This article explains how to manage user accounts in a Vault from the Admin > Users & Groups > Vault Users page with the User object. Managing users with the flexibility of Vault objects allows you to create reports based on user data, create custom fields, configure field-level security, reference users directly from documents with lookup fields, inline edit from User record list pages, and more. User accounts exist at the domain level, so in multi-Vault domains, user details are shared across Vaults.
Note: Starting in the 20R1 release, you create all users with the User object. You can access the User object record list page from the Admin > Users & Groups > Vault Users page, Admin > Business Admin, or a custom User object tab, if available.
About the User & Person Objects
The User object contains a record for each existing member of your Vault, while the Person object allows you to add individuals who aren’t domain users to your Vault. See About the User & Person Objects for more details about these objects, the Vault Membership lifecycle, and more.
Note: The User object is provisioned with multiple system-owned user records that appear in all Vaults. These accounts are used to capture actions that are performed by Vault instead of by a user. Although these records are visible when viewing and exporting the User record list, the records are not included in license counts, are read-only, and cannot be referenced by another User or document. The System user record is inactive, is not synchronized with Legacy Users, and does not appear in the Users & Groups tab.
Accessing User Management
To access the user administration area, navigate to Admin > Users & Groups > Vault Users. You can also access the User object record list page from Admin > Business Admin or a custom User object tab, if available.
Domain Admins have additional options when managing users.
Vault uses system managed user accounts to execute various actions and processes. These user accounts are read-only and are not included in license counts. System managed users vary by application and may include:
- Application Owner
- Java SDK Service Account
- MyVeeva Integration User
- Clinical Survey Respondent
- Clinical Transfer
System Managed users have the user object field System Owned User set to Yes.
System Managed users do not appear in picklists when selecting users for data entry purposes (documents, object records, configurations) such as selecting users on a user object reference field, or manually assigning a user into a role for a document or object. However, when selecting users for search or filtering purposes, System Managed users are included. For example, System Managed users appear in picklists when filtering audit log entries by user, when using filters or conditional filters on Vault Reports, or when selecting users while searching for documents or object records (such as filtering on the Created by field).
Each Vault user has a unique user name for logging in. In Vault, all user names include the domain name your company uses for its Vaults. The user name format is username@domainname, for example, firstname.lastname@example.org. Although the user name has the same format as an email address, Vault does not send email notifications to the user name. Vault only sends email notifications to the address in the Email field.
To create a new user account:
- From the Vault Users page, click Create.
- Select an existing Domain User. If a domain user doesn’t exist, select Create Domain User from the drop-down and fill in the required fields in the dialog.
- Fill in the basic user information: User Name, Email, License Type, and Security Profile. If your domain includes multiple Vaults, Vault checks to see if the user name exists in another Vault and auto-fills some fields based on the existing user information.
- If your Vault uses multiple applications, choose an Application License Type for each selected application.
- Fill in the user’s contact information such as Company, Title, and more. Asterisks indicate required fields.
- Select a Timezone for the user. Vault stores time and date information in UTC (Coordinated Universal Time), but displays that information to users in their time zones.
- Select a Locale and Language for the user. These options control localization options for the user (number and date formats and label language, respectively).
- Optional: In the Edit Localized Labels field, select a language to allow the user to view and modify localized labels alongside labels in the Vault’s base language. This field is only available when multilingual labels are enabled in your Vault.
- Configure the user account activation, if needed.
- Set any optional fields as needed.
- Click Save. New users are active immediately unless you selected a later activation date. Vault requires them to update their password the first time they log in.
When new supported languages are introduced, they are available in Limited Release Vaults before they are supported in General Release Vaults. If a user has access to both Limited Release and General Release Vaults and you set the Language field to a language that is only available for Limited Release, she will see some errors in the General Release Vault. To fix this, select a language that is supported in both Vaults.
You can configure these settings as needed when you add a new user:
- Activation Date
- If you select a future activation date, the user will stay in the Pending state until the selected date, when the user will be automatically activated. Vault runs the User Account Activation job daily to activate any users who are scheduled to be activated on that date.
- Send Welcome Email on Activation Date
- If this checkbox is selected, Vault will automatically send a welcome email on the user’s activation date. If you clear this checkbox, the user will not receive a welcome email. This option only applies to newly-created users, not existing users added to a domain.
You can configure these settings as needed when you create a new user or edit an existing one:
- Click the Pencil icon to assign a user profile image. Profile images display throughout the application and are visible to other users. Image files must be in JPG, PNG, BMP, or GIF format and less than 10MB.
- Federated ID
- Enter a Federated ID to associate the user with an external user ID for Single Sign-on or other system integration purposes.
- Security Policy
- Select a Security Policy. This controls password requirements for the user.
- Salesforce Username
- Enter a Salesforce Username to associate the user with a salesforce.com or Veeva CRM user account for delegated authentication. This option will only be available if the selected security policy allows login via salesforce.com. If you leave Salesforce Username blank, Vault will assume that the Vault user name and Salesforce user name are the same.
- Email Preferences
- Select checkboxes to opt users in or out of specific Vault notification emails, including System Maintenance Availability, Product Announcements, favorite document notifications, and more.
From the User record, you can update the user’s profile information, such as the title and company. When editing a user’s profile information, Vault syncs any updated information with the Domain User account fields. If you edit a Person record related to a User record, Vault automatically updates both the User record and the Domain User.
Note: When updating fields for Cross-Domain users, Vault syncs changes across domains and updates all Vaults to which the user has membership.
To edit a User record:
- From the Vault Users page or a list of User records, open a User record details page.
- Click Edit and modify any information as needed.
- Click Save when finished. On save, Vault synchronizes and populates any modified shared fields for the domain user.
Editing a Profile Image
You can edit the profile image from the User record details page:
- From the User record, click Edit.
- Click the Edit icon above the current image.
- In the User Profile dialog, select Upload an image.
- Click Choose and select a picture from your computer. You can also choose to remove the profile picture by selecting Use default image.
- Click OK.
Editing a User Name
You can update the profile user name in the User Name field. User Name is a multi-part field, meaning you can edit the user name but not the domain to which the user belongs. For example, for the user name “johndoe@domain.com”, you can edit the prefix “johndoe”, but you cannot edit “@domain.com”.
You can configure the first tab a user sees after logging into Vault. To change a user’s default landing tab:
- Navigate to Business Admin > Users & Groups > Vault Users.
- Ensure the Landing Tab column shows in the user list. If necessary, add the column to the grid.
- From the user list, double-click into the Landing Tab field for the appropriate user to edit the field in-line.
- Select a tab by choosing one from the list, typing the tab name, or clicking the binoculars icon for advanced search and filter options. Depending on reference constraints configured on the Landing Tab field, you may be able to select a sub-tab as the user’s landing tab. You cannot select an Admin tab.
How to Create a Cross-Domain User
To create a cross-domain user:
- Navigate to Admin > Users & Groups > Vault Users.
- Click the Actions menu and select Create Cross Domain User.
- In the dialog, enter the User Name and select a Security Profile and License Type.
- Click Save. Vault creates a cross domain user.
Deactivating users prevents them from accessing Vault but does not remove the user account from the system. You cannot delete User records, but you can make a user inactive. To make a user inactive, select Make User Inactive from the record’s Actions menu. See details about the Vault Membership Lifecycle.
To reset a single user’s password:
- From the Vault Users page or another list of User records, open a single User record details page.
- Select Reset Password from the Actions menu. This option is available for all Active users.
- Vault sets a temporary password and sends an email notification to the user.
To reset all user passwords:
- Navigate to Admin > Settings > Security Policies.
- Click Reset All Passwords.
- Click Continue in the confirmation dialog.
Note: Users can reset their own passwords from their user profiles.
How to Resend Welcome Emails
To resend a welcome email:
- From the Vault Users page or another list of User records, click to open a single User record details page.
- Select Resend Welcome Email from the Actions menu. This option is available for all Active users.
- Vault resends the welcome email with login instructions to the user.
How to Force Update Security Questions
To force a user to update their security question, select Force Update to Security Question from the Actions menu on a User record. This option is available for all Active users. The next time the user logs in, Vault prompts her to update her security question.
You only see this option if your password security policy requires a security question on password reset.
How to Edit Users’ Group Membership
From the User record, scroll to the Groups section to see the groups to which the user belongs. You can search and filter within the section to find a specific group.
To update the user’s group membership, click Edit Membership. In the dialog, select checkboxes to add the user to groups or clear checkboxes to remove the user. Click Close to save your changes.
You can use the Delegated Access feature to grant a user access to another user’s account. For example, if Thomas leaves work without first delegating his account access, you could delegate Thomas’ account access to another user, Gladys.
To delegate a user’s account access to another user:
- Open the User record. For example, open Thomas’ profile to give Gladys access to his account.
- Navigate to the Delegate Access section.
- Click the Create button to delegate a user.
- In the Delegates field, select the user(s) to whom you want to grant access. See details about delegate requirements below.
- Select a Start Date.
- In the End Date field, select an end date or select Never. If you select an end date, Vault automatically revokes access on that date. With either option, you can return to the User record and manually revoke access.
- Click Grant Access.
- Each user account can be delegated to up to 25 users.
- A single user cannot have delegated access in more than 25 user accounts on a single Vault at a time.
- Users without the Allow as a Delegate permission cannot be selected as delegates.
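The delegate requirements listed above can be checked before granting access or when reviewing a list of existing delegations. This is an added example, not Veeva code or a Vault API: the `Delegation` record, the function names, the sample users, the treatment of the end date as exclusive, and the 90-day review threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Limits stated on this page.
MAX_DELEGATES_PER_ACCOUNT = 25
MAX_ACCOUNTS_PER_DELEGATE = 25


@dataclass(frozen=True)
class Delegation:
    account: str           # user whose account is being shared
    delegate: str          # user receiving access
    start: date
    end: Optional[date]    # None models an End Date of "Never"


def is_live(d: Delegation, today: date) -> bool:
    """Not yet revoked. Assumption: access ends at the start of the end date."""
    return d.end is None or today < d.end


def check_grant(new, existing, allowed_delegates, today):
    """Return the rules a proposed delegation would break (empty list = OK)."""
    problems = []
    live = [d for d in existing if is_live(d, today)]
    if new.end is not None and new.end <= new.start:
        # Sanity check added here; not a rule taken from the page.
        problems.append("end date is not after start date")
    if new.delegate not in allowed_delegates:
        problems.append("delegate lacks the Allow as a Delegate permission")
    delegates = {d.delegate for d in live if d.account == new.account}
    if len(delegates | {new.delegate}) > MAX_DELEGATES_PER_ACCOUNT:
        problems.append("account would exceed 25 delegates")
    accounts = {d.account for d in live if d.delegate == new.delegate}
    if len(accounts | {new.account}) > MAX_ACCOUNTS_PER_DELEGATE:
        problems.append("delegate would hold access to more than 25 accounts")
    return problems


def open_ended(existing, today, max_age_days=90):
    """Review queue: live "Never" delegations older than max_age_days.
    The threshold is an arbitrary review policy, not a Vault setting."""
    return [d for d in existing
            if d.end is None and d.start <= today
            and (today - d.start).days > max_age_days]


# Constructed sample data (user names are illustrative).
TODAY = date(2024, 6, 1)
EXISTING = [
    Delegation("thomas", f"user{i:02d}", date(2024, 5, 1), date(2024, 7, 1))
    for i in range(24)
] + [
    Delegation("thomas", "expired.user", date(2024, 1, 1), date(2024, 2, 1)),
    Delegation("ella", "gladys", date(2023, 11, 1), None),
]
ALLOWED = {"gladys"} | {f"user{i:02d}" for i in range(24)}

if __name__ == "__main__":
    grant = Delegation("thomas", "gladys", TODAY, date(2024, 6, 15))
    print(check_grant(grant, EXISTING, ALLOWED, TODAY))
    print(open_ended(EXISTING, TODAY))
```

The expired delegation does not count toward the limit, so Gladys becomes the 25th delegate on Thomas' account; a 26th request is rejected, and the open-ended delegation on Ella's account surfaces for review.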
How to Revoke Access
To revoke access, return to the User record and navigate to the Delegate Access section. Select Revoke Access from the delegate’s Actions menu. You can also click Edit from the delegate’s Actions menu to modify the delegate user, start date, or end date.
Admins can view, edit, and create new delegates from Admin > Users & Groups > Active Delegations. Click the Actions menu to Edit or Revoke Access to a specific delegation, and use the blue create user button to add a new delegate to this Vault. Clicking a user’s name will bring you to their User record details page.
Remember that because delegation is Vault-specific, only delegations in the current Vault are accessible.
Enabling Delegated Access
To enable delegation, navigate to Admin > Settings > General Settings and select the Enable Vault Level Delegate Access checkbox. Turning on this setting automatically turns on Allow non-Admin users to delegate access to their own accounts, which lets users delegate their accounts through their user profiles. If an organization needs to prevent users from delegating their own accounts, an Admin can turn off the setting. Remember that these settings are Vault-specific, so Admins must turn them on or off for each Vault.
Document Inbox Sharing
From the User record, you can manage document inbox sharing. To add a user or group as an Inbox Editor:
- From the Document Inbox Sharing section of the User object details page, click Create.
- Add one or more users or groups in the Users and Groups box.
- Select a value for the Locked field. Selecting Yes for this field prevents the user from removing these document inbox sharing settings from their Document Inbox page.
- Click Save.
If the Share Inbox Document object is visible in Admin > Business Admin, you can also navigate there to perform bulk actions, search, or use Vault Loader to create records.
Viewing Security Overrides
From the User record, you can view the Security Overrides section. This section displays any field-level security overrides applied to the user or groups to which the user belongs.
How to Grant Access to Veeva Support
On the User record details page, you can grant Vault Support access to a specific user’s account from the Veeva Support section. See Granting Access to Veeva Support for details.
Working in the User Grid
On the Vault Users page, the Actions menu offers options for working with users and editing how data appears:
- Bulk Actions
- Allows you to perform bulk actions on all users or the users on the current page.
- Export the user list to CSV or Excel. See details below.
- Edit Columns
- Allows you to make the most frequently referenced fields on user accounts visible without opening the user detail page and also controls which fields are included when you export the user list.
- Truncate Cell Text/Wrap Cell Text
- Lets you toggle between truncating (showing only the first part of the value) and wrapping (showing any characters that don’t fit on a second line) text that is too big to fit in its column.
- Inline Editing
- Allows you to update field values from the Vault Users page or another list of User records.
These options are available from wherever you view a list of User records. When you use these options to customize how your data displays, the changes do not affect other users. Vault remembers your last selections and reapplies them when you return to the page.
From the Users page, open the Actions menu and select Export to CSV or Export to Text. This action exports the user list that you are currently viewing, ignoring pagination. For example, if you are viewing only active users in the current Vault, the export will not include inactive users or users from another Vault. However, the export will include all “pages” of users, even if your current view limits you to 25 per page. The exported file only includes the visible columns, so you may want to edit columns before exporting.
CSV is only available if your Vault does not use localization settings, and Text is only available if it does.
Note: Vault will not include the following characters in the file name of an export:
< > : “” / , | ? *.
Filtering by Vault Membership Lifecycle State
On the Vault Users page, you can use the drop-down next to the search box to filter the list of users in your Vault. You can select Active Users, Inactive Users, Pending Users, or All Users. Vault always defaults to show active users.
When you search for users on the Vault Users page, Vault executes a “begins with” search on all searchable fields. For example, a search for “thom” would find “Thomas Chung” and “Ella Thomason,” but a search for “hom” would not find either of these users. Vault doesn’t return results when you search on only the letters “V” or “M”.
When you search for users on the Vault Users page and export the list of users, the export only includes users where the search term matches a value in the Name column. If the search returns results that match on other columns, those results don’t appear in the export.
Assigned Study Sites
In Clinical Operations Vaults, the Assigned Study Sites section appears on the User record details page for any user with the Portal User license type. This section allows you to grant a portal user access to a specific study site.
Assigning Security Profiles & User Roles
When you assign security profiles or user roles to users, Vault checks to see if you have all of the permissions included in the security profile or role you’re assigning. Vault does not allow you to assign a profile or role that includes permissions which you do not have. When assigning administrator profiles or roles, it can be helpful to have users separated by the duties they are expected to perform. For example, you can assign the System Administrator security profile to a user who creates, edits, or otherwise manages permission sets, and assign another security profile, User Administrator, to users who assign security profiles or role permissions without needing to interact directly with permission sets.
Starting in the 20R1 release, the object page layout for the User object is the same when you access users from Admin > Users & Groups > Vault Users, from Admin > Business Admin, or from a custom User object tab. The order of fields and sections may be different from the legacy User page. While Groups, Delegate Access, and Veeva Support sections may be available on the User object page layout, only Admins with the appropriate permissions can see these.
In order for Admins to be able to create and edit users with the User object, you need to update the User object page layout to include the following fields:
- First Name (
- Last Name (
- Email (
- User Name (
- Language (
- Locale (
- Timezone (
- Security Profile (
- License Type (
- Domain Admin (
- Security Policy (
- Federated ID (
- Landing Tab (
- Activation Date (activation_date__sys); this field is required in order to create pending users
- Any application license fields, for example, Quality: QMS (
After adding these fields, you should also configure field-level security to either hide them or make them read-only for end users. You should keep all required fields visible when making updates to the User object page layout.
Mobile App Registrations
Mobile App Registrations allow Vault to send push notifications to a device with a Vault mobile application. By default, the Mobile App Registrations section is displayed on the User object page layout. This section allows Admins to manage registrations from the User object record page. To hide it, remove the Mobile App Registrations section from the User object page layout.
Configuring the Landing Tab Field
By default, the Landing Tab field includes a reference constraint that prevents Admins from selecting sub-tabs when assigning a landing tab. You can edit or remove the existing constraint to meet your organization’s business needs. For example, removing the constraint allows Admins to select sub-tabs as default landing tabs.
Configuring Document Inbox Sharing Related Object Section
By default, the Document Inbox Sharing related object section appears on the User object page layout, but an Admin can remove it if necessary.
The following permissions control your ability to create and manage users with the User object:
- Admin: Users: Manage User Object
- Ability to create and modify User object records. This permission also controls Vault’s ability to synchronize updates to User records with domain user fields. It also controls whether Vault displays the Mobile App Registrations section, if enabled.
- Admin: Users: Read
- Ability to see the Security Overrides section on the User object page layout.
- Admin: Users: Assign Group
- Ability to see the Groups section on the User object page layout and assign a user to groups from the User record.
- Admin: User: Grant Login Support
- Ability to give Vault Support user account access for a specific user from Users & Groups > Vault Users.
- Admin: Users: Delegate Admin
- Ability to see the Delegate Access section on the User object page layout and give delegate access to another user’s account from the User record. On multi-Vault domains, you must have this permission in each Vault to which the user has access.
- Admin: Users: Add Cross-Domain Users
- Ability to add cross-domain users from Users & Groups > Vault Users.
- Admin: Object: Media: Read
- Ability for users to view the profile image on User and Person object records.
- Objects: User Role: Read, Create, Edit, and Delete
- Ability to add, edit, or remove User Roles on a User object record.
- Objects: Share Inbox Documents: Read, Create, Edit, and Delete
- Ability to add, edit, or remove Share Inbox Documents records on a User object record.