Manage Case Access Group Security

Learn how to manage Access Groups that control team members’ ability to view and edit Inbox Items and Cases, as well as unblinded information.

Last Updated Apr 27, 2023

Sections in This Article

• About Case Access Group Security
• Prerequisites
• How the System Matches Cases to Case Access Groups
  • Case Access Group Field Matching
• Application Roles and Case Access Group Security
  • System-Provided Case Access Groups
• Add Case Access Groups
  • Create Case Assignment Rules
  • Create User Access Group Assignments
• Assign Case Access Groups and Roles to User Records
• Manage Access to PII and Unblinded Information

About Case Access Group Security

With Case Access Group Security, you assign individuals to groups and roles, including granular control over security for unblinded and personally identifiable information (PII). For each Access Group, you set up which Inbox Items and Cases are visible to the group based on such factors as region, report type, market segment, and organization. Users are then given a role on each group as applicable.

Some example use cases are creating Access Groups based on the following:

• Origin of the Case, for example, EMA, MHRA, Partner
• Product Type, for example, Cosmetics, Drugs
• Lifecycle state, for example, users with access to specific domestic and localized Cases can only see global Cases in the Approved state

For managing sensitive information, Case Access Group Security enables hiding only the fields that contain unblinded information and letting all other fields be viewable and editable. This is useful in such situations as follows:

• Surfacing Case Product data when doing so would not harm the integrity of the Study (for example, Concomitant or Standard of Care products)
• Allowing some team members to see and edit non-sensitive fields on blinded products, while sensitive fields (such as Product, Lot Number) remain protected
• Allowing some team members to see and edit all fields on non-Study products with a Drug Role of Concomitant or External

To ensure Case Access Groups provide the simplest and most effective security solutions, contact Veeva Managed Services for a consultation.

Note For intake, Case Access Groups are available for Inbox Items only. They are not supported for AERs.

Prerequisites

Consider the following prerequisites for setting up Case Access Groups:

• You have consulted with Veeva Managed Services about your needs and received their recommendations for Case Access Group setup.
• Your Admin must have enabled Case Access Group Security.

How the System Matches Cases to Case Access Groups

For Inbox Items and Cases, the system grants access to the Case Access Group that is the most specific match, based on the following criteria:

• Sponsor
• Country
• Report Type
• Study Type
• Study
• Origin
• Intake Method and Format
• Market Segment

Toggle through the following tabs to see diagrams that illustrate system-selection of the most specific Case Access Group.

• Case 000001
• Case 000002

• 
• 

Case Access Group Field Matching

The system applies the following logic when matching Inbox Item and Case fields to Case Access Groups Assignment fields:

• To be considered a match, the field on the Inbox Item or Case must have a value. Blank fields are never evaluated when matching.
• To match based on Intake Type, both the Intake Format and Intake Method must be populated.

The following table shows how the system matches the fields on the Case Access Group Assignment record to the fields on the Inbox Item and Case.

Case Access Group Assignment Field	Inbox Item	Case
Sponsor (sponsor__v)	Organization (organization__v)	Organization (organization__v)
Report Type (report_type__v)	Report Type (report_type__v)	Report Type (report_type__v)
Country (country__v)	Country (country__v)	Event Country (event_country__v)
Study (study__v)	Study (study__v)	Study (study__v)
Study Type (study_type__v)	(study__v.study_type__v)	Study Type (study_product_reason__v)
Origin (origin__v)	(inbound_transmission.origin__v)	(inbound_transmission.origin__v)
Intake Format (intake_format__v)	Intake Format (intake_format__v)	Intake Format (intake_format__v)
Intake Method (intake_method__v)	Intake Method (intake_method__v)	Intake Method (intake_method__v)
Market Segment (market_segment__v)	Market Segment (market_segment__v)	Market Segment (market_segment__v)

Application Roles and Case Access Group Security

While each user is assigned an application role to control their access to Case-related data and workflows at an organization level, with Case Access Groups you can control access to personally identifiable information (PII) and unblinded information at the object and field levels.

For each Case Access Group a team member is assigned to, you specify their application role within that group. When they are processing Cases for the associated Access Group, that application role determines their role on the Case. This enables you, for example, to give a Case Processor the ability to view unblinded information for some product types and sponsors, when they do not have access to view that information at the organization level. Follow your organization’s process when assigning roles.

Vault Safety maps the user’s application role from the parent record to all child records. This means, for example, that if a user is a Viewer on a Case, they will also be a Viewer on all of the Case child records. Their access to PII and unblinded information is also mapped to the child records.

System-managed roles for Case Access Groups include the following:

• Viewer
• Editor
• PII Unmasked
• Study Unmasked

Note Assigning users to the appropriate role is part of the consultation with Veeva Managed Services.

System-Provided Case Access Groups

We recommend assigning team members to your organization’s custom Case Access Groups. However, Vault Safety also includes system-provided groups. The following table describes the default Case Access Groups, along with their access, benefits, and limitations.

