# Adding & Managing Object Lifecycle Roles

When you create a new object lifecycle, you can add custom application roles to an object lifecycle as well as edit role [permissions][1]. Vault automatically associates the standard _Editor, Consumer,_ and _Owner_ roles with the object lifecycle. You don't have to associate an object with a lifecycle to view or add roles.

You can view and manage roles for an object lifecycle from the **Admin > Configuration > Object Lifecycles > [Lifecycle] > Roles**. From this area, you can add, delete, or deactivate custom roles and edit permissions for roles or specific lifecycle states. You can also navigate to an object lifecycle by clicking on the lifecycle link from the associated object's detail page.

## How to Add Roles

To add a role:

  1. Click the **Add** button to open the **Search: Application Role** window.
  2. Click the plus **(+)** icon next to the role(s) you wish to add. You can select from existing application role records that have not already been added to the object lifecycle.
  3. Click **OK**.

## How to Remove Roles {#add-roles}

Removing roles only detaches them from the object lifecycle. There are no changes to the _Application Role_ record.

To remove a role:

  1. In the **Roles** section, hover over the role you wish to remove.
  2. Click the **X** (remove) icon.
  3. Click **Continue** in the confirmation window to confirm the action.

## How to Edit Role Permissions {#edit-role-permissions}

When you initially add a role, Vault automatically assigns the _Read_ permission to it. By default, the _Owner_ role has the _View_, _Edit_, and _Delete_ permissions.

To edit permissions:

  1. Navigate to **Admin > Configuration > Object Lifecycles > [Lifecycle] > Roles**.
  2. Click **Edit**.
  3. Use the checkboxes to assign or remove permissions for each role.
  4. Click **Save**. Permission changes take effect immediately.

## How to Edit Role Permissions on Lifecycle States {#edit-role-lifecycle-state-permissions}

When editing permissions on a custom role, you can also grant or remove the Read, _Edit_, _Delete_ permissions for a specific lifecycle state. Updating a permission on a role applies the permission to every lifecycle state. For example, if you grant the _Edit_ permission on a custom role, Vault applies that permission on all lifecycle states.

To edit permissions on lifecycle states:

  1. Navigate to **Admin > Configuration > Object Lifecycles > [Lifecycle] > Roles**.
  2. Click **Edit**.
  3. Click the arrow (expand) icon next to a role to reveal the lifecycle states.
  4. Use the checkboxes to assign or remove permissions for each state. The _Edit_ permission also grants the _Read_ permission while granting _Delete_ also grants the _Edit_ and _Read_ permissions.
  5. Click **Save**. Permission changes take effect immediately.

## Application Roles

When using Dynamic Access Control for documents, application roles (records in the _Application Role_ object) map to document lifecycle roles. In DAC for objects, you can use application roles directly on the object. The role on the object will have the same label as the _Application Role_ record.

You can create or edit application roles from **Admin > Users & Groups > Application Roles**.

## System-Managed Objects

Vault does not allow you to assign lifecycles on system-managed objects (_Performance Statistics_, etc.). These objects cannot support custom roles and cannot use Matching Sharing Rules.

If an object is system-managed, its **Details** tab shows **System-managed: Records managed by the System**.

 [1]: #edit-role-permissions