Standard security profiles and permission sets are default configurations provided by Vault. Admins cannot update standard security profiles (including changing which permission sets are assigned) or update standard permission sets. During releases, Vault will update standard security profiles and permission sets to include newly-introduced permissions and grant access to new objects or tabs.
In contrast, custom security profiles and permission sets are created by Admins, either from scratch or by copying a standard profile or permission set. Your Vault application may also automatically provision custom profiles and permission sets. Admins can modify custom profiles or permission sets as needed. Custom profiles and permission sets are usually not affected by a Vault release.
Standard Security Profiles
The following security profiles are standard:
- Document User
- Read-Only User
- External User
- Portal User
- Legal User
- Business Administrator
- System Administrator
- Vault Owner
- External IIS User (Clinical Operations Vaults only)
Standard Permission Sets
The following permission sets are standard:
- Full User Actions
- Legal User Actions
- External User Actions
- Portal User Actions
- Read-Only User Actions
- Business Administrator Actions
- System Administrator Actions
- Vault Owner Actions
- IIS External User Actions (Clinical Operations Vaults only)
Assigning Standard Profiles
We do not recommend assigning standard profiles to business users because these configurations can be problematic for some organizations. As an example, the Document User security profile includes the following permissions (assigned through the Full User Actions permission set):
- Read access to All Objects
- Access to All Tabs in the user interface
This setup grants users with the Document User profile read access to every new custom object in a Vault, as well as access to every new custom tab. This does not allow you to control the pace at which business users gain access to new features.
Other standard profiles (Read-Only User, External User, and Business Administrator) share the same behavior. Since standard profiles and permission sets are not editable, the only option to control feature rollout is to systematically use custom profiles and permission sets.
Best Practices
By following these best practices, you can control precisely when new resources like objects and tabs become available to your business users:
Assign Users to Custom Profiles
Instead of using standard profiles, assign users to custom security profiles. Set the standard security profiles to Inactive to prevent Admins from assigning them accidentally.
How to Check Assignments
To check whether any users are assigned to standard security profiles:
- Navigate to Admin > Users & Groups > Security Profiles.
- Click into each standard security profile.
- Open the Users tab.
- Check that no users are listed.
Exceptions: Vault Owner and System Admin Profiles
The only exceptions to this best practice are the Vault Owner and System Admin profiles. These profiles have the “All” permissions for Configuration, Vault Actions, Objects, and Tabs assigned. They are automatically granted any new permissions.
Because Admins cannot grant other users access to permissions they do not also have, it’s important to have a set of users (Vault Owners & System Admins) who have access to all permissions.
Assign Custom Permission Sets to Custom Profiles
Do not assign standard permission sets to custom security profiles. Instead, you can create custom permission sets and assign those. If you want to start with a custom permission set that matches the standard, copy the standard permission set. The copy is fully editable.
Role Permissions
To avoid complex security profile configurations, you can use an alternate method of assigning permission sets via user roles. This is helpful when users may require varying permission sets based on training or process ownership. Role permissions do not replace security profiles, instead acting as additional incremental permissions through role assignment.
Do Not Use All Objects & All Tabs Permissions for Business Users
Avoid assigning the All Objects, All Tab Collections, and All Tabs permissions to profiles given to business users. These permissions are only relevant for Admin users who need access to all resources in the system.
How to Check the Permissions
To check whether a permission set includes the All Objects, All Tab Collections, and All Tabs permissions:
- Navigate to Admin > Users & Groups > Permission Sets.
- Click into each custom permission set.
- Open the Objects tab and check that All Objects is not selected.
- Open the Tabs tab. In the Tab Collections table, check that All Tab Collections is not selected. In the Tabs table, check that All is not selected.
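The checks described on this page, applied to exported data instead of the Admin UI, as an added example that is not part of Vault or its documentation. The three CSV layouts and their column names are assumptions, the sample rows are constructed, and the "System Admin" exception is taken to mean the System Administrator profile.

```python
import csv
import io

# Standard names copied from the lists on this page.
STANDARD_PROFILES = {
    "Document User", "Read-Only User", "External User", "Portal User",
    "Legal User", "Business Administrator", "System Administrator",
    "Vault Owner", "External IIS User",
}
STANDARD_PERMISSION_SETS = {
    "Full User Actions", "Legal User Actions", "External User Actions",
    "Portal User Actions", "Read-Only User Actions",
    "Business Administrator Actions", "System Administrator Actions",
    "Vault Owner Actions", "IIS External User Actions",
}
# The page's exceptions: these two standard profiles are expected to hold users.
ADMIN_EXCEPTIONS = {"Vault Owner", "System Administrator"}
BROAD_GRANTS = ("all_objects", "all_tab_collections", "all_tabs")

# Constructed sample data. Column names are hypothetical, not a Vault export format.
USERS = "user,security_profile\nalice,Document User\nbob,QA Reviewer\ncarol,Vault Owner\n"
PROFILES = ("security_profile,permission_set\n"
            "QA Reviewer,QA Reviewer Actions\nSite Monitor,Read-Only User Actions\n")
PERMISSION_SETS = ("permission_set,all_objects,all_tab_collections,all_tabs\n"
                   "QA Reviewer Actions,false,false,false\n"
                   "Site Monitor Actions,true,false,true\n")

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(users, profiles, permission_sets):
    """Return (finding, subject, detail) tuples for the checks on this page."""
    findings = []
    for r in rows(users):  # users still assigned to a standard profile
        p = r["security_profile"]
        if p in STANDARD_PROFILES and p not in ADMIN_EXCEPTIONS:
            findings.append(("user_on_standard_profile", r["user"], p))
    for r in rows(profiles):  # standard permission set on a custom profile
        if (r["security_profile"] not in STANDARD_PROFILES
                and r["permission_set"] in STANDARD_PERMISSION_SETS):
            findings.append(("standard_set_on_custom_profile",
                             r["security_profile"], r["permission_set"]))
    for r in rows(permission_sets):  # custom set with an "All" grant, for review
        if r["permission_set"] in STANDARD_PERMISSION_SETS:
            continue
        for grant in BROAD_GRANTS:
            if r[grant].strip().lower() == "true":
                findings.append(("broad_grant_in_custom_set", r["permission_set"], grant))
    return findings
```

A `broad_grant_in_custom_set` finding is a prompt for review, since a custom permission set intended for Admin users may carry these grants legitimately.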