Case Access Group	Access	Benefit	Limitation
General Access Group	Inbox Items and Cases assigned to the General Access Group and with no Case Access Group assignment are visible to members of this group.	This may be beneficial for organizations where all users have access to all Cases.	Cases accessible to this group may be difficult to predict. We recommend against using this group for team members who should have limited access to Inbox Items and Cases. This includes, for example, Sponsor users in a Contract Research Organization (CRO) Vault.
All Access Group	All Inbox Items and Cases are visible to members of this group. Cases are never assigned to this Case Access Group.	Available for senior staff who should have access to all Inbox Items and Cases.	We recommend against using this group for CROs, since it could result in an individual accessing Cases across all Sponsors.

Add Case Access Groups

Complete the following steps to add Case Access Groups:

1. Go to Business Admin > Objects > Case Access Groups.
2. Select Create.
3. In the Details section, enter a Group Name and API Name.
4. Select Save.

Create Case Assignment Rules

Within a Case Access Group, you can create as many Case Assignment Rules as required. We recommend using the simplest configurations whenever possible.

Sponsor is the only required field on a Case Assignment Rules record.

1. In the selected Case Access Group, in the Case Assignment Rules section, select Create.
2. Complete the Create Case Access Group Assignment fields.
3. Select Save.

Field	Description
Access Group	This is populated by the system based on the associated Case Access Group.
Sponsor	Select the Organization for Inbox Items and Cases that will be accessible to the selected Case Access Group.
Report Type	(Optional) Select a Report Type from the picklist.
Country	(Optional) Select a Country from the picklist.
Origin	(Optional) Select the sending organization for a given case. For example, select EMA to limit the Case Access Group to Cases downloaded from EudraVigilance.
Intake Format	(Optional) Select an intake format from the picklist. Note When using Intake Format as a matching criteria, the Intake Method field must also be used.
Intake Method	(Optional) Select an intake method from the picklist. Note When using Intake Method as a matching criteria, the Intake Format field must also be used.
Study Type	(Optional) Select a Study Type from the picklist.
Study	(Optional) Select a Study from the dropdown list.
Market Segment	(Optional) Select the Market Segment associated with the Study for Study Cases or the primary Product for postmarket Cases.

Create User Access Group Assignments

Within a Case Access Group, you can assign as many users to the Access Group as required. You can also set up a single user with multiple roles by creating multiple User Access Group Assignment records.

1. In the selected Case Access Group, in the User Access Group Assignment section, select Create.
2. Complete the Create User Access Group Assignment fields.
3. Select Save.

Field	Description
User	Select a user from the dropdown list.
Role	Select the applicable Role for the user on Cases within the selected Case Access Group. Users with multiple roles will require multiple User Access Group Assignment records.
User Blinded	Select whether the user should have access to unblinded information for Cases within the selected Case Access Group.
PII Access	Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group.
Localization	Select the localization for the user on Cases within the Case Access Group. To give access to global Cases only, leave this field blank. To give access to all Cases in a localization and read-only access to global Cases, enter a specific localization. To give access to all global and localized Cases, enter “Global”.

Assign Case Access Groups and Roles to User Records

In addition to assigning users to Case Access Groups through Case Access Group records, you can assign users to Case Access Groups through User records.

For each user, add as many User Access Group Assignments as required. On each record, you define the user’s role on Cases, as well as their access to unblinded and protected information and the countries they work in, if applicable. You can also set up a single user with multiple roles in a Case Access Group by creating multiple User Access Group Assignment records.

1. Go to Business Admin > Objects > Users > [user].
2. In the User Access Group Assignment section, select Create.
3. Complete the Create User Access Group Assignment fields.
4. Select Save.

Field	Description
Name	This field is populated by the system.
Access Group	Select a Case Access Group from the picklist.
Role	Select a Role from the picklist. This role is applied each time the user interacts with Cases for the Case Access Group.
User Blinded	Select whether the user should have access to unblinded information for Cases within the selected Case Access Group.
PII Access	Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group.
Localization	Select the localization for the user on Cases within the Case Access Group. To give access to global Cases only, leave this field blank. To give access to all Cases in a localization and read-only access to global Cases, enter a specific localization. To give access to all global and localized Cases, enter “Global”.

Manage Access to PII and Unblinded Information

Vault Safety includes multiple ways to control access to PII and unblinded information on Inbox Items and Cases. For standard application roles, such as Data Entry and Medical Reviewer, we recommend that you configure them to hide PII and unblinded information. With Case Access Groups enabled, a user can be granted additional roles that provide access to PII and unblinded information for a given Case.

---

Configure User Access to Inbox Items

← Previous

Manage the MedDRA Dictionary

Next →

Related Docs

• Configure Aggregate Reporting Families
• Configure Blind Protection Relatedness Override
• Manage the IMDRF Dictionary
• Manage the MedDRA Dictionary