In past releases, Vault provided two security modes for administrator access to documents, known as “strict” and “non-strict.” After V10, we will continue to support the non-strict mode for Vaults that already use it, but new Vaults and those currently using the strict mode cannot switch to non-strict mode.
Enabling Strict Security Mode
To switch to strict security mode, you must have a security profile that grants the Security Settings: Edit permission.
Navigate to Admin > Settings > Security Settings. Click Edit, change the Administrator Access option, and click Save. Once you enable strict security, you cannot change this setting back.
Differences in Security Modes
When strict security is not enabled (option is “Administrators have automatic access to all documents”), Vault applies the following rules:
- All Admins’ (users with a security profile that grants at least one permission from the Admin section of permission sets OR users in the standard system-managed Business Administrators or System Administrators group) document access is based on the combination of the Owner and Coordinator role permissions from the security matrix.
- Admins with the Vault Owner Actions permissions, like All Document Read, will have additional access.
When strict security mode is enabled, Vault applies these rules:
- Document access for Admins is based on their assigned document roles and those roles’ permissions.
- Admins without explicit role-based permissions to a document (listed in Sharing Settings) cannot view the document.
- When viewing the document logs, Admins can only see the history for documents they have permissions to view.
- Customers who want an open security model can create a security profile that grants the All Documents Read permission from the Vault Owner Actions section.
Note: The standard Vault Owner Actions permission set grants users permission to view all documents in the Vault, regardless of the selected security mode.
Vault REST API Differences
If the authenticated user does not have explicit role-based View permission to the document (listed in Sharing Settings), custom document relationships added at the subtype or classification level are not returned by the Document Relationships API. Without this permission, custom relationships must be added at the document type level to be returned with the Document Relationships API.