Security profiles are the primary way that Vault applies permission sets to individual users. Permission sets grant users the ability to view or edit certain Admin areas, or to access certain end user features. This article explains how to create and manage custom profiles and custom permission sets.
Vault includes standard security profiles and permission sets that are not editable, but also allows Admins to create and manage custom profiles and sets. You can create up to 100 custom security profiles. Standard security profiles do not count towards this limit.
If your organization is not using a certain standard security profile, you can change its status to Inactive. This option is not available for standard permission sets.
Note: When implementing any custom security or access control, Admins should perform User Acceptance Testing before making changes on a production site. Some changes can affect application-specific functionality in ways that make Vault difficult to use.
Role Permissions
To avoid complex security profile configurations, you can use an alternate method of assigning permission sets via user roles. This is helpful when users may require varying permission sets based on training or process ownership. Role permissions do not replace security profiles, instead acting as additional incremental permissions through role assignment.
How to Create New Profiles
To create a new profile:
- From Admin > Users & Groups > Security Profiles, click Create.
- Optional: Set the status to Inactive if the profile should not be assigned to users yet.
- Enter a Name for the profile and a Description.
- Click Save.
- Open the security profile and click Add to assign a permission set to the profile. Choose to add an existing set or create a new set.
- If adding an existing set, select it from the dialog’s picklist and click OK. If creating a new set, see below for details.
- Optional: Add additional permission sets. Clear a selected permission set by hovering over the set’s name, then choosing Remove from the actions (gear) menu.
How to Create Profiles by Copying
To create a new security profile by copying an existing profile:
- From Admin > Users & Groups > Security Profiles, hover over the original profile’s name and select Make a Copy from the actions (gear) menu.
- Choose whether to also copy linked permission sets. If you choose OK, Vault creates a copy of each linked set. If you choose No, Vault automatically links the new security profile to the same permission sets as the original profile.
- Optional: Set the status to Inactive if the profile should not be assigned to users yet.
- Update the Name and Description for the profile.
- Click Save. Vault will prevent you from saving the copied security profile if the original profile includes permission sets with permissions that you do not have.
- Optional: Open the security profile to add or remove permission sets. Clear a selected permission set by hovering over the set’s name, then choosing Remove from the actions (gear) menu. Add a set by clicking Add and choosing to add an existing set or create a new set.
How to Edit Profiles
You can edit a security profile by opening it from Admin > Users & Groups > Security Profiles. Click Edit to modify the security profile’s basic details or activate/deactivate the profile. (You cannot deactivate a profile that has users assigned.) You can add permission sets to a profile using the Add drop-down menu. To remove a permission set, hover over the set’s name and choose Remove from the actions (gear) menu. Permission sets on security profiles are sorted alphabetically.
For standard security profiles, the only editing option available is deactivating the profile.
How to Assign Users to Security Profiles
When editing users, there are various ways that you can assign users to security profiles. This article covers assigning users from inside the security profile.
To assign users to a security profile:
- From Admin > Users & Groups > Security Profiles, click into the profile. Open the Users tab.
- Click Edit Members.
- In the dialog, add a user by clicking the green plus (+) icon. Remove a user by clicking the red minus icon. If needed, you can search for users and filter on various criteria. When finished, click Close.
How to Create New Permission Sets
To create a new permission set:
- From Admin > Users & Groups > Permission Sets, click Create.
- Optional: Set the status to Inactive if the permission set should not be assigned to security profiles yet.
- Enter a Name for the permission set and a Description.
- Click Save.
- Open the permission set.
- Navigate to the Admin, Application, Objects or Tab section and click Edit.
- Add permissions to the permission set by selecting their checkbox. For details on each permission, see About Permission Sets. When you finish with the permissions on one tab, click Save. Vault will prevent you from saving if you’ve added a permission that you do not have.
- Repeat this process for the Admin, Application, Object, and Tab sections.
- When finished, you can add the permission set to one or more security profiles. See details above.
How to Create Permission Sets by Copying
To create a new permission set by copying an existing set:
- From Admin > Users & Groups > Permission Sets, hover over the original permission set’s name and select Make a Copy from the actions (gear) menu.
- Optional: Set the status to Inactive if the permission set should not be assigned to security profiles yet.
- Update the Name and Description for the permission set.
- Click Save. Vault will prevent you from saving the copied permission set if the original set includes a permission that you do not have.
- Open the permission set.
- Navigate to the Admin, Application, or Object tab and click Edit.
- Add permissions to the permission set by selecting their checkbox. For details on each permission, see About Permission Sets. When you finish with the permissions on one tab, click Save. Vault will prevent you from saving if you’ve added a permission that you do not have.
- Repeat this process for the Admin, Application, and Object tabs.
- When finished, you can add the permission set to one or more security profiles. See details above.
How to Edit Permission Sets
You can edit a custom permission set by opening it from Admin > Users & Groups > Permission Sets. Click Edit to modify the permission set’s basic details or activate/deactivate it.
You cannot deactivate a permission set that is assigned to a security profile, even if the profile is inactive. Change the permissions granted by the set by opening the appropriate tab (Admin, Application, Objects) and clicking Edit.
You cannot edit standard permission sets.
Related Permissions
The following permissions control your access to manage security profiles:
Permission | Access Details |
---|---|
Admin: Security Profiles: Create | Allows you to create a new security profile or make a copy of an existing profile. Without the Edit permission, you cannot make changes to the profile after creating it. |
Admin: Security Profiles: Edit | Allows you to open and edit an existing security profile. |
Admin: Security Profiles: Delete | Allows you to delete an existing custom security profile. |
Admin: Security Profiles: Assign Users | Allows you to assign users to a security profile. |
Admin: Permission Sets: Create | Allows you to create or copy permission sets. When copying profiles, Vault prompts you to also copy permission sets; you can only do that with this permission. |
Admin: Permission Sets: Edit | Allows you to open and edit an existing permission set. |
Admin: Permission Sets: Delete | Allows you to delete an existing custom security profile. |
Vault also prevents you from performing various actions that would grant permissions that you do not have. The blocked actions include:
- Assigning a permission set to a security profile if you do not have all permissions in that permission set.
- Copying a security profile that includes a permission set with permissions that you do not have.
- Assigning users to a security profile that includes a permission set with permissions you do not have.
- Saving a permission set that contains permissions you do not have. This applies when creating a new permission set or editing an existing set.
- Copying a permission set that contains permissions you do not have.
Restricted Vault Owner Profile & Permission Set
You must have the standard Vault Owner security profile to:
- Copy or edit the Vault Owner profile
- Copy the Vault Owner Actions permission set
- Connect to the Vault Java SDK debugger