Manage Case Access Group Security

Learn how to manage Access Groups that control team members’ ability to view and edit Inbox Items and Cases, as well as unblinded information.

Last Updated

Note Beginning with 24R1 in April 2024 and for all subsequent releases, Vault Safety General Release Help content is moving to a new site. Test the new site using Limited Release content.

About Case Access Group Security

With Case Access Group Security, you assign individuals to groups and roles and have granular control over security for unblinded and personally identifiable information (PII). For each Access Group, you set up which Inbox Items and Cases are visible to the group based on such factors as region, report type, market segment, country, and organization. Users are then given a role on each group as applicable.

Some example use cases are creating Access Groups based on the following:

  • Origin of the Case, for example, EMA, MHRA, Partner
  • Product Type, for example, Cosmetics, Drugs
  • Lifecycle state, for example, users with access to specific Domestic and Localized Cases can only see Global Cases in the Approved state

For managing sensitive information, Case Access Group Security enables hiding only the fields that contain unblinded information and letting all other fields be viewable and editable. This is useful in such situations as follows:

  • Surfacing Case Product data when doing so would not harm the integrity of the Study (for example, Concomitant or Standard of Care products)
  • Allowing some team members to see and edit non-sensitive fields on blinded Products, while sensitive fields (such as Product, Lot Number) remain protected
  • Allowing some team members to see and edit all fields on non-Study Products with a Drug Role of Concomitant or External

To ensure Case Access Groups provide the simplest and most effective security solutions, contact Veeva Managed Services for a consultation.

Note For intake, Case Access Groups are available for Inbox Items only. They are not supported for AERs.

Prerequisites

Consider the following prerequisites for setting up Case Access Groups:

  • You have consulted with Veeva Managed Services about your needs and received their recommendations for Case Access Group setup.
  • Your Admin must have enabled Case Access Group Security.

How the System Matches Cases to Case Access Groups

For Inbox Items and Cases, the system grants access to the Case Access Group that is the most specific match, based on the following criteria:

  • Sponsor
  • Country
  • Report Type
  • Study Type
  • Study
  • Origin
  • Intake Method and Format
  • Market Segment

For criteria that your organization doesn’t need to match against, leave those fields blank. The system considers blank values to mean “Any” when matching. The result is that you can set up fewer Case Access Group Assignment Rules.

Note To match based on Intake Type, both the Intake Format and Intake Method fields must be populated.

Toggle through the following tabs to see diagrams that illustrate system-selection of the most specific Case Access Group.

The following table shows how the system matches the fields on the Case Access Group Assignment record to the fields on the Inbox Item and Case.

Case Access Group Assignment Field Inbox Item Case
Sponsor
(sponsor__v)		 Organization
(organization__v)		 Organization
(organization__v)
Report Type
(report_type__v)		 Report Type
(report_type__v)		 Report Type
(report_type__v)
Country
(country__v)		 Country
(country__v)

Reporter Country
(reporter_country__v)

If the Reporter Country field is blank, the system matches to Event Country
(event_country__v)
Study
(study__v)		 Study
(study__v)		 Study
(study__v)
Study Type
(study_type__v)		 (study__v.study_type__v) Study Type
(study_product_reason__v)
Origin
(origin__v)		 (inbound_transmission.origin__v) (inbound_transmission.origin__v)
Intake Format
(intake_format__v)		 Intake Format
(intake_format__v)		 Intake Format
(intake_format__v)
Intake Method
(intake_method__v)		 Intake Method
(intake_method__v)		 Intake Method
(intake_method__v)
Market Segment
(market_segment__v)		 Market Segment
(market_segment__v)		 Market Segment
(market_segment__v)

Note If your Admin has configured your Vault to display Inbound Transmission records on Inbox Items and Cases and enabled the Case Access Group and Case Access Group Assignment Reason fields on the record, they provide details on which Case Access Group was assigned to a Case and why.

Application Roles and Case Access Group Security

While each user is assigned an application role to control their access to Case-related data and workflows at an organization level, with Case Access Groups you can control access to personally identifiable information (PII) and unblinded information at the object and field levels.

For each Case Access Group a team member is assigned to, you specify their application role within that group. When they are processing Cases for the associated Access Group, that application role determines their role on the Case. This enables you, for example, to give a Case Processor the ability to view unblinded information for some product types and sponsors, when they do not have access to view that information at the organization level. Follow your organization’s process when assigning roles.

