In Vault, each user has an assigned license type and security profile. Each security profile has one or more permission sets. The license type is the first level of access control that Vault applies to a user. Permission sets, applied through the user’s security profile, are the second level of access control. Both the license type and permission set must grant access to a user in order for that user to access the functionality. Other access control for a user is based on the user’s role permissions on a specific document, document type settings, and dynamic access control settings for individual object records.
Admins must have a permission set that grants the Admin: Users: Edit permission to change a user’s license type or security profile.
Note: For domain-level settings, a user must have the Domain Admin user setting in addition to a security profile that grants the correct permissions.
License Types
Vault includes the following license types:
- Full Users are the most common license type. Their license type does not block access to any functionality; these may be regular users or administrators. This is the only license type that allows a user to access Admin functionality. This license type also grants users access to FTP servers. While system-owned users operate with Full User licenses, they are not included in license counts.
- Read-only Users have extremely limited access. They cannot access reports or dashboards (though they can receive flash report emails), edit documents, binders, or object records, initiate workflows, or access the Admin or Business Admin tab collections. They can sign Read & Understood workflow tasks, but cannot otherwise participate in workflows. With the required permissions, Read-only Users can view documents, including document field values and audit trails. They can view and download source files and renditions. They can also review object records, but not via the Business Admin tab collection. They cannot view the Lifecycle Stages Chevron panel on the Doc Info page or object record detail page. In Vaults that use Document Archive, Read-only Users cannot access the Archive tab.
- External Users are users outside your company who have slightly limited access; these users have most functionality, but Vault prevents them from accessing reports or dashboards (though they can receive flash report emails), using bulk document action, or creating CrossLink documents. With the required permissions, they can access the Business Admin tab collection, but can only view object record lists, and they can manage anchors on a document. Note that External User accounts must use an email address with a different domain from the Vault’s domain. This license type also grants users access to FTP servers.
- Portal Users (eTMF only) have slightly limited access; they have most functionality, but cannot access Admin, use reports and dashboards, or see configured custom tabs. When creating documents or using the Study Selector, they can only see Study, Study Country, Study Site, and Product records to which an Admin has granted them access. In order to prevent them from seeing information about other sites, the search suggestion feature is not enabled for these users.
- Site Users (Clinical Operations only) have access to a tailored Vault homepage, and benefit from Site User privacy controls. Other Vault access is determined by the selected security profile. Note that this license type is not available in new implementations. Veeva Site Connect provides similar functionality, enabling sponsors and CROs on Clinical Operations Vaults to securely exchange documents, document requests, and data with sites on SiteVault Vaults.
- View-Based Users (PromoMats and Vault Medical only) have extremely limited access; these users can only view documents (including annotations) and download documents. The system tracks the number of document views across all users with this license type against a pre-purchased set of views for the Vault.
- Learners (Vault Training only) have significantly limited access. These users can view documents and complete training assignments.
Application Licensing
Some Vaults use multiple applications, for example, a RIM Vault with Submissions and Registrations. In these Vaults, users have a license value for each application they can access. Application licensing lets the system track available licenses at the application level but does not control a user’s access in most Vaults. A single user assigned to three (3) applications will use three (3) application licenses, not one (1). Some license values may be unavailable depending on the application.
Note: Application licensing is only applicable to the following product families that utilize a user-based licensing model: Quality, QualityOne, RIM, RegulatoryOne, Safety, Medical, Commercial, Vault CRM, and Veeva Claims.
Quality Application Licenses
The table below lists the license values available depending on the Quality Suite application:
| Application | Valid License Values |
|---|---|
| QualityDocs | Full User, External User, Read Only User |
| Vault Training | Full User, External User, Learner User |
| Study Training | Full User, External User, Learner User |
| Station Manager | Full User |
| QMS | Full User, External User |
| Vault Product Surveillance | Full User, External User |
| Validation Management | Full User, External User |
| Batch Release | Full User |
RIM Application Licenses
The table below lists the license values available depending on the RIM Suite application:
| Application | Valid License Values |
|---|---|
| Registrations | Full User |
| Submissions | Full User, External User, Read Only User |
| Submissions Archive | Full User |
| Submissions Publishing | Full User |
License Exception Summary
The license exception summary assists Admins with identifying users with invalid application licenses and interpreting warning messages resulting from users attempting to access objects and tabs that are not part of their assigned license.
