A company using Vault can have one or more domains and a domain can contain one or more Vaults. Domains with more than one Vault are often called “multi-Vault domains.” With multiple Vaults in a single domain, you can switch between Vaults without logging out and logging in again, as long you have access to both Vaults. In a typical setup, a customer has one domain that contains all of their production Vaults and one domain that contains sandbox or training Vaults. In each Vault user name, the domain is everything after the @ symbol. For example, the user firstname.lastname@example.org is on the veevapharm.com domain.
See examples of organizations using multi-Vault domains below.
Users at the Domain Level
When you create a user, Veeva actually stores the user at the domain level and grants that user access to the Vault in which you’re currently working. If you then attempt to create a user on a different Vault using the same user name, Vault prompts you to add the already-defined user. Features that support user login (security policies, network access rules, single-sign on settings, etc.) are also defined at the domain level and automatically applied to that user across all Vaults in the domain.
Login Audit History
Although user accounts exist at the domain level, admins can see Vault-level login events through the Login Audit History.
When Admins enable or disable a feature, that setting usually only applies to a single Vault. However, there are several features for which enablement occurs at the domain level. When Admins enable one of these, the feature becomes active on all Vaults within the domain. There are also settings that apply at the domain level, rather than the individual Vault level. To modify any of these, you must have the Domain Admin user setting.
- My Vaults Page: Enabling this feature makes the My Vaults page available for all users in the domain who have access to more than one Vault.
- Single Sign-on (SSO): Enabling this feature makes SSO available for all Vaults in the domain and SSO settings happen at the domain-level. However, the feature only affects users with an SSO security policy, you can configure security policies in such a way that only users on specific Vaults sign in with SSO. Note that the user and the user’s security policy exist at the domain level, so a user with access to multiple Vaults logs in the same way for all Vaults.
- Security Policies: A security policy defines password requirements, delegated authentication and Single Sign-on. Configuration of security policies happens at the domain level, as does assignment of a security policy to a user.
- Network Access Rules: Network access rules limit the IP addresses from which specific users can log in, based on those users’ security policies. Configuration of these rules and assignment to security policies happens at the domain level.
Settings that Veeva applies at the domain-level (to all Vaults in the domain) are editable from Admin > Settings, under the Domain Settings heading. These settings include network access rules and security policies. To modify these settings, you must have the Domain Admin user setting, as well as a security profile that grants the Admin: Domain Administration permission.
From the Domain Information page, you can update Session Duration for the domain, which controls the maximum amount of time users can be idle before Vault UI and Vault REST API automatically logs them out. When using the API, a user is considered idle after their last request finishes executing.
The Session Duration options are 10 minutes, 15 minutes, 20 minutes, 30 minutes, 45 minutes, 1 hour, 2 hours, 4 hours, 8 hours. For example, a Session Duration of 10 minutes means a user will be automatically logged out after 10 minutes of inactivity. When using the Vault REST API, the authenticated user’s session ID would expire 10 minutes after their last request finished executing.
In addition to inactivity, a user’s session can end if there are major security changes such as password changes or account deactivation. The maximum amount of time a session can remain active is 48 hours, even if the user is not idle.
Each domain has at least one user with the user setting Domain Admin. Users with the Domain Admin access setting and the correct permissions can manage domain-level settings and manage users across Vaults. See details about domain-level features and settings.
One of the key advantages of a multi-Vault domain is that a user can access all Vaults after logging in once. Sharing a domain also ensures that user login-based security settings (password length, password history, etc.) are defined just once and consistently applied across all users in the domain. My Vaults provides users with the ability to see assigned tasks and search documents across multiple Vaults on the same domain.
Multi-Vault domains can be useful when:
- Your organization uses multiple applications. Each Vault must use a single application family (Commercial, Clinical Operations, RIM, etc.), so in order to support multiple application families, you must use separate Vaults.
- Your organization needs to support significantly different processes for different regions/countries. By creating Vaults for each country or region, each Vault can have its own configuration to match that area’s processes.
Note that Vaults on the same domain do not need to use the same data center. If you create separate Vaults for each country, each Vault can use the data center closest to the majority of its users. This provides those users with the best possible system performance.