Note When assigning access to Case Product Registration values, the system considers the user’s role across both Global and Localized Cases and grants the more permissive role. For example, if the user has the Editor role on Localized Cases and the Viewer role on Global Cases, they will have the Editor role on Case Product Registration values.

Vault Safety maps the user’s application role from the parent record to all child records. This means, for example, that if a user is a Viewer on a Case, they will also be a Viewer on all of the Case child records. Their access to PII and unblinded information is also mapped to the child records.

System-managed roles for Case Access Groups include the following:

  • Viewer
  • Editor
  • PII Unmasked
  • Study Unmasked

Note Assigning users to the appropriate role is part of the consultation with Veeva Managed Services.

System-Provided Case Access Groups

We recommend assigning team members to your organization’s custom Case Access Groups. However, Vault Safety also includes system-provided groups. The following table describes the default Case Access Groups, along with their access, benefits, and limitations.

Case Access Group Access Benefit Limitation
General Access Group Inbox Items and Cases assigned to the General Access Group and with no Case Access Group assignment are visible to members of this group. This may be beneficial for organizations where all users have access to all Cases.

Cases accessible to this group may be difficult to predict.

We recommend against using this group for team members who should have limited access to Inbox Items and Cases. This includes, for example, Sponsor users in a Contract Research Organization (CRO) Vault.
All Access Group All Inbox Items and Cases are visible to members of this group. Cases are never assigned to this Case Access Group. Available for senior staff who should have access to all Inbox Items and Cases. We recommend against using this group for CROs, since it could result in an individual accessing Cases across all Sponsors.

Add Case Access Groups

Complete the following steps to add Case Access Groups:

  1. Go to Business Admin > Objects > Case Access Groups.
  2. Select Create.
  3. In the Details section, enter a Group Name and API Name.
  4. Select Save.

Create Case Assignment Rules

Within a Case Access Group, you can create as many Case Assignment Rules as required. We recommend using the simplest configurations whenever possible.

Sponsor is the only required field on a Case Assignment Rules record.

  1. In the selected Case Access Group, in the Case Assignment Rules section, select Create.
  2. Complete the Create Case Access Group Assignment fields.
  3. Select Save.
Field Description
Access Group This is populated by the system based on the associated Case Access Group.
Sponsor Select the Organization for Inbox Items and Cases that will be accessible to the selected Case Access Group.
Report Type (Optional) Select a Report Type from the picklist.
Country (Optional) Select a Country from the picklist.
Origin (Optional) Select the sending organization for a given case.

For example, select EMA to limit the Case Access Group to Cases downloaded from EudraVigilance.
Intake Format (Optional) Select an intake format from the picklist.

Note When using Intake Format as a matching criteria, the Intake Method field must also be used.
Intake Method (Optional) Select an intake method from the picklist.

Note When using Intake Method as a matching criteria, the Intake Format field must also be used.
Study Type (Optional) Select a Study Type from the picklist.
Study (Optional) Select a Study from the dropdown list.
Market Segment (Optional) Select the Market Segment associated with the Study for Study Cases or the primary Product for postmarket Cases.

Create User Access Group Assignments

Within a Case Access Group, you can assign as many users to the Access Group as required. You can also set up a single user with multiple roles by creating multiple User Access Group Assignment records.

  1. In the selected Case Access Group, in the User Access Group Assignment section, select Create.
  2. Complete the Create User Access Group Assignment fields.
  3. Select Save.
Field Description
User Select a user from the dropdown list.
Role Select the applicable Role for the user on Cases within the selected Case Access Group. Users with multiple roles will require multiple User Access Group Assignment records.
User Blinded Select whether the user should have access to unblinded information for Cases within the selected Case Access Group.
PII Access Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group.
Localization Select the Localization for the user on Cases within the Case Access Group.
  • To give access to Global Cases only, leave this field blank.
  • To give access to all Cases in a Localization and read-only access to Global Cases, enter a specific Localization.
  • To give access to all Global and Localized Cases, enter “Global”.
Country Select a country from the picklist.

Manage Case Assignment Teams

In scenarios where the Case volume demands more management and Case processing effort, Case Assignment Teams can be used.

A Case Assignment Team consists of a group of users, typically with a team leader, that manages a subset of Cases. The subset can be based on certain Case types (for example, Study Cases), Country, or localization-specific Cases. Or, it can simply be a division of volume. You can add multiple Case Assignment Teams to a Case Access Group.

