This article explains how to manage user accounts in a Vault from the Admin > Users & Groups > Vault Users page with the User object. Managing users with the flexibility of Vault object record layouts allows you to create reports based on user data, create custom fields, configure field-level security, reference users directly from documents with lookup fields, inline edit from User record list pages, download User records to PDF, and more. User accounts exist at the domain level, so in multi-Vault domains, user details are shared across Vaults.
Note: Starting in the 20R1 release, you create all users with the User object. You can access the User object record list page from the Admin > Users & Groups > Vault Users page, Business Admin > Objects > Users, or a custom User object tab, if available.
About the User & Person Objects
The User object contains a record for each existing member of your Vault, while the Person object allows you to add individuals who aren’t domain users to your Vault. See About the User & Person Objects for more details about these objects, the Vault Membership lifecycle, and more.
Note: The User object is provisioned with multiple system-owned user records that appear in all Vaults. These accounts are used to capture actions that are performed by Vault instead of by a user. Although these records are visible when viewing and exporting the User record list, the records are not included in license counts, are read-only, and cannot be referenced by another User or document. The System user record is inactive, is not synchronized with Legacy Users, and does not appear in the Users & Groups tab.
Accessing User Management
To access the user administration area, navigate to Admin > Users & Groups > Vault Users. You can also access the User object record list page from Business Admin > Objects > Users or a custom User object tab, if available.
Domain Admins have additional options when managing users.
System Managed Users
Vault uses System Managed User accounts to execute various actions and processes. These user accounts are read-only and are not included in license counts. System Managed Users vary by application and may include:
- System
- Application Owner
- Java SDK Service Account
- MyVeeva Integration User
- Clinical Survey Respondent
- Clinical Transfer
System Managed Users have the following user object field settings:
- System Owned User:Yes
- Email: no-reply@veeva.com
- Security Policy: System Managed
System Managed Users do not appear in picklists when selecting users for data entry purposes (documents, object records, configurations) such as selecting users on a user object reference field, or manually assigning a user into a role for a document or object. However, when selecting users for search or filtering purposes, System Managed Users are included. For example, System Managed Users appear in picklists when filtering audit log entries by user, when using filters or conditional filters on Vault Reports, or when selecting users while searching for documents or object records (such as filtering on the Created by field).
Understanding Vault User Name & Email Address
In Vault, all user names include the domain name your company uses for its Vaults. The user name format is username@domainname, for example, bruce.ashton@veevapharm.com. Although the user name has the same format as an email address, Vault does not send email notifications to the user name. Vault only sends email notifications to the address in the Email field.
How to Create New User Accounts
To create a new user account:
- From the Vault Users page, click Create.
- Select an existing Domain User. If a domain user doesn’t exist, select Create Domain User from the drop-down and fill in the required fields in the dialog.
- Fill in the basic user information: First Name, Last Name, User Name, Email.
- Fill in the user’s contact information such as Company, Title, and more. Asterisks indicate required fields.
- Select a Locale and Language for the user. These options control localization options for the user (number and date formats and label language, respectively). Duplicate locales are appended with the language they correspond to, such as Canada (English), Canada (French), Hong Kong (Chinese Simplified), and Hong Kong (Chinese Traditional).
- Select a Timezone for the user. Vault stores time and date information in UTC (Coordinated Universal Time), but displays that information to users in their time zones.
- Optional: In the Edit Localized Labels field, select a language to allow the user to view and modify localized labels alongside labels in the Vault’s base language. This field is only available when multilingual labels are enabled in your Vault.
- Configure the user account activation, if needed.
- Select a License Type, and Security Profile. If the License Type field is not visible, manage application-specific licensing from the Application Licensing section in step 11. If your domain includes multiple Vaults, Vault checks to see if the user name exists in another Vault and auto-fills some fields based on the existing user information.
- Optional: Configure the user’s Email Preferences.
- Optional: Select a license value for each application underneath the Application Licensing section. You must select a license value for at least one application. Some license values may be unavailable depending on the application.
- Set any optional fields as needed.
- Click Save. New users are active immediately unless you selected a later activation date. Vault requires them to update their password the first time they log in.
When new supported languages are introduced, they are available in Limited Release Vaults before they are supported in General Release Vaults. If a user has access to both Limited Release and General Release Vaults and you set the Language field to a language that is only available for Limited Release, they will see some errors in the General Release Vault. To fix this, select a language that is supported in both Vaults.
