For both standard and custom document lifecycle roles, you can define a subset of users who are allowed in the role and define users that Vault automatically assigns to the role at document creation or when a workflow starts. You can also override the allowed users and default users settings based on standard object-type document fields like Product and Study.
Note: This article applies to lifecycle roles that are using classic access control. For roles using DAC, see About Dynamic Access Control for Objects.
Accessing Allowed & Default Users
You can set up allowed and default users from Admin > Configuration > Document Lifecycles > [Lifecycle] > Roles > [Role] > Default Rule tab. To define overrides to the allowed and default users rules, open the Override Rules tab. Note that if your Vault has more than 1,000 rules configured on the Override Rules tab, you will need to use the export option to view the rules. The maximum number of allowed override rules is 50,000.
To configure roles, your security profile must grant you the Document Lifecycles: Edit permission.
How to Define Allowed & Default Users
To define allowed users or groups for a role:
- From the Default Rule tab, click Edit.
- Add users or groups to the list by clicking Add and entering the user/group name or using the picklist. You may need to start typing the user’s name in the selection field to find the correct option. Repeat as many times as needed to add more allowed users/groups.
- Optional: If you want Vault to assign the user/group to the role automatically, set the Default User checkbox. The Details tab has a setting to control when Vault will assign default users.
- Click Save at the bottom of the page to save changes.
How to Override Allowed & Default Users
Note: We recommend configuring Dynamic Access Control rather than role overrides.
To override the allowed users and/or default users for a role:
- From the Override Rules tab, click Edit.
- Click Add to open the Define Override Rule.
- Under Define Condition, select an object field and value. Currently, only standard object fields (Product, Study, etc.) are available. These rules always use the “equals” operator.
- Under Allowed Users, add users or groups to the list by clicking Add and entering the user/group name or using the picklist. You may need to start typing the user’s name in the selection field to find the correct option. Repeat as many times as needed to add more allowed users/groups. When users are manually assigned, this list restricts the users or groups that can be selected.
- Optional: If you want Vault to assign the user/group to the role automatically, set the Default User checkbox. The Details tab has a setting to control when Vault will assign default users.
- Click Add Rule to close the dialog.
- If you need to add additional rules with different conditions, click Add again and repeat the process.
- Click Save at the bottom of the page to save changes.
Note that the Site Country object field is not available for overrides in Clinical Operations Vaults.
Overrides on Multi-Select Fields
When you apply overrides for a controlling field that allows users to select multiple values, Vault will permit all users or groups that are allowed for at least one of the controlling field’s values. However, if any of the values selected for the controlling field on a document are related to an override rule, only users or groups from the valid override rules are allowed.
For example, if your document’s Country field has one country with an override rule and one country without, only the allowed users or groups from the override rule are valid. See the detailed example below.
Example Rules for Approver Role
Allowed Users | Overrides |
---|---|
Group-A, Group-B, Group-C | When Country is Country-A, only Group-A is allowed. When Country is Country-B, only Group-B is allowed. |
Example Scenarios for Approver Role
Selected Countries | Allowed Users |
---|---|
Country-C (no override) | Group-A, Group-B, Group-C |
Country-A, Country-C | Group-A |
Country-A, Country-B | Group-A, Group-B |
Country-A, Country-B, Country-C | Group-A, Group-B |
Document Type Settings for Default Users
When defining document types, you can assign default users for some standard roles (Editor, Consumer, and Viewer). Vault applies these defaults at document creation, but will prevent assignment if the users or groups are not listed as allowed for the role at the lifecycle level.
Vault REST API Differences
Document lifecycle role defaults do not apply to documents created by the Create Documents endpoint.
Limitations
The following limitations apply to defining users for document lifecycle roles:
- You can assign the Coordinator and Owner roles to individual users, not groups.
- You can’t configure the Owner role with default and overrride rules.
- You can only configure the Coordinator role with default and override rules.
- You can’t assign groups to the Coordinator role.