# Converting User Security Policies You can use the _Convert Security Policy_ action to change a user's security policy assignment. This action allows flexibility to change a user's security policy without the need to create a new user account. You can change a security policy with a _Password_ or _Single-Sign On_ (SSO) authentication type and Cross-Domain security policies. The following security policy conversions are allowed: * [Password/SSO](/en/lr/1985/) to [Cross-Domain](/en/lr/38996/) * Password/SSO to [VeevaID](/en/lr/23050/) * Cross-Domain to Password/SSO If the user is logged into Vault when the security policy change occurs, the new security policy applies the next time they log in. If the user is in a delegated session, the new security policy applies when the delegate session ends. Converting a Password/SSO security policy to Cross-Domain or VeevaID fails if the user exists as an active or inactive Cross-Domain user in other Vault domains. This behavior prevents executing security policy conversions that may impact users on other Vault domains than the initiating Vault domain.
## Converting a User's Security Policy {#convert-user-security-policy} To begin changing a user's security policy, navigate to **Admin** > **Users & Groups** > **[User]** > **Actions** > **Convert Security Policy**. ### How to Convert Password/SSO to Cross-Domain {#password-sso-to-cross-domain} To convert a security policy with a _Password_ or _Single-Sign On_ authentication type to Cross-Domain: 1. In the **Convert Security Policy** dialog, select **Cross-Domain Security Policy** from the **New Security Policy** drop-down. 2. Enter the user's **New User Name**. The **New User Name** must match the user's home domain _User Name_. The email address must also match the user's home domain email address. In addition, the _User Name_ cannot be a duplicate of another user on the home domain. 3. Click **Save**. 4. Click **Continue** in the **Confirm Security Policy Update** dialog. A green success banner displays stating that the security policy was updated and the user received an email notification. If the security policy conversion updates the user's email address, they will receive a notification on their previous and new email address. ### How to Convert Password/SSO to VeevaID {#password-sso-to-veevaid} To convert a security policy with a _Password_ or _Single-Sign On_ authentication type to VeevaID: 1. In the **Convert Security Policy** dialog, select VeevaID from the **New Security Policy** drop-down. 2. Enter the user's **New User Name**. The **New User Name** must match an existing, active VeevaID user name. The user's email address must also match the VeevaID user's email address. In addition, the user name cannot already be associated with another user. 3. Click **Validate**. If no errors are returned, the dialog displays the VeevaID user's _First Name_, _Last Name_, and _Language_ for identity verification purposes. 4. Click **Save**. 5. Click **Continue** in the **Confirm Security Policy Update** dialog. You cannot undo this action. A green success banner displays stating that the security policy was updated and the user received an email notification. If the security policy conversion updates the user's email address, they will receive a notification on their previous and new email address. ### How to Convert Cross-Domain to Password/SSO {#cross-domain-to-password-sso} To convert a Cross-Domain security policy to a security policy with a _Password_ or _Single-Sign On_ authentication type: 1. In the **Convert Security Policy** dialog, select the Password/SSO security policy from the **New Security Policy** drop-down. 2. Enter the user's **New User Name**. You are not required to enter the domain portion of the email address as the security policy will exist on the current Vault domain. 3. Click **Save**. 4. Click **Continue** in the **Confirm Security Policy Update** dialog. A green success banner displays stating that the security policy was updated and the user received an email notification. If the security policy's authentication type is set to _Password_, a welcome email is not sent to the user. You can send the welcome email manually as needed. ## Limits {#convert-security-policy-limits} The following limits apply when converting a user's security policy assignment: * You cannot convert a VeevaID security policy to any other security policy. * You cannot convert a Cross-Domain security policy to VeevaID. However, you can convert a Cross-Domain security policy to a _Password_ or _Single-Sign On_ security policy, and then convert the user to the VeevaID security policy. * You cannot assign a VeevaID security policy to a Domain Admin. * You cannot perform the _Convert Security Policy_ action in bulk. ## Related Permissions {#convert-security-policy-permissions} The following permissions control your ability to use the _Convert Security Policy_ action: |Type|Permission Label|Controls| |--- |--- |--- | |Security Profile|Objects: User: Edit|Controls the ability to edit _User_ object records| |Security Profile|Objects: User: Object Action Permissions: Convert Security Policy: View, Execute|Controls the ability to view and use the _Convert Security Policy_ action| |Security Profile|Admin: Security: Users: Manage User Object|Controls ability to create, modify, and add _User_ object records| |Security Profile|Admin: Security: Users: Add Cross-Domain Users|Controls ability to convert a security policy to Cross-Domain| [0]: #convert-user-security-policy [1]: #password-sso-to-cross-domain [2]: #password-sso-to-veevaid [3]: #cross-domain-to-password-sso [4]: #convert-security-policy-limits [5]: #convert-security-policy-permissions