Note: The Usage Level field is inactive and not available for use.
How to Manage User Account Activation
You can configure these settings as needed when you add a new user:
- Activation Date
- If you select a future activation date, the user will stay in the Pending state until the selected date, when the user will be automatically activated. Vault runs the User Account Activation job daily to activate any users who are scheduled to be activated on that date.
- Send Welcome Email on Activation Date
- If this checkbox is selected, Vault will automatically send a welcome email on the user’s activation date. If you clear this checkbox, the user will not receive a welcome email. If a user has never logged into Vault and their account has been deactivated and reactivated again at a later point, the user will automatically receive a welcome email upon reactivation.
Note: The User Account Activation job will not activate a user in the following scenarios:
- If the job runs before the user’s Activation Date and the user is in the Pending or Inactive state.
- If the job runs on or after the user’s Inactivation Date.
- If the user’s Activation Date and Inactivation Date are the same date.
Optional Settings
You can configure these settings as needed when you create a new user or edit an existing one:
- Image
- Click the Pencil icon to assign a user profile image. Profile images display throughout the application and are visible to other users. Image files must be in JPG, PNG, BMP, or GIF format and less than 10MB.
- Preferred Tab Collection
- You can configure Vault to open in any custom tab collection when a user logs into Vault.
- Layout Profile
- Assign a layout profile to the user. You can select only active layout profiles. Once assigned, the user will have access to any layouts on the profile when viewing object records. If no layout profile is assigned, they will see the default layout.
- Federated ID
- Enter a Federated ID to associate the user with an external user ID for Single Sign-on or other system integration purposes.
- Security Policy
- Select a Security Policy. This controls password requirements for the user.
- Salesforce Username
- Enter a Salesforce Username to associate the user with a salesforce.com or Veeva CRM user account for delegated authentication. This option will only be available if the selected security policy allows login via salesforce.com. If you leave Salesforce Username blank, Vault will assume that the Vault user name and Salesforce user name are the same.
- Email Preferences
- Select checkboxes to opt users in or out of specific Vault notification emails, including System Maintenance Availability, Product Announcements, favorite document notifications, and more.
Note: If Annotation Replies, Send as Link, Shared Views, Tasks, User Mentions, or Favorite Documents contains a null/blank value, Vault defaults to the Email Preferences setting selected by an Admin on the notification template. In addition, if the Summary Email Interval field contains a blank/null value, Vault uses the Delivery Interval value for your summary email notifications.
How to Edit User Accounts
From the User record, you can update the user’s profile information, such as the title and company. When editing a user’s profile information, Vault syncs any updated information with the Domain User account fields. If you edit a Person record related to a User record, Vault automatically updates both the User record and the Domain User.
Note: When updating fields for Cross-Domain users, Vault syncs changes across domains and updates all Vaults to which the user has membership.
To edit a User record:
- From the Vault Users page or a list of User records, open a User record details page.
- Click Edit and modify any information as needed.
- Click Save when finished. On save, Vault synchronizes and populates any modified shared fields for the domain user.
Editing a Profile Image
You can edit the profile image from the User record details page:
- From the User record, click Edit.
- Click the Edit icon above the current image.
- In the User Profile dialog, select Upload an image.
- Click Choose and select a picture from your computer. You can also choose to remove the profile picture by selecting Use default image.
- Click OK.
Editing a User Name
You can update the profile user name in the User Name field. User Name is a multi-part field, meaning you can edit the user name but not the domain to which the user belongs. For example, for the username “johndoe@domain.com”, you can edit the prefix of “johndoe”, but you cannot edit the “@domain.com”.
How to Set the User Landing Tab
You can configure the first tab a user sees after logging into Vault. To change a user’s default landing tab:
- Navigate to Admin > Users & Groups > Vault Users.
- Ensure the Landing Tab column shows in the user list. If necessary, add the column to the grid.
- From the user list, double-click into the Landing Tab field for the appropriate user to edit the field in-line.
- Select a tab by choosing one from the list, typing the tab name, or clicking the binoculars icon for advanced search and filter options. Depending on reference constraints configured on the Landing Tab field, you may be able to select a sub-tab as the user’s landing tab. You cannot select an Admin tab or an individual dashboard tab as the landing tab.
If both a landing tab and a preferred tab collection are configured for a user, and the landing tab is not part of the user’s preferred tab collection, Vault displays the landing tab and populates the primary navigation bar with the preferred tab collection.
