
| Permission Sets: Read | Grants read-only access to Configuration > Permission Sets |
| Permission Sets: Create | Grants ability to create new permission sets from Configuration > Security Profiles |
| Permission Sets: Edit | Grants ability to edit existing permission sets from Configuration > Security Profiles |
| Permission Sets: Delete | Grants ability to delete existing permission sets from Configuration > Security Profiles |
Settings
| Permission | Access Details |
|---|---|
| Settings: All Settings Edit | Grants edit permissions for all pages in Admin > Settings |
| Settings: All Settings Read | Grants read-only permission for all pages in Admin > Settings |
| General Information: Read | Grants read-only permission to the Settings > Help Settings page, as well as Vault Information, License Information, and API Information |
| General Information: Edit | Grants edit permission to the Settings > Help Settings page, as well as Vault Information, License Information, and API Information |
| General Configuration: Read | Grants read-only permission to the Settings > General Settings page |
| General Configuration: Edit | Grants edit permission to the Settings > General Settings page |
| Checkout: Read | Grants read-only permission to the Settings > Checkout Settings page |
| Checkout: Edit | Grants edit permission to the Settings > Checkout Settings page |
| Versioning: Read | Grants read-only permission to the Settings > Versioning Settings page |
| Versioning: Edit | Grants edit permission to the Settings > Versioning Settings page |
| Branding: Read | Grants read-only permission to the Settings > Branding Settings page |
| Branding: Edit | Grants edit permission to the Settings > Branding Settings page |
| Search: Read | Grants read-only permission to the Settings > Search Settings page |
| Search: Edit | Grants edit permission to the Settings > Search Settings page |
| Language: Read | Grants read-only permission to the Settings > Language Settings page |
| Language: Edit | Grants edit permission to the Settings > Language Settings page |
| Application: Read | Grants read-only permission to the Settings > Application Settings page |
| Application: Edit | Grants edit permission to the Settings > Application Settings page |
| Renditions: Read | Grants read-only permission to the Settings > Rendition Settings page |
| Renditions: Edit | Grants edit permission to the Settings > Rendition Settings page |
Deployment
| Permission | Access Details |
|---|---|
| Migration Packages: Create | Grants ability to create new outbound Configuration Migration Packages from Admin > Deployment |
| Migration Packages: Deploy | Grants ability to deploy Configuration Migration Packages from Admin > Deployment |
| Environment: Vault Configuration Report | Grants ability to run a Vault Configuration Report from Admin > Deployment |
| Environment: Vault Comparison | Grants ability to use Vault Compare from Admin > Deployment |
| Sandbox: Read | Grants ability to view sandboxes in the Admin > Deployment > Sandbox Vaults page |
| Sandbox: Create | Grants ability to create sandboxes in the Admin > Deployment > Sandbox Vaults page. Also grants the ability to build and promote a pre-production Vault to a production Vault. |
| Sandbox: Edit | Grants ability to edit and refresh sandboxes in the Admin > Deployment > Sandbox Vaults page |
| Sandbox: Delete | Grants ability to delete and refresh sandboxes in the Admin > Deployment > Sandbox Vaults page |
Application Permissions
Access to certain Vault-area functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings in Application tab of the Permission Sets page.
There are three layers of security applied to actions. First, you must have a license type that allows the action. For example, the Read-Only User license type does not allow access to reports. Second, you must have a permission set that grants the correct permission. For example, you would need the Read Dashboards and Reports permission to see any dashboard. Third, for document actions, you must have the correct document role-based permissions. For example, even with a permission set that grants the Bulk Update permission, you would also need the Edit Fields permission on any documents that you’re attempting to update in order to perform a bulk document field edit.
