Learn how to manage access groups that control team members’ ability to view and edit Inbox Items and Cases, as well as unblinded information. To ensure Case Access Group Security provides the simplest and most effective security solutions, contact Veeva Managed Services for a consultation.
About Case Access Group Security
With Case Access Group Security, you assign individuals to groups and roles and have granular control over security for unblinded and personally identifiable information (PII). For each access group, you set up which Inbox Items and Cases are visible to the group based on such factors as region, report type, market segment, country, and organization. Users are then given a role on each group as applicable.
Some example use cases are creating access groups based on the following:
- Origin of the Case, for example, EMA, MHRA, Partner
- Product Type, for example, Cosmetics, Drugs
- Lifecycle state, for example, users with access to specific domestic and Localized Cases can only see global Cases in the Approved state
For managing sensitive information, Case Access Group Security enables hiding only the fields that contain unblinded information and letting all other fields be viewable and editable. This is useful in such situations as follows:
- Surfacing Case Product data when doing so would not harm the integrity of the Study (for example, Concomitant or Standard of Care products)
- Allowing some team members to see and edit non-sensitive fields on blinded Products, while sensitive fields (such as Product and Lot Number) remain protected
- Allowing some team members to see and edit all fields on non-study Products with a Drug Role of Concomitant or External
Note: When using Case Access Groups, you cannot assign roles as part of a workflow. We recommend using Strict Inbox Item Locking or Strict Case Locking instead.
Prerequisites
Consider the following prerequisites for setting up Case Access Groups:
- You have consulted with Veeva Managed Services about your needs and received their recommendations for Case Access Group setup.
- You have enabled Case Access Group Security.
How Vault Matches Cases to Case Access Groups
For Inbox Items and Cases, Vault grants access to the Case Access Group that is the most specific match, based on the following criteria:
- Sponsor
- Country
- Report Type
- Study Type
- Study
- Origin
- Intake Method and Format
- Market Segment
For criteria that your organization doesn’t need to match against, leave those fields blank. Vault considers blank values to mean “Any” when matching, allowing you to set up fewer assignment rules.
Note: To match based on Intake Type, you must populate the Intake Format and Intake Method fields.
If you have configured your Vault to display Inbound Transmission records on Inbox Items and Cases and Inbound Transmission layout to include the Case Access Group and Case Access Group Assignment Reason fields, those field values provide details on which Case Access Group was assigned to a Case and why.
Case Access Group Examples
See the following diagrams that illustrate Vault’s selection of the most specific Case Access Group.
CASE 000001
CASE 000002
Case Access Group Assignment Fields
The following table shows how Vault matches the fields on the Case Access Group Assignment record to the fields on the Inbox Item and Case.
Case Access Group Assignment Field | Inbox Item | Case |
---|---|---|
Sponsor ( sponsor__v ) |
Organization ( organization__v ) |
Organization ( organization__v ) |
Report Type ( report_type__v ) |
Report Type ( report_type__v ) |
Report Type ( report_type__v ) |
Country ( country__v ) |
Country ( country__v ) |
Reporter Country If the Reporter Country field is blank, Vault matches to Event Country ( |
Study ( study__v ) |
Study ( study__v ) |
Study ( study__v ) |
Study Type ( study_type__v ) |
( Note: When the Study field on an Inbox Item is blank, but its source file has a specified Study Type, Vault uses the source’s Study Type when assigning a Case Access Group. |
Study Type ( study_product_reason__v ) |
Origin ( origin__v ) |
(inbound_transmission.origin__v ) |
(inbound_transmission.origin__v ) |
Intake Format ( intake_format__v ) |
Intake Format ( intake_format__v ) |
Intake Format ( intake_format__v ) |
Intake Method ( intake_method__v ) |
Intake Method ( intake_method__v ) |
Intake Method ( intake_method__v ) |
Market Segment ( market_segment__v ) |
Market Segment ( market_segment__v ) |
Market Segment ( market_segment__v ) |
Application Roles and Case Access Group Security
While each user is assigned an application role to control their access to Case-related data and workflows at an organization level, with Case Access Groups you can control access to personally identifiable information (PII) and unblinded information at the object and field levels.
For each Case Access Group a team member is assigned to, you specify their application role within that group. When they are processing Cases for the associated access group, that application role determines their role on the Case. This enables you, for example, to give a Case Processor the ability to view unblinded information for some product types and sponsors, when they do not have access to view that information at the organization level. Follow your organization’s process when assigning roles.