How to Create a Cross-Domain User
To create a cross-domain user:
- Navigate to Admin > Users & Groups > Vault Users.
- Click the Actions menu and select Create Cross Domain User.
- In the dialog, enter the User Name and select a Security Profile and License Type.
- Click Save. Vault creates a cross domain user.
How to Edit Vault Membership
Deactivating users prevents them from accessing Vault but does not remove the user account from the system. You cannot delete User records, but you can make a user inactive. To make a user inactive, select Make User Inactive from the record’s Actions menu. See details about the Vault Membership Lifecycle.
How to Reset User Passwords
To reset a single user’s password:
- From the Vault Users page or another list of User records, open a single User record details page.
- Select Reset Password from the Actions menu. This option is available for all Active users.
- Vault sets a temporary password and sends an email notification to the user.
To reset all user passwords:
- Navigate to Admin > Settings > Security Policies.
- Click Reset All Passwords.
- Click Continue in the confirmation dialog.
Note: Users can reset their own passwords from their user profiles.
How to Resend Welcome Emails
To resend a welcome email:
- From the Vault Users page or another list of User records, click to open a single User record details page.
- Select Resend Welcome Email from the Actions menu. This option is available for all Active users.
- Vault resends the welcome email with login instructions to the user.
How to Force Update Security Questions
To force a user to update their security question, select Force Update to Security Question from the Actions menu on a User record. This option is available for all Active users. The next time the user logs in, Vault prompts her to update her security question.
You only see this option if your password security policy requires a security question on password reset.
How to Edit Users’ Group Membership
From the User record, scroll to the Groups section to see the groups to which the user belongs. You can search and filter within the section to find a specific group.
To update the user’s group membership, click Edit Membership. In the dialog, select checkboxes to add the user to groups or clear checkboxes to remove the user. Click Close to save your changes.
How to Delegate Users’ Account Access
You can use the Delegated Access feature to grant a user access to another user’s account. For example, if Thomas leaves work without first delegating his account access, you could delegate Thomas’ account access to another user, Gladys.
To delegate a user’s account access to another user:
- Open the User record. For example, open Thomas’ profile to give Gladys access to his account.
- Navigate to the Delegate Access section.
- Click Create User to delegate a user.
- In the Delegates field, select the user(s) to whom you want to grant access. See details about delegate requirements below.
- Select a Start Date.
- In the End Date field, select an end date or select Never. If you select an end date, Vault automatically revokes access on that date. With either option, you can return to the User record and manually revoke access.
- Click Grant Access. If the Grant Access button is inactive, a warning appears under the Delegates field to inform you that one or more selected users no longer have delegate permissions. This may occur rarely when delegate selection optimization is in progress.
Delegate Requirements
- Each user account can be delegated to up to 25 users.
- A single user cannot have delegated access in more than 25 user accounts on a single Vault at a time.
- Users without the Allow as a Delegate permission cannot be selected as delegates.
Revoking Access
To revoke access, return to the User record and navigate to the Delegate Access section. Select Revoke Access from the delegate’s Actions menu. You can also click Edit from the delegate’s Actions menu to modify the delegate user, start date, or end date.
Managing Delegates
Admins can view, edit, and create new delegates from Admin > Users & Groups > Active Delegations. Click the delegate’s Actions menu to Edit or Revoke Access to a specific delegation, and click the blue create user button to add a new delegate to this Vault. Clicking a user’s name will bring you to their User record details page.
A banner displays on the Active Delegations page when delegate selection optimization is in progress. This occurs automatically when the Allow as a Delegate permission is assigned to or removed from users, and it optimizes the selection of delegates when creating new delegations.
Because delegation is Vault-specific, only delegations in the current Vault are accessible.
Enabling Delegated Access
To enable delegation, navigate to Admin > Settings > General Settings and select the Enable Vault Level Delegate Access checkbox. Turning on this setting automatically turns on the Allow non-Admin users to delegate access to their own accounts setting, which allows users the ability to delegate their account through their user profile. If an organization needs to prevent users from delegating their own accounts, an Admin can turn off the setting.