Vault Actions
| Permission | Access Details |
| Vault Actions: All Vault Actions | Grants all 'Vault Actions' permissions; see details for individual permissions below. |
| Dashboards and Reports: All | Grants all 'Dashboard' permissions; see details for individual permissions below. |
| Dashboards and Reports: Read Dashboards and Reports | Grants permission to run any reports that other users have shared with you. |
| Dashboards and Reports: Create Dashboards | Grants permission to create new dashboards and to edit any dashboards that you created or to which other users have given you the Editor role. |
| Dashboards and Reports: Delete Dashboards | Grants permission to delete your own dashboards or dashboards to which other users have given you the Editor role. |
| Dashboards and Reports: Share Dashboards | Grants permission to use the Share action on dashboards that you created or to which other users have given you the Editor role. |
| Dashboards and Reports: Schedule Reports | Grants permission to use the Schedule action to schedule flash reports. |
| Dashboards and Reports: Administer Dashboards | Grants permission to view and edit all dashboards, including dashboards created by another user who has not shared them; note that with this permission, a user may share and delete other users' dashboards. |
| Dashboards and Reports: Display API Name Dashboards | Grants permission to view the API names of dashboards. |
| Dashboards and Reports: Read Group Membership | Grants permission to view reports that contain both users and groups. |
| Workflow: All Workflow | Grants all 'Workflow' permissions; see details below for individual permissions. Note that this does not include 'Workflow Administration' permissions. |
| Workflow: Start | Grants permission to start workflows. |
| Workflow: Participate | Grants permission to participate in workflows. Also grants permission to use VQL to query workflow data. Learn more in the Developer Documentation. |
| Workflow: Read and Understand | Grants permission to participate in Read & Understood workflows. |
| Workflow: eSignature | Grants permission to provide an eSignature as part of a workflow. |
| Workflow: Query | Grants permission to use VQL to query workflow data. Learn more in the Developer Documentation. |
| Workflow Administration: All Workflow Admin | Grants all 'Workflow Administration' permissions; see details below for individual permissions. Note that this does not include 'Workflow' permissions. |
| Workflow Administration: Cancel | Grants permission to cancel any active workflow or open task that you can see, even if you are not the workflow or task owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security. |
| Workflow Administration: View Active | Grants permission to view all active Read & Understood workflows on the document for non-current document versions in Quality Vaults, including those on which you are not a participant. |
| Workflow Administration: Reassign | Grants permission to reassign workflow tasks that are currently assigned to other users, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security. |
| Workflow Administration: Update Participants | Grants permission to add a participant to a workflow, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security. |
| Workflow Administration: Email Participants | Grants permission to email workflow participants, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security. Learn more about Managing Active Document Workflows or Managing Active Object Workflows. |
| Workflow Administration: Update Workflow Dates | Grants permission to update all workflow dates or specific task due dates, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security. |
| Workflow Administration: Replace Workflow Owner | Grants permission to replace the workflow owner on an active workflow. |
| API: All API | Grants all 'API' permissions; see details for individual permissions below. |
| API: Access API | Grants basic permission to complete an API call and download files from the file staging server. Users must have both this permission and File Staging: Access to download files. |
| API: Events API | Grants access to the Events APIs, used in PromoMats Vaults with CLM integration. |
| API: Metadata API | Grants access to metadata APIs, including read and write access to MDL APIs. |
| API: Direct Data API | Grants access to the Direct Data API. |
| CrossLink: Create CrossLink | Grants ability to create a CrossLink document if this functionality is available on your Vault. |
| Viewer Administration: Manage Tags | Grants ability to manage annotation tags. |
| Viewer Administration: Merge Anchors | Grants ability to merge document link anchors. |
| Viewer Administration Remove Annotations | Grants ability to remove annotations brought forward from another version by a different user |
| Viewer Administration: Manage Anchors | Grants ability to bring forward anchors. Brought forward anchors have no inbound references. This permission also grants the ability to move and delete any anchor that does not have an inbound reference, and the ability to edit the name of any anchor. |
| Document: Cancel Checkout | Grants ability to cancel checkout (using the Undo Checkout action) for documents that another user has checked out; note that you must also have the Edit Document role-based permission for a document to perform this action. Document Owners can always cancel checkout if they have the Edit Document role-based permission. |
| Document: Download Document | Grants ability to download document source files; note that you must also have the appropriate role-based permissions for a document to perform this action. This permission does not control access to the Check Out action or the Export Binder action. |