System-managed roles for Case Access Groups include the following:
- Viewer
- Editor
- PII Unmasked
- Study Unmasked
Note: When assigning access to Case Product Registration values, Vault considers the user’s role across both global and Localized Cases and grants the more permissive role. For example, if the user has the Editor role on Localized Cases and the Viewer role on global Cases, they will have the Editor role on Case Product Registration values.
Vault maps the user’s application role from the parent record to all child records. This means, for example, that if a user is a Viewer on a Case, they will also be a Viewer on all of the Case child records. Their access to PII and unblinded information is also mapped to the child records.
Note: Assigning users to the appropriate role is part of the consultation with Veeva Managed Services.
System-Provided Case Access Groups
We recommend assigning team members to your organization’s custom Case Access Groups. However, Vault also includes system-provided groups. The following sections describes the default Case Access Groups, along with their access, benefits, and limitations.
General Access Group
- Access: Inbox Items and Cases assigned to the General Access Group and with no Case Access Group assignment are visible to members of this group.
- Benefit: This may be beneficial for organizations where all users have access to all Cases.
- Limitation: Cases accessible to this group may be difficult to predict. We recommend against using this group for team members who should have limited access to Inbox Items and Cases. This includes, for example, Sponsor users in a Contract Research Organization (CRO) Vault.
All Access Group
- Access: All Inbox Items and Cases are visible to members of this group. Cases are never assigned to this Case Access Group.
- Benefit: Available for senior staff who should have access to all Inbox Items and Cases.
- Limitation: We recommend against using this group for CROs, since it could result in an individual accessing Cases across all Sponsors.
Add Case Access Groups
Complete the following steps to add Case Access Groups:
- Navigate to Business Admin > Objects > Case Access Groups.
- Select Create.
- In the Details section, enter a Group Name and API Name.
- Select Save.
Create Case Assignment Rules
Within a Case Access Group, you can create as many Case Assignment Rules as needed. We recommend using the simplest configurations whenever possible. To do this:
- Navigate to the applicable Case Access Group.
- In the Case Assignment Rules section, select Create.
- In the Create Case Access Group Assignment window, select a Sponsor.
- (Optional) Populate the relevant fields.
- Select Save.
Case Assignment Rule Fields
Field | Description |
---|---|
Access Group | This is populated by Vault based on the associated Case Access Group. |
Sponsor | Select the Organization for Inbox Items and Cases that will be accessible to the selected Case Access Group. |
Report Type | (Optional) Select a Report Type from the picklist. |
Country | (Optional) Select a Country from the picklist. |
Origin | (Optional) Select the sending organization for a given case.
For example, select EMA to limit the Case Access Group to Cases downloaded from EudraVigilance. |
Intake Format | (Optional) Select a format from the picklist.
Note: When using Intake Format as a matching criteria, the Intake Method field must also be used. |
Intake Method | (Optional) Select a method from the picklist.
Note: When using Intake Method as a matching criteria, the Intake Format field must also be used. |
Study Type | (Optional) Select a type from the picklist. |
Study | (Optional) Select a Study from the dropdown list. |
Market Segment | (Optional) Select the Market Segment associated with the Study for Study Cases or the primary Product for postmarket Cases. |
Create User Access Group Assignments
Within a Case Access Group, you can assign as many users to the access group as required. You can also set up a single user with multiple roles by creating multiple User Access Group Assignment records. To do this:
- Navigate to the applicable Case Access Group.
- In the User Access Group Assignment section, select Create.
- In the Create User Access Group Assignment window, populate the relevant fields.
- Select Save.
User Access Group Assignment Fields
Field | Description |
---|---|
User | Select a User from the dropdown list. |
Role | Select the applicable Role for the user on Cases within the selected Case Access Group. Users with multiple roles will require multiple User Access Group Assignment records. |
User Blinded | Select whether the user should have access to unblinded information for Cases within the selected Case Access Group. |
PII Access | Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group. |
Localization | Select the Localization for the user on Cases within the Case Access Group. Consider the following when completing this field:
|
Country | Select a country from the picklist. |
Subject Information Review | Select whether the user should have access to subject information for Cases with SAEs received from the Safety-EDC Vault Connection. |
User Access to Transmissions
The Localization setting on User Access Group Assignments controls user access to Inbound Transmission and Transmission records. To grant access to Inbound Transmission records, the user’s Localization setting must match the Localization value of the Case linked on the Inbound Transmission record. If no Case exists, Vault considers the Localization field of the associated Inbox Item. To grant access to Transmission records from within a Localized Case record, the user’s Localization setting must match the Localization value of the Localized Case linked on the Transmission record.