Selecting Enable Vault Level Delegate Access also enables the Enforce strict delegation controls for Delegate Admin Users setting. When enabled, Delegate Admins cannot create a delegation for a user with more permissions than themselves. For example, say John and Jane have the same Security Profile, but Jane is also assigned a user role that grants her permissions that John cannot access. If this setting is enabled and John attempts to create a delegation that allows Amy to act on behalf of Jane, Vault blocks the delegation. This error also occurs if John attempts to edit or revoke an existing delegation where a user has more permissions than his own. This setting does not apply when adding delegates from the user profile page.
Because these settings are Vault-specific, Admins must turn them on or off for each Vault.
Note: Vault continues to prevent non-Domain Admin users from delegating Domain Admin accounts if the Enforce strict delegation controls for Delegate Admin Users setting is disabled. This security check occurs whether the setting is enabled or not.
Log In As a User
If Enable Vault Level Delegate Access and Enforce strict delegation controls for Delegate Admin Users are enabled, Delegate Admins can log into a user’s account directly from a User record detail page or list view. This function allows Delegate Admins to bypass the need to create a delegate user and grant themselves access when they need to delegate a user account to themselves.
To log in to a delegate user account:
- Navigate to a User record detail page or list view.
- Select Actions > Log in as.
- Optional: Change the Delegation end date in the Log in As dialog. If you are initiating a new delegation, the end date is defaulted to seven days after the current date and an Active Delegation record is created. If an Active Delegation record exists for the selected user and Delegate Admin, Vault uses the start and end date on that record. If no end date exists on the Active Delegation record, the Delegation end date defaults to 365 days from the current date. The Delegation end date for active and new delegations cannot exceed 365 days from the current date.
- Click Log In As.
The selected user account is now delegated to you and a delegate session is initiated. An Active Delegation record is created if one does not already exist for the user account. If Delegate access allowed only among group members is enabled, ensure to appropriately add Delegate Admins to the group. Otherwise, Delegate Admins may not consistently see the Log in as action on User records.
Note: The Log in as action is not available on inactive, pending, or system-managed User records. You cannot log in to a user account with more permissions than your own. In addition, you cannot perform this action while already in a delegate session.
Document Inbox Sharing
From the User record, you can manage document inbox sharing. To add a user or group as an Inbox Editor:
- From the Document Inbox Sharing section of the User object details page, click Create.
- Add one or more users or groups in the Users and Groups box.
- Select a value for the Locked field. Selecting Yes for this field prevents the user from removing these document inbox sharing settings from their Document Inbox page.
- Click Save.
If the Share Inbox Document object is visible in Business Admin > Objects, you can also navigate there to perform bulk actions, search, or use Vault Loader to create records.
Viewing Security Overrides
From the User record, you can view the Security Overrides section. This section displays any field-level security overrides applied to the user or groups to which the user belongs.
How to Grant Access to Veeva Support
On the User record details page, you can grant Vault Support access to a specific user’s account from the Veeva Support section. See Granting Access to Veeva Support for details.
Working in the User Grid
On the Vault Users page, the Actions menu offers options for working with users and editing how data appears:
- Bulk Actions
- Allows you to perform bulk actions on all users or the users on the current page.
- Export
- Export the user list to CSV or Excel. See details below.
- Edit Columns
- Allows you to make the most frequently referenced fields on user accounts visible without opening the user detail page and also controls which fields are included when you export the user list.
- Truncate Cell Text/Wrap Cell Text
- Lets you toggle between truncating (showing only the first part of the value) and wrapping (showing any characters that don’t fit on a second line) text that is too big to fit in its column.
- Inline Editing
- Allows you to update field values from the Vault Users page or another list of User records.
These options are available from wherever you view a list of User records. When you use these options to customize how your data displays, the changes do not affect other users. Vault remembers your last selections and reapplies them when you return to the page.
How to Export the User List
From the Users page, open the Actions menu and select Export to CSV or Export to Text. This action exports the user list that you are currently viewing, ignoring pagination. For example, if you are viewing only active users in the current Vault, the export will not include inactive users or users from another Vault. However, the export will include all “pages” of users, even if your current view limits you to 25 per page. The exported file only includes the visible columns, so you may want to edit columns before exporting.
CSV is only available if your Vault does not use localization settings, and Text is only available if it does.
Note: Vault will not include the following characters in the file name of an export: < > : "" / , | ? *.
Filtering by Vault Membership Lifecycle State
On the Vault Users page, you can use the drop-down next to the search box to filter the list of users in your Vault. You can select Active Users, Inactive Users, Pending Users, or All Users. Vault always defaults to show active users.