| Document: Download Rendition | Grants ability to download document renditions, including Viewable Rendition and PDF with Annotations; without this permission, you also cannot use the Export Annotations action. Note that you must also have the appropriate role-based permissions for a document to perform this action. This permission does not control access to the Export Binder action. |
| Document: Bulk Delete | Grants ability to perform bulk document deletion; note that you'll also need the correct document role-based permissions to delete a document. |
| Document: Bulk Update | Grants ability to perform bulk document updates; note that you'll also need the correct document role-based permissions to update a document. |
| Document: Always Allow Unclassified | Grants the ability to create unclassified documents even without document creation permission on any document type, except for users with the Read-only license type. Users with Create Document permission on any document types are automatically allowed to create unclassified documents, regardless of this permission. |
| Document: Vault File Manager | Grants ability to check out documents to Vault File Manager using the Check Out to File Manager action or Document Check Out bulk action. |
| Document: Download Non-Protected Rendition | Grants ability to download viewable renditions without any Vault-configured security settings or Vault protection applied. |
| Object: Bulk Action | Grants the ability to perform bulk object record updates; note that you'll also need the correct object role-based permissions to update an object record. |
| Object: Merge Records | Grants the ability to perform record merges; note that you'll also need the correct object role-based permissions to read, update, and delete the object records. |
| User: Allow As A Delegate | Grants the permission to allow a user to be selected as a delegate through the Delegated Access feature. |
| User: View User Information | Grants the ability to view the name and identifying information of other users in this Vault, use the Send as Link action, and view Timeline View and Sharing Settings information on the Doc Info page. Users without this permission may only see the names and identifying details of other users who share the same email domain. For example, Teresa, whose email is tibanez@veepharm.com can see the user information of all @veepharm.com users, but she can't see @medi-review.com users. |
| User: View User Profile | Grants users the ability to view their own user profile and see the User Profile option in their user dropdown menu. |
| Search: Manage Archives | Grants ability to manage search archives; note that this also grants the View Archive permission. |
| Search: Term Suggestions | Grants ability to see search term suggestions. Search term suggestions are not affected by any other permission. For example, a user will see a search term suggestion for "cholecap" even if they don't have access to the "Cholecap" Product. |
| Search: User Filters | Grants ability to see filters on user reference fields when searching for documents or object records, for example, Created By and Last Modified By. This setting is typically disabled for security profiles that apply to sponsors when a CRO wants to hide user information. |
| Search: View Archive | Grants ability to view documents in the archive; note that you'll also need the correct document role-based permissions. |
| Application: Send to CDN | Grants ability to send a document to CDN through a private API; this permission is only used by CRM's conversion tool for integrations and should not be applied to users. |
| Application: Multichannel Loader | Ability to access the CRM Publishing and Multichannel Loader tabs; by default, this permission is only granted to users with the standard System Admin or Vault Owner security profiles. |
| Views: Share Views | Grants ability to share custom views with other users. |
| Views: View Administration |
Grants ability to:
|
| Audit Trail: View | Grants ability to access the Audit Trail option for individual documents and object records through the All Actions menu; note that you must also have the appropriate role-based permissions to perform this action. |
| Audit Trail: Export | Grants ability to export a document or object record audit trail; note that you must also have the Audit Trail > View permission before you can export. |
| File Staging: Access | Grants ability to connect to the file staging server and download files extracted using Vault Loader (document source files and renditions). This permission does not grant the ability to upload files to the server or view directories created by other users. Users must have both this permission and API: Access API to download files. |
| File Staging: Access via Vault File Manager | Grants ability to connect to the file staging server and upload files and folders using Vault File Manager. This permission does not grant the ability to upload files to the server or view directories created by other users. |
| EDL Matching: Run | Ability to access the Start Now action on scheduled batch matching job or the Match Documents action on an individual EDL item |
| EDL Matching: Edit Match Fields | Ability to edit the EDL Matching Field picklist on an EDL record |
| EDL Matching: Edit Document Matches | Ability to lock the document version matched with an EDL Item record, exclude or include matched documents in summary fields, and manually match/unmatch documents from an EDL Item |
| Create Button: Show Create Button | Ability to see the Create button on all tabs. This option is turned on by default on all existing standard and custom permission sets and turned off by default on all new custom permission sets. |
Vault Owner Actions
These permissions control actions that were previously reserved for users with the Vault Owner user type.