Manage Case Assignment Teams
You can use Case Assignment Teams when the Case volume demands more management and Case processing effort. A Case Assignment Team consists of a group of users, typically with a team leader, that manages a subset of Cases. The subset can be based on certain Case types (for example, Study Cases), Country, or localization-specific Cases. Or, it can simply be a division of volume. You can add multiple Case Assignment Teams to a Case Access Group.
Note: To assign a Case Assignment Team, an access group must first be set on the Case.
After setting the Case Access Group on the Case, a user can then select a Case Assignment Team within this access group after considering the intake or Case processing task. Users an select from the following assignment options:
- Team Assignment: The team leader assigns the Case to a team member.
- Manual Assignment: A team member assigns the Case to themselves.
You can use field permissions to grant Edit access for these assignment fields.
Vault locks the Inbox Item or Case once is assigned to a user, it is locked. For more information, see Strict Inbox Item Locking and Strict Case Locking.
On the Inbox Item and Case tab of the user side of your Vault, team leaders and members can filter or create a view to display only Inbox Items and Cases assigned to their Case Assignment Team or to themselves.
Prerequisites
Before adding Case Assignment Teams, you must enable Case Assignment.
Create a Case Assignment Team
To create Case Assignment Teams:
- Navigate to Business Admin > Objects > Case Assignment Teams.
- Select Create.
- Enter a Name.
- Ensure the Status is
Active
. - Select a Case Access Group.
- (Optional) Select a Team Leader. This user can assign team members to Inbox Items and Cases.
- Select Save to reveal additional sections.
- Expand the Team Members section.
- Select Add.
- In the Search: User window, select the users you want to add to add to this team. You can select multiple users at once and filter for a more specific list.
- Select OK.
- Select Save.
After saving the record, you can find this Case Assignment Team linked in the specified Case Access Group in the Case Assignment Teams section.
Vaule updates the following fields based on user assignment:
- When a user is added to or removed from a Case Assignment Team, Vault updates the Total Team Members field value in the Team Capacity section.
- Vault updates the Team Caseload field value when a team member on the Case Assignment Team is assigned a new Inbox Item or Case. Vault does not update the Team Caseload value when a Case Assignment Team is assigned.
- Vault updates the User Current Caseload field on the User Assignment Attributes records when a user is assigned to an Inbox Item or Case.
Inbox Items and Cases in a Completed state (for example, Promoted) do not count towards the Team Caseload or User Current Caseload. To view and edit the Completed states, go to Admin > Security > Safety General Settings > Case Completed. The Completed states for Inbox Item include Promoted and Rejected, which you cannot edit.
The Inbox Items and Cases that are assigned to this team or to a member of this team are listed in the Team Inbox Items and Team Cases sections, respectively. You can also create Inbox Items and Cases by expanding these sections and selecting Create. These records will automatically be assigned to this Case Assignment Team.
Manage Case Access Groups for Case Assignment Teams
- Navigate to Business Admin > Objects > Case Access Groups > Case Access Group.
- Open the applicable record.
- Select Edit.
- In the Details section, select an option for the Role Assignment Method field:
- All Users in Access Group: Grants all users in this Case Access Group access to edit the Inbox Item or Case.
- Users on Assigned Team: Grants only users in the assigned Case Assignment Team access to edit the Inbox Item or Case.
- Select Save.
Note: You cannot modify the Role Assignment Method field for the All Access or General Access groups.
How Vault Grants Case Access
Scenario 1: The Inbox Item or Case has an assigned Case Assignment Team
Vault checks the Role Assignment Method field value for this access group.
- If the Role Assignment Method is
Users on Assigned Team
, Vault grants the following permissions:- Team members in the Case Assignment Team have edit access and can be assigned to the Inbox Item or Case.
- Users in the set access group that are not assigned to any teams have edit access and can be assigned to the Inbox Item or Case.
- Users in this access group but not on this team are granted viewer access.
- If the Role Assignment Method is
All Users in Access Group
or blank, Vault defaults to existing Case Access Group security behavior.