User Search
When you search for users on the Vault Users page, Vault executes a “begins with” search on all searchable fields. A search for “thom,” Vault would find “Thomas Chung” and “Ella Thomason,” but a search for “hom” would not find either of these users. Vault doesn’t return results when you search on only the letters “V” or “M”.
When you search for users on the Vault Users page and export the list of users, the export only includes users where the search term matches a value in the Name column. If the search returns results that match on other columns, those results doesn’t appear in the export.”
Assigning Security Profiles & User Roles
When you assign security profiles or user roles to users, or update domain level attributes, such as the First Name, Last Name, or Email directly on the User object, Vault checks to see if you have all of the permissions included in the security profile or role you’re assigning. These validations are performed in cases where updates are made directly to the User object in addition to indirect updates made to the Person object that maps to a protected field on the User object.
Vault does not allow you to assign a profile or role that includes permissions which you do not have. When assigning administrator profiles or roles, it can be helpful to have users separated by the duties they are expected to perform. For example, by assigning a System Administrator security profile to a user that creates, edits, or otherwise manages permission sets, while assigning another security profile, User Administrator, to users that assign security profiles or role permissions, without needing to interact directly with permission sets.
How to Configure the User Object Layout
The object record layouts for the User object is the same when you access users from Admin > Users & Groups > Vault Users, from Business Admin > Objects > Users, or from a custom User object tab. The order of fields and sections may be different from the legacy User page. While Groups, Delegate Access, and Veeva Support sections may be available on the User object layout, only Admins with the appropriate permissions can see these sections.
In order for Admins to be able to create and edit users with the User object, you need to update the User object layout to include the following fields:
- First Name (first_name__sys)
- Last Name (last_name__sys)
- Email (email__sys)
- User Name (username__sys)
- Language (language__sys)
- Locale (locale__sys)
- Timezone (timezone__sys)
- Security Profile (security_profile__sys)
- License Type (license_type__sys)
- Domain Admin (domain_admin__sys)
- Security Policy (security_policy__sys)
- Federated ID (federated_id__sys)
- Landing Tab (landing_tab__sys)
- Activation Date (activation_date__sys); this field is required in order to create pending users
- Any application license fields, for example, Quality: QMS (license_qualityqms__sys)
After adding these fields, you should also configure field-level security to either hide them or make them read-only for end users. You should keep all required fields visible when making updates to the User object page layout.
Mobile App Registrations
Mobile App Registrations allow Vault to send push notifications to a device with a Vault mobile application. By default, the Mobile App Registrations section is displayed on the User object page layout. This section allows Admins to manage registrations from the User object record page. To hide it, remove the Mobile App Registrations section from the User object page layout.
Configuring the Landing Tab Field
By default, the Landing Tab field includes a reference constraint that prevents Admins from selecting sub-tabs when assigning a landing tab. You can edit or remove the existing constraint to meet your organization’s business needs. For example, removing the constraint allows Admins to select sub-tabs as default landing tabs.
Configuring Document Inbox Sharing Related Object Section
By default, the Document Inbox Sharing related object section appears on the User object page layout, but an Admin can remove it if necessary.
Related Permissions
The following permissions control your ability to create and manage users with the User object:
Security Profile
- Admin: Users: Manage User Object
- Ability to create and modify User object records. This permission also controls Vault’s ability to synchronize updates to User records with domain user fields. It also controls whether Vault displays the Mobile App Registrations section, if enabled.
- Admin: Users: Read
- Ability to see the Security Overrides section on the User object page layout.
- Admin: Users: Assign Group
- Ability to see the Groups section on the User object page layout and assign a user to groups from the User record.
- Admin: User: Grant Login Support
- Ability to give Vault Support user account access for a specific user from Users & Groups > Vault Users.
- Admin: Users: Delegate Admin
- Ability to see the Delegate Access section on the User object page layout and give delegate access to another user’s account from the User record. On multi-Vault domains, you must have this permission in each Vault to which the user has access.
- Admin: Users: Add Cross-Domain Users
- Ability to add cross-domain users from Users & Groups > Vault Users.
- Admin: Object: Media: Read
- Ability for users to view the profile image on User and Person object records.
Object
- Objects: User Role: Read, Create, Edit, and Delete
- Ability to add, edit, or remove User Roles on a User object record.
- Objects: Share Inbox Documents: Read, Create, Edit, and Delete
- Ability to add, edit, or remove Share Inbox Documents records on a User object record.