Once a Case Access Group is set on the Case, a user can then select a Case Assignment Team within this access group, after considering the Intake or Case Processing task. Edit access to the Case Assignment Team field can be restricted with field permissions.

Afterwards, there are two (2) assignment options:

  • Team Assignment: The team leader assigns the Case to a team member.
  • Manual Assignment: A team member assigns the Case to themselves.

These assignments can also be restricted using permissions. Once an Inbox Item or Case is assigned to a user, it is locked. See Strict Inbox Item Locking and Strict Case Locking for more information.

On the Inbox Item and Case tab of the user side of your Vault, team leaders and members can filter or create an Inbox Item View or Case View to display only Inbox Items and Cases assigned to their Case Assignment Team or to themselves.

Note To assign a Case Assignment Team, an Access Group must first be set on the Case.

Prerequisites

Before adding Case Assignment Teams, you must enable Case Assignment.

Create a Case Assignment Team

Follow the steps below to create Case Assignment Teams:

  1. Go to Business Admin > Objects > Case Assignment Teams and select Create.
  2. Complete the following information:
    • Name: Enter a name for this Case Assignment Team.
    • Status: Ensure this field is set to Active.
    • Case Access Group: Select a Case Access Group from the picklist.
    • Team Leader: (Optional) Select a user to be the team leader. This user can assign team members to Inbox Items and Cases.
  3. Save the page.
    Once you save the page, additional sections appear.
  4. Expand the Team Members section and select Add.
    A Search: User window appears.
  5. Select the users you want to add to add to this Case Assignment Team. You can select multiple users at once and filter for a more specific list.
  6. Select OK.

When a user is added to or removed from a Case Assignment team, the system updates the Total Team Members field in the Team Capacity section. The system also updates the Team Caseload field when a team member on the Case Assignment Team is assigned a new Inbox Item or Case.

Note Team Caseload is updated only when a team member is assigned to the Case or Inbox Item, not when a Case Assignment Team is assigned.

Similarly, the system updates the User Current Caseload field on the Business Admin > User Assignment Attributes records when a user is assigned to an Inbox Item or Case.

Inbox Items and Cases in a Completed state (for example, Promoted) do not count towards the Team Caseload or User Current Caseload. To view and edit the Completed Case states, go to Admin > Security > Safety General Settings > Case Completed field. Inbox item Completed states include Promoted and Rejected, which cannot be edited.

The Inbox Items and Cases that are assigned to this team or to a member of this team are listed in the Team Inbox Items and Team Cases sections, respectively. You can also create an Inbox Item and Case by expanding these sections and selecting Create. These records will automatically be assigned to this Case Assignment Team.

After saving the record, you can find this Case Assignment Team linked in the specified Case Access Group under the Case Assignment Teams section.

Manage Case Access Groups for Case Assignment Teams

Go to Business Admin > Objects > Case Access Groups and select a Case Access Group.

When you create a Case Assignment Team, the record is automatically linked in the specified Case Access Group under the Case Assignment Teams section. You can also create new Case Assignment Teams for this Case Access Group from this section.

In the Details section, select an option for the Role Assignment Method field:

VALUE DESCRIPTION
All Users in Access Group Grants all users in this Case Access Group edit access to the Inbox Item or Case.
Users on Assigned Team Grants only users in the assigned Case Assignment Team edit access to the Inbox Item or Case.

Note You cannot populate the Role Assignment Method field for the All Access or General Access groups.

How the System Grants Case Access

Scenario 1: The Inbox Item or Case has an assigned Case Assignment Team

The system checks the Role Assignment Method field value for this Access Group.

  1. If the Role Assignment Method is set to Users on Assigned Team, the system grants the following permissions:
    • Team members in the set Case Assignment Team have edit access and can be assigned to the Inbox Item or Case.
    • Users in the set Access Group that are not assigned to any teams have edit access and can be assigned to the Inbox Item or Case.
    • Users in this Case Access Group but not on this team are granted viewer access.
  2. If the Role Assignment Method is set to All Users in Access Group or is left blank, the system defaults to existing Case Access Group security behaviour.

Scenario 2: The Inbox Item or Case has no assigned Case Assignment Team

If the Case Assignment Team field is not set on the Inbox Item or Case, the system defaults to existing Case Access Group security behavior.

Strict Inbox Item Locking

Similar to strict Case locking, users can be prevented from editing an Inbox Item unless they are assigned to that Inbox Item in the Assigned To field (this field may appear as “Locked By User”, depending on your Admin’s configuration).