The downloaded license exception summary lists users with one or more exceptions and is ordered by who has the most recent license exceptions. The summary logs the following exceptions for each user, including the date and time of the exception:
- Last License Type Exception: Occurs when the value for a user’s License Type field is more permissive than the assigned application license values. For example, if a user has a License Type of Full User but is assigned Read-Only for all applications, their License Type should be Read-Only.
- {Application Name} - Last License Exception: Occurs when a user selects an incorrect license value for an application. For example, “QualityOne: QMS - Last License Exception” will appear in the summary if a QMS user is assigned a Read-Only license value.
- {Application Name} - Last Object or Tab Exception: Occurs when a user accesses an object or tab not permitted by their application license. The summary includes the last three (3) object or tab exception details.
Vault informs users of license exceptions in the form of warning banners. A user will encounter a warning banner if they attempt to view, create, or delete an object record or view a tab not permitted by their application license. If a user edits the configuration of an object not permitted by their application license, this exception is only visible in the license exception summary.
If a user encounters a warning banner, you should either update their application licensing to ensure they have access to the object or tab, or update the user’s security profile and permission sets to remove objects and tabs they don’t need access to.
Downloading the License Exception Summary
To download your Vault’s most recent summary, navigate to Admin > Settings > General Settings and click Download Exception Summary under the License Exceptions section. Next to the hyperlink, Vault displays the last date and time an exception was detected. The hyperlink is not available if Vault does not detect any exceptions.
Creating Users with Application Licenses
Keep the following recommendations in mind when creating users with application licenses:
- The License Type field is always hidden and defaulted on a User record’s details page, but is visible from the User object list view. When updated, application licenses are defaulted accordingly. We recommend always updating a user’s application license instead.
- When adding Vault membership assignments for domain users, you can still select a License Type. Application licenses are defaulted accordingly. We recommend updating the application license value from the User record’s details page.
Security Profiles
Security profiles are how Vault applies permission sets to individual users. Each profile has one or more associated permission sets.
Standard Security Profiles & Permission Sets
Vault includes several standard security profiles and associated permission sets. Each of these corresponds to a Vault user type from the previous releases and grants the same access as the user type. These are not editable, but Admins may disable them if needed.
| Security Profile | Permission Set | Description |
|---|---|---|
| Document User | Full User Actions | This profile grants full non-administrator application access (reports, workflows, etc.), but does not grant access to the Admin tab collection or to administrator actions (bulk update, merge anchors, create CrossLinks, etc.) in the Vault area. |
| Read-Only User | Read-Only User Actions | Permissions for this profile align with the Read-only Users license type access. |
| External User | External User Actions | Permissions for this profile align with the External User license type access. |
| Business Administrator | Business Administrator Actions | This profile grants “read” access to most parts of the Business Admin tab collection, edit access to some areas (create/edit/delete overlays, assign users to groups, etc.), and full access to all object records. The profile provides access many of the administrator actions in the Vault area (bulk update, merge anchors, create CrossLinks, etc.), but prevents access to some actions (cancel checkout, make saved views mandatory, “Vault Owner Actions,” etc). |
| System Administrator | System Administrator Actions | This profile grants “read” access to all of the Admin tab collection, edit access to all areas except Security Settings, and full access to all object records. The profile provides access to all of the administrator actions in the Vault area except those under “Vault Owner Actions” (All Document Read, Power Delete, etc.). |
| Vault Owner | Vault Owner Actions | This profile grants edit access to all of the Admin tab collection (including domain settings) and full access to all object records. (Users must also have the Domain Admin user profile setting to manage domain settings.) The profile provides access to all of the administrator actions in the Vault area including those under “Vault Owner Actions” (All Document Read, Power Delete, etc.). |
| Legal User | Legal Actions | This profile grants read, create, edit, and delete permission to records in the Legal Hold object. Users with this profile can apply and remove legal holds on documents. Users with this profile must have document role permissions to perform Legal Actions. |
| Portal Experience User | Portal Experience User Actions | This profile grants users the ability to access a Brand Portal without requiring additional access to Vault or in-depth Vault training. Users with this security profile only see Brand Portals and have no other access to or permissions in Vault. This is only available for PromoMats and MedComms Vaults. |
| View-Based User | View-Based User Actions | Permissions for this profile align with the View-Based Users license type access. This is only available for PromoMats and MedComms Vaults. |
| External IIS User | IIS External User Actions | This profile grants the ability to view, create, and edit Investigator Initiated Study records and to view IIS related records and documents. This is only available for Clinical Operations Vaults. |