| Permission | Access Details |
|---|---|
| Vault Owner Actions: Re-render | Grants ability to save page rotations, re-render a document that already has a viewable rendition, and delete a viewable rendition; see related article. |
| Vault Owner Actions: Power Delete | Grants ability delete documents that otherwise could not be deleted, for example, documents in steady state; see related article. |
| Vault Owner Actions: Vault Loader | Grants ability to see and use the Loader tab. |
| Vault Owner Actions Record Migration | Grants ability to load object records (through Vault Loader or API only) in a lifecycle state other than Starting State |
| Vault Owner Actions: Document Migration | Grants ability to apply Document Migration Mode only to a batch of new documents upon creation through Vault Loader or API; see related article. |
| All Documents: All Document Actions | Grants all permissions in ‘All Documents’; see details for individual permissions below. |
| All Documents: All Document Read | Grants view access to all documents, regardless of the document’s Sharing Settings. |
| All Documents: All Document Create | Grants access to create documents or binders for any document type, regardless of document type Create settings |
| All Object Records: All Object Records Actions | Grants access to all permissions in ‘All Object Records’; see details for individual permissions below. |
| All Object Records: All Object Record Read | Grants view access to all object records, regardless of the record’s Sharing Settings. |
| All Object Records: All Object Record Edit | Grants edit access (same as Owner role) to all object records, regardless of the record’s Sharing Settings. |
| All Object Records: All Object Record Delete | Grants delete access to all object records, regardless of the record’s Sharing Settings. |
| Legal Hold: Apply | Grants ability to apply/edit a legal hold to a single document or as a bulk action. |
| Legal Hold: Remove | Grants ability to remove a legal hold from a single document or as a bulk action. |
| Connections: Manage Connections | Grants the ability to view and manage connections in the Connections tab in Vault Admin. |
| Integrations: Manage Integrations | Grants the ability to view and manage integration configuration such as user exception messages, integration rules, and Spark message processors in the Connections tab in Vault Admin. |
Client Applications
These permissions control actions related to Veeva Snap.
| Permission | Access Details |
|---|---|
| Veeva Snap: Enable | Grants ability to upload a document to Vault from the Veeva Snap mobile application. |
| Veeva Snap: Enable Direct Installation | Grants ability to use the public version of Veeva Snap available from the Apple App Store. Without this permission, Vault users must use the Veeva Snap application version provisioned by their organization. |
Object Permissions
From the Objects tab, you can assign permission to view, create, edit, and delete object records at the object level. For example, a user could have full permissions to Study Site object records, Edit permission to Study records, Read access to Product records, and no access to Country records. From this tab, you can also set up field-level security, action-level security, and object control-level security on objects.
For each object, you can grant or remove the following permissions:
- Read: Allows you to view records for the object; see details
- Create: Allows you to create new object record or to copy an existing record; allows you to access Business Admin > Objects. With this permission, Vault automatically grants Edit permission.
- Edit: Allows you to edit an existing object record, including adding/deleting/versioning attachments; allows you to access Business Admin > Objects
- Delete: Allows you to delete an existing object record
Granting these permissions for All Objects means that the permission set will automatically include the permissions for any object created in the future.
Object Control Permissions
You can also modify permissions for object controls from the Objects tab. Object controls are used to control whether users are able to view certain UI elements. Object controls associated with a given object or available to all objects appear under the Object Control Permissions heading.
Unlike object fields or actions, the only permission that you can assign for object controls is View. You can assign this permission on a single control or select All Object Controls. If the object control is associated with an object type, you can only grant View permissions across all object types. You cannot grant View permissions per control per object type.
Dynamic Access Control
Dynamic Access Control interacts with these settings to prevent users from viewing, editing, or deleting specific object records. If an object uses DAC, users must have both the appropriate permission through their security profile and access through the individual object record’s sharing settings. When creating a record, Vault only considers the user’s permission sets.
Tab Permissions
From the Tabs section, you can control what tabs and tab collections a user can view. All standard tabs, custom tabs, and custom tab collections can be configured here. By default, users with the View permission on All tabs can view newly created tabs, and users with the View permission on All Tab Collections can view newly created tab collections.
About the Read Permission
Users must have the Read permission on an object to:
- View a custom object tab
- View an object tab in Business Admin
- See object record details in a hovercard
- Select an object record when editing document or object fields
- Create a report using a report type that includes the object
- View results for a report using a report type that includes the object
Users without this permission can still view object record labels throughout Vault. For example, they can still search for documents using object fields for an object they cannot view.
Pages Permissions
From the Pages section, you can control which application-specific Pages a user can access.
Mobile Permissions
From the Mobile section, you can control which tabs a user can view in Veeva Vault Mobile.
Hidden or Missing Permissions
When you open a permission set, some of the permissions listed above will not appear. If a permission does not appear:
- The permission is specific to another Vault application or another application family. For example, the permission is specific to RIM and you are in a Clinical Operations Vault.
- The permission is related to a feature that is not enabled on your Vault. Sometimes, permissions are hidden when the related feature is not enabled.