# Configuring Custom Sharing Rules for Objects

Custom Sharing Rules is part of [Dynamic Access Control](/en/lr/33946/) for object records. When using Custom Sharing Rules (rather than Matching Sharing Rules) for an object, Vault manages users' roles on specific object records by matching rule criteria to specific user assignments. For example, on _Marketing Campaign_ records where the _Agency_ is _DKI Direct_, _Gladys_ is an _Editor_ and _Thomas_ is an _Owner_.

You can enable Custom Sharing Rules for specific objects to provide a more granular level of security for one object without affecting others.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: When implementing any custom security or access control, Admins should perform UAT (User Acceptance Testing) before making changes on a production site. Some changes can affect application-specific functionality in ways that make Vault difficult to use.</p>
    </div>
  </div>
</div>



## Configuration Overview

Before starting any Custom Sharing Rules implementation, we recommend that you consult Veeva Services. You should have a plan in place for the sharing rules you will create.

We recommend enabling [Configuration Mode](/en/lr/36928/) while completing the following tasks. Once you enable Custom Sharing Rules for an object, all users will lose access to the object records until you've fully configured the rules.

1. Create user groups that you plan to use in your sharing rules from **Admin > Users & Groups > Groups**.
1. From **Admin > Configuration > Objects > [Object] > Details**, enable **Custom Sharing Rules**. You can return to the object configuration page at any time and disable Custom Sharing Rules. If you are not also using Matching Sharing Rules, the previous functionality returns immediately: security profiles provide object-level control over editing object records and all users can view or select all records.
1. Optional: Select the **Use Action Security to control Sharing Settings** checkbox. This allows you to [configure action security on sharing settings](/en/lr/33946/#secure_sharing_settings) to control user access to sharing settings for each record, role, and lifecycle state.
1. From **Admin > Configuration > Objects > [Object]**, navigate to the **Sharing Rules** tab. Set up custom sharing rules to assign users and groups to specific roles on object records.

## Custom Sharing Rules {#custom-sharing-rules}

When creating a sharing rule, you'll first define a query against the records for an object, and then select users and groups to assign to a specific role on all records that match your query.




### How to Create Sharing Rules

To create a sharing rule:

  1. Navigate to the object configuration details: **Admin > Configuration > Objects**, and then click on the specific object.
  2. Click into the **Sharing Rules** tab.
  3. Enter a descriptive **Label** for the rule. The label will be visible in the object records' **Sharing Settings**.
  4. Enter a **Name** for the rule. This will be visible through the Vault API.
  5. Optional: Enter a **Description**. The description only appears in the sharing rule's details page.
  6. Under **Rule Criteria**, define the query parameters by selecting an object field, operator, and value. Create additional rows by clicking **Add condition**. Remove rows by clicking the minus (**-**) icon.
  7. Click **Save**.
  8. In the **Roles** panel, click **+ Add** to select users/groups and the roles they should receive. In the dialog, select a **Role** and one or more **Users and Groups**, then click **Save**. Repeat this step to add all the needed assignments.
  9. If you make a mistake assigning access or need to remove a user/group later, use the actions menu on the individual assignment and select **Remove**.

When you initially create a rule or modify the query for an existing rule, Vault must reindex records to apply the new settings. This may take several minutes.

### How to Modify Sharing Rules

To modify a sharing rule, return to the **Sharing Rules** tab on the object configuration and click into a specific rule:

1. Click **Edit** to change the label, name, description, or query.
1. In the **Roles** section, use the **Add +** button to create new user/group assignments in the rule. Use the actions menu on each assignment row to remove a user/group assignment from the rule.
1. Click **Delete** to permanently remove the rule.

## Rule Criteria

Under **Rule Criteria**, you define a query against the object's records, for example, all _Product_ records where the _Therapeutic Area_ equals _Veterinary_. Rule Criteria accepts a VQL query, which is appropriate only for technical users but allows you to define a complex query. Learn more about [VQL for sharing rules](/en/lr/1037069/).

### Available Fields

Sharing rule criteria can use fields from the object that is being queried, including fields that reference another object. They cannot use fields that belong to referenced objects, aside from the label field. For example, a query on _Site_ could use _Site Status_ and _Study Number_, but could not use _Study Type_ because that field belongs to a different object.

All field types except _DateTime_ and _Formula_ are available.
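
As an added illustration (not Vault's code or the Vault API), the following Python model supports a UAT review of a planned rule set: it rejects criteria that break the field limits above and lists sample records that no rule would assign to anyone. The schema, rules, records, the two operators, and the AND-combination of conditions are assumptions made for the example.

```python
# Added illustration: a local model of a planned rule set, not Vault code or API.
# Schema, rules, records and operators are constructed sample data.
DISALLOWED_TYPES = {"DateTime", "Formula"}  # types the page excludes from criteria

# Constructed schema for a hypothetical Site object: field name -> field type.
SITE_FIELDS = {"site_status": "Picklist", "study_number": "Object",
               "activated_at": "DateTime", "region": "Text"}

# Planned rules. Assumption: every condition in a rule must match (AND).
RULES = [
    {"name": "active_sites", "criteria": [("site_status", "=", "Active")],
     "roles": {"Editor": ["gladys"], "Owner": ["thomas"]}},
    {"name": "activated_sites", "criteria": [("activated_at", "!=", None)],
     "roles": {"Editor": ["site_editors_group"]}},
    {"name": "by_study_type", "criteria": [("study_type", "=", "Phase III")],
     "roles": {"Editor": ["site_editors_group"]}},
]

RECORDS = [
    {"id": "S-001", "site_status": "Active", "study_number": "ST-9", "region": "EU"},
    {"id": "S-002", "site_status": "Closed", "study_number": "ST-9", "region": "US"},
]

OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b}

def invalid_criteria(rule, fields):
    """Return (field, reason) for each condition the page's field limits rule out."""
    problems = []
    for field, _op, _value in rule["criteria"]:
        if field not in fields:
            problems.append((field, "not a field on this object"))
        elif fields[field] in DISALLOWED_TYPES:
            problems.append((field, fields[field] + " fields are not available"))
    return problems

def effective_roles(record, rules, fields):
    """Map role -> set of users/groups from every valid rule matching the record."""
    granted = {}
    for rule in rules:
        if invalid_criteria(rule, fields):
            continue  # a rule with unusable criteria grants nothing in this model
        if all(OPS[op](record.get(f), v) for f, op, v in rule["criteria"]):
            for role, members in rule["roles"].items():
                granted.setdefault(role, set()).update(members)
    return granted

def uncovered(records, rules, fields):
    """IDs of records that no rule assigns any user or group to."""
    return [r["id"] for r in records if not effective_roles(r, rules, fields)]
```

A non-empty result from `uncovered` means those records would have no rule-based role assignments once Custom Sharing Rules is enabled for the object.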

## Sharing Settings {#sharing-settings}

When you configure custom sharing rules or matching sharing rules for an object, the page layout includes a **Sharing Settings** section. Here, you can control the roles that each user has for specific object records.

## Related Permissions

To enable and set up Custom Sharing Rules, your security profile must grant the **Admin > Objects > Edit** permission.
