Groups are key to managing user access in Vault. A group is simply a named list of users, but by defining groups that reflect the teams and roles in your company, and assigning those groups to document roles, you can manage document access more easily and efficiently.
In Vaults using Dynamic Access Control, Vault also automatically creates groups that correspond to one lifecycle role and additional document field criteria. These are called Auto Managed Groups.
Accessing Group Administration
View and manage groups from Admin > Users & Groups > Groups. You must have a security profile that grants Groups permissions to work with user groups.
Each Vault has a number of groups designated as “system provided.” Vault includes these groups in your initial configuration and updates group membership automatically based on standard security profiles. When you create new users or modify their security profile, the system-managed groups will reflect those changes. You cannot delete these groups.
In addition to groups for each standard security profile, Vault manages the All Internal Users group. By default, All Internal Users includes users with the security profiles Document User, Business Admin, System Admin, and Vault Owner. Note that unless an Admin modifies the included security profiles for system provided groups, users with a custom profile, rather than a standard profile, are not included in any system provided group. Only users with the standard Vault Owner security profile can edit these groups in order to change the included security profiles. Other details are not editable.
When Manager Groups is enabled in your Vault, Vault creates system-managed groups that include each user’s direct manager. This functionality uses the Manager field on User object records.
For example, Gladys is a manager. Her direct reports are Carla and Cody. Gladys also has a manager, Theresa.
Manager Groups functionality automatically creates the following groups:
- Carla – Manager:
- Gladys (direct manager)
- Cody – Manager:
- Gladys (direct manager)
- Gladys – Manager:
- Theresa (direct manager)
- Theresa – Manager:
- No group members because Theresa’s User record has no selection for Manager
Enabling Manager Groups
You can start using this functionality by selecting the Enable Manager Groups option from Admin > Security Settings > Manager Groups. Once this is enabled, Vault automatically creates manager groups for every User record that includes a Manager field. This happens for User records that already exist in the Vault as well as User records created after enablement. Modifying the Manager field on a User record results in Vault adjusting the affected manager groups.
If you disable the manager groups setting, Vault inactivates all manager groups and removes all members from them.
Using Manager Groups
A user’s manager group appears directly below the user when selecting them in applicable functions, such as:
- During manual assignment
- When adding users or groups to a role
- When sharing views
- When sharing document links
If the Include Manager Groups when selecting workflow participants option is enabled, you also see manager groups when assigning workflow participants.
Note: Manager groups do not appear in group selection picklists or when selecting members in custom sharing rules.
Auto Managed groups are a feature of Dynamic Access Control. Once you begin creating User Role Setup records, you’ll see Auto Managed groups appear.
These groups correspond to User Role Setup records, which include a user reference, a single lifecycle role reference, and one or more document/object field references. User Role Setup records with the same values (excluding the user reference) are placed into the same group. This table shows three example User Role Setup records and their corresponding groups.
|User||Role||Product||Country||Auto Managed Group|
|Thomas Chung||Editor||CholeCap||United States||CholeCap-United States-Editor|
|Gladys Dunford||Editor||CholeCap||United States||CholeCap-United States-Editor|
Vault creates and populates these groups automatically. When User Role Setup records change, Vault checks to see if a new group is needed and reassigns users immediately.
Editing Auto Managed Groups
When editing these groups, you can only turn the Allow selection in configurations setting on and off. No other options are editable. Vault automatically assigns group names based on the field order specified in Admin > Settings > Security Settings.
You can select these groups for runtime tasks, for example, as a recipient for Send as Link or as a task assignee in a workflow start dialog.
The Allow selection in configurations setting controls whether you can use these groups during design and configuration, for example, in configuring field-level security.
If a group becomes invalid because it references a picklist value or object record that is no longer active, you cannot select that group in configurations.
The following configuration options never allow you to select Auto Managed groups because they are part of the pre-DAC access control model:
- Allowed users/default users in document lifecycle role configuration
- Viewer, Editor, and Consumer defaults in the document type configuration
User Provided Groups
Many organizations will need custom groups to manage their business processes. In Vault, a custom group can be manually assigned or dynamically assigned. Manual assignment means that an Admin has to assign individual users to a group.
Automatic assignment uses the Included Security Profiles setting to specify one or more security profiles that correspond to the group. Vault automatically populates these groups with users who have the correct security profiles. For example, the VPharm Internal group may contain users who have the standard Document User and System Admin profiles, as well as the custom VPharm Business Admin profile.
If a user’s security profile changes or the group’s included profiles change, Vault reflects those changes immediately.
How to Create Custom Groups
To create a new, user provided group:
- From the Groups page, click Create.
- Enter the Group Name and (optional) Description.
- Optional: Select one or more profiles in Included Security Profiles. Vault automatically includes any user with the selected security profile in the group.
- Optional: Enable the Delegate access allowed only among group members option as described in the following section.
- Click Save.
- Open the Members tab and click Edit Members.
- Search for users and click the + icon to add them to the group or the – icon to remove them. To search within an existing group, select a group from the picklist.
- When finished, click Close.
Before you can restrict delegate access for individual groups, you must enable this functionality by selecting the Delegate access allowed only among group members checkbox on the Admin > General Settings page.
Next, you can enable the Delegate access allowed only among group members option when configuring a custom group to restrict the pool of delegate candidates a user can select in your Vault. When you enable this option, members of this group will only be able to grant delegate access to other group members.
Vault filters the delegate candidate pool as follows:
- Users must be active
- Users must have the Allow as a Delegate permission
- Users must have at least one common active group membership. For example, if user A belongs to the “US Medical” user group, while user B belongs to the “Canada Medical” group, neither user A nor B would be allowed to delegate access to each other. User C, however, is a member of both the “US Medical” and “Canada Medical” groups, so user A and B would be allowed to delegate access to user C.
See About Permission Sets for information on default access permissions for delegating access.
How to Change Members in a Custom Group
This option is only available for User Provided groups. To change the users that are members of a group:
- From the Groups page, click on the group to modify.
- Open the Members tab.
- Click Add Users to Group.
- In the dialog, search to find users to add or remove. Click the + icon to add a user to the group or the – icon to remove a user who is already in the group. You cannot remove users that Vault automatically includes based on their security profile.
- When finished, click Close.
Admins with the correct permissions can also add an individual user to groups from the Users page.
How to Delete Groups
Deleting a group removes it from your Vault and cannot be undone. If the group has any roles on documents or is involved in an active workflow, you cannot delete it. If you are not ready to permanently delete a group, but want to prevent users from selecting it, you can disable the group. This option is only available for User Provided groups.
To delete a group:
- From the Groups page, click on the group to delete.
- On the Details tab, click Delete.
- Click Continue in the dialog to confirm.
How to Disable Groups
Disabling prevents users from selecting a group, but does not affect active workflows or sharing settings for documents where that group already has a role. This option is only available for User Provided groups. To disable a group:
- From the Groups page, click on the group to disable.
- In the Details tab, click Edit.
- Change the Status value.
- Click Save.
Reporting on Groups
Generating reports on groups lets you easily analyze the relationships between users and groups. This is helpful when aggregating data to see which users belong to what groups for auditing purposes, annual reviews, reconciliations, and many other critical business processes.
How To Configure Reporting on Groups
You configure reports on groups much like any other report type, however, reporting on groups requires the use of the Membership object. To configure reporting on groups, select User or Group as the primary reporting object. Next, add Membership as a down object. Vault automatically adds User or Group as an up object depending on what you selected as your primary reporting object. For details on configuring report types, see Configuring Report Types.
Report viewers must have the Read Group Membership permission in order to see reports of this type.