Custom Sharing Rules is part of Dynamic Access Control for object records. When using Custom Sharing Rules (rather than Matching Sharing Rules) for an object, Vault manages users’ roles on specific object records by matching rule criteria to specific user assignments. For example, on Marketing Campaign records where the Agency is DKI Direct, Gladys is an Editor and Thomas is an Owner.
You can enable Custom Sharing Rules for specific objects to provide a more granular level of security for one object without affecting others.
Note: When implementing any custom security or access control, Admins should perform UAT (User Acceptance Testing) before making changes on a production site. Some changes can affect application-specific functionality in ways that make Vault difficult to use.
Before starting any Custom Sharing Rules implementation, we recommend that you consult Veeva Services. You should have a plan in place for the sharing rules you will create.
We recommend enabling Configuration Mode while completing the following tasks. Once you enable Custom Sharing Rules for an object, all users will lose access to the object records until you’ve fully configured the rules.
- Create user groups that you plan to use in your sharing rules from Admin > Users & Groups > Groups.
- From Admin > Configuration > Objects > [Object] > Details, enable Custom Sharing Rules. You can return to the object configuration page at any time and disable Custom Sharing Rules. If you are not also using Matching Sharing Rules, the previous functionality returns immediately: security profiles provide object-level control over editing object records and all users can view or select all records.
- Optional: Select the Use Action Security to control Sharing Settings checkbox. This allows you to configure action security on sharing settings to control user access to sharing settings for each record, role, and lifecycle state.
- From Admin > Configuration > Objects > [Object], navigate to the Sharing Rules section. Set up custom sharing rules to dictate how Vault assigns users and groups to specific object records.
When creating a sharing rule, you’ll first define a query against the records for an object, and then select users and groups to assign to a specific role on all records that match your query.
How to Create Sharing Rules
To create a sharing rule:
- Navigate to the object configuration details: Admin > Configuration > Objects, and then click on the specific object.
- Click into the Sharing Rules tab.
- Enter a descriptive Label for the rule. The label will be visible in the object records’ Sharing Settings.
- Enter a Name for the rule. This will be visible through the API.
- Optional: Enter a Description. The description only appears in the sharing rule’s details page.
- Under Rule Criteria, define the query parameters by selecting an object field, operator, and value. Create additional rows by clicking Add condition. Remove rows by clicking the minus (-) icon.
- Click Save.
- In the Roles panel, click + Add to select users/groups and the roles they should receive. In the dialog, select a Role and one or more Users and Groups, then click Save. Repeat this step to add all the needed assignments.
- If you make a mistake assigning access or need to remove a user/group later, use the actions menu on the individual assignment and select Remove.
When you initially create a rule or modify the query for an existing rule, Vault must reindex records to apply the new settings. This may take several minutes. A yellow bar appears at the top of the screen to indicate progress.
How to Modify Sharing Rules
To modify a sharing rule, return to the Sharing Rules tab on the object configuration and click into a specific rule:
- Click Edit to change the label, name, description, or query.
- In the Roles section, use the Add + button to create new user/group assignments in the rule. Use the actions menu on each assignment row to remove a user/group assignment from the rule.
- Click Delete to permanently remove the rule.
Under Rule Criteria, you define a query against the object’s records. For example, all Product records where the Therapeutic Area equals Veterinary. Rule Criteria accepts a VQL query. This is only appropriate for technical users but allows you to define a complex query. Learn more about VQL for sharing rules on the developer portal.
Sharing rule criteria can use fields from the object that is being queried, including fields that reference another object. They cannot use fields that belong to referenced objects, aside from the label field. For example, a query on Site could use Site Status and Study Number, but could not use Study Type because that field belongs to a different object.
All field types except DateTime and Formula are available.
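The following is an added example, not Vault's API or Veeva's code: an offline Python model you could use during UAT planning to check draft rule criteria against the field restrictions above and to see which sample records would receive no role assignment from any rule. Field names, operators, rule names, records, the Viewer role, the All Marketing group, and the assumption that condition rows are combined with AND are all constructed for illustration.

```python
# Offline model of custom sharing rules for UAT planning. Not Vault's API:
# field names, operators, records and helper names are all constructed.
DISALLOWED_TYPES = {"DateTime", "Formula"}   # field types the page excludes
FIELDS = {"agency": "Object", "status": "Picklist",   # fields on the object
          "budget": "Number", "launched_at": "DateTime"}
OPS = {"equals": lambda a, b: a == b,
       "not_equals": lambda a, b: a != b,
       "greater_than": lambda a, b: a is not None and a > b}

def validate_rule(rule):
    """Return problems with a rule's criteria; an empty list means usable."""
    problems = []
    for field, op, _value in rule["criteria"]:
        if field not in FIELDS:
            problems.append(f"{field}: not a field on the queried object")
        elif FIELDS[field] in DISALLOWED_TYPES:
            problems.append(f"{field}: {FIELDS[field]} fields are not available")
        if op not in OPS:
            problems.append(f"{op}: unknown operator")
    return problems

def matches(rule, record):
    # Assumption: condition rows are combined with AND.
    return all(OPS[op](record.get(f), v) for f, op, v in rule["criteria"])

def effective_roles(rules, records):
    """Map record id -> {role: members} using only rules that validate."""
    out = {r["id"]: {} for r in records}
    for rule in rules:
        if validate_rule(rule):
            continue  # an invalid rule contributes no assignments
        for rec in (r for r in records if matches(rule, r)):
            for role, members in rule["roles"].items():
                out[rec["id"]].setdefault(role, set()).update(members)
    return out

def uncovered(rules, records):
    """Record ids that receive no role assignment from any rule."""
    return sorted(i for i, roles in effective_roles(rules, records).items() if not roles)

RULES = [  # constructed; the first mirrors the DKI Direct example
    {"name": "dki_direct", "criteria": [("agency", "equals", "DKI Direct")],
     "roles": {"Editor": {"Gladys"}, "Owner": {"Thomas"}}},
    {"name": "recent", "criteria": [("launched_at", "greater_than", "2024-01-01")],
     "roles": {"Viewer": {"All Marketing"}}},
    {"name": "by_agency_type", "criteria": [("agency_type", "equals", "Digital")],
     "roles": {"Viewer": {"All Marketing"}}},
]
RECORDS = [  # constructed sample records
    {"id": "MC-001", "agency": "DKI Direct", "status": "Active", "budget": 5000},
    {"id": "MC-002", "agency": "Other Agency", "status": "Active", "budget": 900},
]
```

Here the second rule is rejected for using a DateTime field and the third for using a field that belongs to the referenced Agency object, so MC-002 ends up with no assignment, which is the kind of gap to close before enabling Custom Sharing Rules on the object.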
When you configure custom sharing rules or matching sharing rules for an object, the page layout includes a Sharing Settings section. Here, you can control the roles that each user has for specific object records.
To enable and set up Custom Sharing Rules, your security profile must grant the Admin > Objects > Edit permission.