Vault’s various user security features ensure that users can access the documents, object records, and actions that are appropriate for them. These features also prevent users from causing versioning conflicts on documents or improperly editing documents that are already complete.
The following explains common terms and important concepts in Vault’s user access model:
Term | Definition |
Atomic Security | Atomic Security allows role- and lifecycle state-level control over actions. For example, users in the Reviewer role could start the Review workflow on Campaign records in the In Progress state, but not on records in the Drafting state. It's available for both objects and documents, but different functionality is available for each. |
Document-Level Permissions | Access settings for viewing and editing a specific document which are specific to the lifecycle state of the document. |
Document Lifecycle Role |
An entity through which you assign permissions or workflow tasks to users/groups for a specific document. You can only assign document permissions to users by adding them to a roles and role assignment is on a per-document basis. Roles exist within the document lifecycle, and permissions may vary by lifecycle state. Admins may restrict some roles to only allow a subset of users. |
Document Sharing Settings |
Sharing Settings is a panel in the Doc Info page that shows and allows editing of the users/groups assigned to each role on the document. Workflow Owners can also add users/groups to specific roles from the workflow start dialog or when adding participants and reassigning tasks. |
Group |
A manually-maintained collection of users, which functions like a user when assigning roles and permissions. Assigning groups to roles, rather than individual users, makes it easier to later remove a user from roles across multiple documents. For example, Linda Kim is in the Reviewer role as an individual user for eight documents. To remove her from that role, you must make the change on each separate document. However, if Linda Kim is in the Medical Reviewers group and that group is in the Reviewer role, removing Linda Kim from the group will also remove her from the Reviewer role on all eight documents. |
License Type | License Type is a field assigned to a user during account creation. License Type can control access to the Admin area and access to some options in the Vault area. |
Object Record-Level Security |
Access settings for viewing and editing a specific object record. These settings can be defined dynamically for the object using sharing rules or defined for an individual record using manual assignment in Sharing Settings. This only applies to objects that use Dynamic Access Control. |
Object Record Role |
System-defined roles (Viewer, Editor, Owner) on each object data record that control access to the record, including access to select the record when editing document fields. This only applies to objects that use Dynamic Access Control. |
Object Record Sharing Settings |
Sharing Settings is a section in the object record details that shows all sharing rules and manual role assignments that apply to the record. The section also allows editing of the users/groups manually assigned to roles on the record. This only applies to objects that use Dynamic Access Control. |
Role |
See Document Lifecycle Role, Object Record Role, or User Role. |
Security Matrix | A settings panel in Admin > Configuration > Document Lifecycles > [Lifecycle] > States > [State] > Security that shows and allows editing of the document permissions available to each role for the lifecycle state. |
Sharing Rules |
Sharing rules are a systematic way of assigning users/groups to roles on object data records. Unlike manual assignment, these rules use an Admin-defined query to dynamically select the records to which Vault will apply a specific sharing setting. This only applies to objects that use Dynamic Access Control. |
Sharing Settings | See "Document Sharing Settings" and "Object Record Sharing Settings." |
Security Profile | Security Profile is a field assigned to a user during account creation. This profile, through assigned permission sets, can control access to the Admin and Business Admin tab collections, membership in system-managed groups, and access to some options in non-Admin tab collections. |
User | An entity with unique login credentials. Each person who accesses Vault should be a user and one person should not have multiple users. |
User Role | An association between a user and an Application Role, used to grant permissions on a role-by-role basis. Used in conjunction with security profiles. |
How Vault Determines Document Access
The following are explanations of the flow that Vault uses to determine certain kinds of access on a document:
View-Only Access to the Document
- Sharing Settings (Roles) and Security Matrix
- User’s assigned role(s) under Sharing Settings
- Exception: Users with certain Application: Vault Owner permissions have special Admin-type access.
- Document Status (lifecycle state)
- Security Matrix (for state and role)
- User’s assigned role(s) under Sharing Settings
Additional Access to Perform Actions on the Document
- Special Considerations: Disable deleting
- Document is in active workflow
- Document is in a Steady lifecycle state
- Exception: Users with certain Application: Vault Owner permissions can delete.
- Document is checked out
- Special Considerations: Disable uploading new version and check out
- Document is checked out
- Special Considerations: Disable various editing abilities
- User has Read-Only User or Portal User license type
- Sharing Settings (Roles) and Security Matrix
- User’s assigned role(s) under Sharing Settings
- Exception: Users with certain Application: Vault Owner permissions
- Document Status (lifecycle state)
- Security Matrix (for state and role)
- User’s assigned role(s) under Sharing Settings
How Users Get Document Roles
Users can be assigned to a document lifecycle role in one of these ways:
- Automatically on document creation (default users)
- Manually at any time from Sharing Settings
- Automatically on starting a workflow (default users)
- Manually on starting a workflow, in the workflow start dialog
- Manually on reassigning a task
- Manually on adding workflow participants
- Automatically when users receive the document via Send as Link (Viewer role)
Note: When a Workflow Owner assigns groups to a role through a workflow (on start dialog, reassign, or add participants) and the role has assigned tasks, Vault expands the group to its individual users when the task assignment occurs. For tasks that use the Any User option, task assignment occurs when the workflow reaches that task. For tasks that use the Every User option, task assignment occurs when the workflow starts. Any changes to the group membership after task assignment do not affect the assigned roles.