Organizations that have various business partners working in a single Vault may want to restrict how Vault displays user information of other users based on their affiliated organization. With user security, you can configure Dynamic Access Control (DAC) on the User object, and choose to hide or reveal identifying details such as first and last name, user name, and email that other users can view. Although user security shares some common capabilities with Hide User Information, they are mutually exclusive and cannot be used together.
User security primarily leverages standard DAC behaviors such as the ability to control record visibility but also allows you to mask references to users in objects, documents, and notifications.
For example, Sunstar Labs works with partner organizations Enviro-Chk and Medi-Review. Enviro-Chk verifies that Sunstar Labs’ manufacturing tools are environmentally safe, while Medi-Review is responsible for medical and legal review of promotional materials. While it’s necessary for Enviro-Chk to see user information from Sunstar Labs, it isn’t essential to see information on Medi-Review users. To prevent Enviro-Chk users from seeing Medi-Review user information, a Sunstar Labs admin configures user security on Enviro-Chk users and disables the Read permission for all Medi-Review user records. When Mary of Enviro-Chk logs in and views a document that Cody of Medi-Review created, The Created By field displays “Vault User”, instead of Cody’s name and information.
Masking User Information
When compared to Hide User Information, which is enforced only in Vault’s UI, configuring DAC on the user object offers a more robust way to secure users in Vault. The following list includes expected behaviors for masking user information based on the DAC setup:
- User picklists in objects, documents, and workflows only display user records the user has access to.
- User reference fields such as Created By, Modified By, or any other user object reference fields display a masked user name (Vault User) for referenced user records that configured users don’t have access to.
- Vault masks the user name and displays “Vault User” when hovering over groups.
Configuring User Security
To best support user security, we recommend the following when enabling DAC:
- When enabling DAC, by default, users cannot view other users in Vault. When you enable DAC, we recommend provisioning role setup records.
- Enable Matching Sharing Rules
Vault does not enforce DAC on the following:
- Audit Logs
- Electronic Signatures
- Document notifications (including favorite notifications)
- Object notifications
- Flash Reports
- Configuration UI
- Users & Groups UI
- Delegated User accessing a user’s profile page
Additionally, searching on a non-visible user name returns set documents or objects referencing the user in the results.