In Vault, each user has an assigned license type and security profile. Each security profile has one or more permission sets. The license type is the first level of access control that Vault applies to a user. Permission sets, applied through the user’s security profile, are the second level of access control. Both the license type and permission set must grant access to a user in order for that user to access the functionality. Other access control for a user is based on the user’s role permissions on a specific document, document type settings, and dynamic access control settings for individual object records.
Admins must have a permission set that grants the Admin: Users: Edit permission to change a user’s license type or security profile.
Note: For domain-level settings, a user must have the Domain Admin user setting in addition to a security profile that grants the correct permissions.
License Types
Vault includes the following license types:
- Full Users are the most common license type. Their license type does not block access to any functionality; these may be regular users or administrators. This is the only license type that allows a user to access Admin functionality. This license type also grants users access to FTP servers. While system-owned users operate with Full User licenses, they are not included in license counts.
- Read-only Users have extremely limited access. They cannot access reports or dashboards, edit documents, binders, or object records, initiate workflows, or access the Admin or Business Admin tab collections. They can sign Read & Understood workflow tasks, but cannot otherwise participate in workflows. With the required permissions, Read-only Users can view documents, including document field values and audit trails. They can view and download source files and renditions. They can also review object records, but not via the Business Admin tab collection. They cannot view the Lifecycle Stages Chevron panel on the Doc Info page or object record detail page. In Vaults that use Document Archive, Read-only Users cannot access the Archive tab.
- External Users are users outside your company who have slightly limited access; these users have most functionality, but Vault prevents them from accessing reports or dashboards, using bulk document action, or creating CrossLink documents. With the required permissions, they can access the Business Admin tab collection, but can only view object record lists, and they can manage anchors on a document. Note that External User accounts must use an email address with a different domain from the Vault’s domain. This license type also grants users access to FTP servers.
- Portal Users (eTMF only) have slightly limited access; they have most functionality, but cannot access Admin, use reports and dashboards, or see configured custom tabs. When creating documents or using the Study Selector, they can only see Study, Study Country, Study Site, and Product records to which an Admin has granted them access. In order to prevent them from seeing information about other sites, the search suggestion feature is not enabled for these users.
- Site Users (Clinical Operations only) have access to a tailored Vault homepage, and benefit from Site User privacy controls. Other Vault access is determined by the selected security profile. Note that this license type is not available in new implementations. Veeva Site Connect provides similar functionality, enabling sponsors and CROs on Clinical Operations Vaults to securely exchange documents, document requests, and data with sites on SiteVault Vaults.
- View-Based Users (PromoMats and Vault Medical only) have extremely limited access; these users can only view documents (including annotations) and download documents. The system tracks the number of document views across all users with this license type against a pre-purchased set of views for the Vault.
- Learners (Vault Training only) have significantly limited access. These users can view documents and complete training assignments.
Application License Types
Some Vaults use multiple applications, for example, a RIM Vault with Submissions and Registrations. In these Vaults, users have an Application License Type for each application they can access in addition to their License Type. Application License Type lets the system track available licenses at the application level but does not control a user’s access in most Vaults. A single user assigned to three (3) applications will use three licenses, not one (1).
When assigning the Application License Type for a user, you cannot select a type with greater permissions than those granted by the selected License Type.
| License Type | Available Application License Types |
|---|---|
| Full User | Full User, External User, Read Only User |
| External User | External User, Read Only User |
| Read Only User | Read Only User |
| Portal User | N/A |
| Site User | N/A |
Security Profiles
Security profiles are how Vault applies permission sets to individual users. Each profile has one or more associated permission sets.
Standard Security Profiles & Permission Sets
Vault includes several standard security profiles and associated permission sets. Each of these corresponds to a Vault user type from the previous releases and grants the same access as the user type. These are not editable, but Admins may disable them if needed.
| Security Profile | Permission Set | Description |
|---|---|---|
| Document User | Full User Actions | This profile grants full non-administrator application access (reports, workflows, etc.), but does not grant access to the Admin tab collection or to administrator actions (bulk update, merge anchors, create CrossLinks, etc.) in the Vault area. |
| Read-Only User | Read-Only User Actions | Permissions for this profile align with the Read-only Users license type access. |
| External User | External User Actions | Permissions for this profile align with the External User license type access. |
| Business Administrator | Business Administrator Actions | This profile grants “read” access to most parts of the Business Admin tab collection, edit access to some areas (create/edit/delete overlays, assign users to groups, etc.), and full access to all object records. The profile provides access many of the administrator actions in the Vault area (bulk update, merge anchors, create CrossLinks, etc.), but prevents access to some actions (cancel checkout, make saved views mandatory, “Vault Owner Actions,” etc). |
| System Administrator | System Administrator Actions | This profile grants “read” access to all of the Admin tab collection, edit access to all areas except Security Settings, and full access to all object records. The profile provides access to all of the administrator actions in the Vault area except those under “Vault Owner Actions” (All Document Read, Power Delete, etc.). |
| Vault Owner | Vault Owner Actions | This profile grants edit access to all of the Admin tab collection (including domain settings) and full access to all object records. (Users must also have the Domain Admin user profile setting to manage domain settings.) The profile provides access to all of the administrator actions in the Vault area including those under “Vault Owner Actions” (All Document Read, Power Delete, etc.). |
| Legal User | Legal Actions | This profile grants read, create, edit, and delete permission to records in the Legal Hold object. Users with this profile can apply and remove legal holds on documents. Users with this profile must have document role permissions to perform Legal Actions. |
| Portal Experience User | Portal Experience User Actions | This profile grants users the ability to access a Brand Portal without requiring additional access to Vault or in-depth Vault training. Users with this security profile only see Brand Portals and have no other access to or permissions in Vault. This is only available for PromoMats and MedComms Vaults. |
| View-Based User | View-Based User Actions | Permissions for this profile align with the View-Based Users license type access. This is only available for PromoMats and MedComms Vaults. |
| External IIS User | IIS External User Actions | This profile grants the ability to view, create, and edit Investigator Initiated Study records and to view IIS related records and documents. This is only available for Clinical Operations Vaults. |