Scenario 2: The Inbox Item or Case has no assigned Case Assignment Team
If the Case Assignment Team field is not populated for the Inbox Item or Case, Vault defaults to existing Case Access Group security behavior.
Strict Inbox Item Locking
Similar to strict Case locking, you can prevent users from editing an Inbox Item unless they are assigned to that Inbox Item in the Assigned To field (this field may be Locked By User
, depending on your Admin’s configuration). Once this field is populated, the Inbox Item is considered locked and assigned to that user only.
For Case Assignment Teams, the team leader and team members use this field for user assignment. However, you do not need to enable Case Assignment Teams to use this field.
To use strict Inbox Item locking, you must add this field to the Inbox Item layout and grant object lifecycle permissions.
Assign Case Access Groups and Roles to User Records
In addition to assigning users to Case Access Groups through Case Access Group records, you can assign users to Case Access Groups through User records. For each user, add as many User Access Group Assignments as required. On each record, you define the user’s role on Cases, as well as their access to unblinded and protected information and the countries they work in, if applicable. You can also set up a single user with multiple roles in a Case Access Group by creating multiple User Access Group Assignment records. To do this:
- Navigate to Business Admin > Objects > Users > [User].
- In the Case Access Group Assignment section, select Create.
- In the Create User Access Group Assignment window, populate the applicable fields.
- Select Save.
User Access Group Assignment Fields
Field | Description |
---|---|
User | This field is populated by Vault. |
Access Group | Select a Case Access Group from the picklist. |
Role | Select a Role from the picklist. This role is applied each time the user interacts with Cases for the Case Access Group. |
User Blinded | Select whether the user should have access to unblinded information for Cases within the selected Case Access Group. |
PII Access | Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group. |
Localization | Select the Localization for the user on Cases within the Case Access Group. Consider the following when completing this field:
|
Country | Select a Country from the picklist. |
Note: Depending on your configuration of the User object, you may see the Case Access Group Override field. When populated, all Inbox Items and Cases created by that user are assigned to the selected Case Access Group. System matching logic is not used in this scenario. This is useful, for example, for a global load balancing Case Processor who may enter a Case that would qualify for a specific group though it should be maintained at the global level.
Manage Access to PII and Unblinded Information
There are multiple ways to control access to PII and unblinded information on Inbox Items and Cases. For standard application roles, such as Data Entry and Medical Reviewer, we recommend that you configure them to hide PII and unblinded information. With Case Access Groups enabled, a user can be granted additional roles that provide access to PII and unblinded information for a given Case.
Assign Case Access by Local PV Email
You have the option of assigning user access to Inbox Items based on the sender’s email address. When this feature is enabled, Vault uses the sender’s email address for Case Access Group assignment over the standard assignment rules.
For more information about email intake to Inbox Item, see Manual Intake from Emails.
Prerequisites
Before using this feature, you must complete the following tasks:
- Configure Email to Vault Safety Inbox Item
- Enable Case Access Group Security
- Enable Case Access by Local PV Email
How Vault Assigns Access Groups from Email Intake
The diagrams in the following sections illustrate how Vault assigns access groups for Inbox Items created from email intake.
- Vault sets the Sender (Person) on the Inbound Transmission
- Vault sets the Access Group field on the Inbox Item
- Vault assigns access to Inbox Item documents
Vault Sets the Sender (Person) on the Inbound Transmission
- Vault receives an Inbox Item from an email.
- Vault checks if there is a Vault Person with the same email address as the sender and who belongs to an access group.
- If a Vault Person meets these criteria, Vault populates the Sender (Person) field on the Inbound Transmission. If multiple Vault Persons meet these criteria, Vault selects the record with the latest created date on the Inbound Transmission.
Vault Sets the Access Group Field on the Inbox Item
- If a Vault Person was used to populate the Sender (Person) on the Inbound Transmission, Vault uses their Case Access Group value to populate the Access Group value of the Inbox Item.
- Otherwise, Vault uses existing Case Access Group matching logic to populate the Access Group value of the Inbox Item.
Vault Assigns Access to Inbox Item Documents
After populating the Access Group value of the Inbox Item, Vault adds the users to the Sharing Settings for all documents linked to the Inbox Item based on the Access Group. Users are granted:
- Viewer role
- Manual Assignment access
When the Access Group value of the Inbox Item is updated, Vault removes the group of users from the documents’ Sharing Settings and adds the new users based on the updated Access Group.