Once this field is set, the Inbox Item is considered locked and assigned to that user only.

For Case Assignment Teams, the team leader and team members use this field for user assignment. However, you do not need to enable Case Assignment Teams to use this field.

To use strict Inbox Item locking, your Admin must add this field to the Inbox Item page layout.

Assign Case Access Groups and Roles to User Records

In addition to assigning users to Case Access Groups through Case Access Group records, you can assign users to Case Access Groups through User records.

For each user, add as many User Access Group Assignments as required. On each record, you define the user’s role on Cases, as well as their access to unblinded and protected information and the countries they work in, if applicable. You can also set up a single user with multiple roles in a Case Access Group by creating multiple User Access Group Assignment records.

  1. Go to Business Admin > Objects > Users > [user].
  2. In the User Access Group Assignment section, select Create.
  3. Complete the Create User Access Group Assignment fields.
  4. Select Save.
Field Description
Name This field is populated by the system.
Access Group Select a Case Access Group from the picklist.
Role Select a Role from the picklist. This role is applied each time the user interacts with Cases for the Case Access Group.
User Blinded Select whether the user should have access to unblinded information for Cases within the selected Case Access Group.
PII Access Select whether the user should have access to personally identifiable information (PII) for Cases within the Case Access Group.
Localization Select the Localization for the user on Cases within the Case Access Group.
  • To give access to Global Cases only, leave this field blank.
  • To give access to all Cases in a Localization and read-only access to Global Cases, enter a specific localization.
  • To give access to all Global and Localized Cases, enter “Global”.
Country Select a country from the picklist.

Note Depending on your Admin’s configuration of User records, you may see the Case Access Group Override field. When populated, all Inbox Items and Cases created by that user are assigned to the selected Case Access Group. System matching logic is not used in this scenario. This is useful, for example, for a global load balancing Case Processor who may enter a Case that would qualify for a specific group though it should be maintained at the global level.

Manage Access to PII and Unblinded Information

Vault Safety includes multiple ways to control access to PII and unblinded information on Inbox Items and Cases. For standard application roles, such as Data Entry and Medical Reviewer, we recommend that you configure them to hide PII and unblinded information. With Case Access Groups enabled, a user can be granted additional roles that provide access to PII and unblinded information for a given Case.

Assign Case Access by Local PV Email

You have the option of assigning user access to Inbox Items based on the sender’s email address. When this feature is enabled, the system uses the sender’s email address for Case Access Group assignment over the standard Case Access Group assignment rules.

For more information about email intake to Inbox Item, see Manual Intake from Emails.

Prerequisites

Before using this feature, you must complete the following tasks:

How the System Assigns Access Groups from Email Intake

The diagrams in this section illustrate how the system assigns Access Groups for Inbox Items created from email intake.

  1. The system sets the Sender (Person) on the Inbound Transmission.
  2. The system sets the Access Group field on the Inbox Item.
  3. The system assigns access to Inbox Item documents.

A. The system sets the Sender (Person) on the Inbound Transmission:

access-group-email-intake-diagram-a
Diagram A: The System Sets the Sender (Person) on the Inbound Transmission
  • 1Vault Safety receives an Inbox Item from an email.
  • 2The system checks if there is a Vault Person with the same email address as the sender and who belongs to an Access Group.
  • 3If a Vault Person meets these criteria, the system sets the Sender (Person) field on the Inbound Transmission.
    If multiple Vault Persons meet these criteria, the system sets the one with the latest created date on the Inbound Transmission.

B. The system sets the Access Group field on the Inbox Item:

access-group-email-intake-diagram-b
Diagram B: The System Sets the Access Group on the Inbox Item
  • 1If a Vault Person was used to set the Sender (Person) on the Inbound Transmission, the system uses their Case Access Group field to set the Inbox Item Access Group.
  • 2Otherwise, the system uses existing Case Access Group matching logic to populate the Inbox Item Access Group.

C. The system assigns access to Inbox Item documents:

After populating the Inbox item Access Group, the system adds the users to the Sharing Settings for all Documents linked to the Inbox Item based on the Access Group.

Users are granted: Viewer role Manual Assignment access

If the Inbox Item Access Group is updated, the system removes the group of users from the Documents’ Sharing Settings and adds the new users based on the updated Access Group.

Manage Users & Groups
Manage the MedDRA Dictionary
Next →

Related Docs

Feedback?