# Configuring Atomic Security for Documents

Atomic Security allows more granular control for various actions. Atomic Security for Documents is available for active workflow actions and for configured document lifecycle actions. With Atomic Security for Documents, Admins can define access to actions by document lifecycle state and document lifecycle role. For example, users in the _Editor_ role may be able to access **Cancel Workflow** while a document is in _Review_ state, but not in other states.

Active workflow actions are options for workflow instances that are in progress, for example, _Add Participants_ and _Cancel Workflow_.

Configured document lifecycle actions allow users to start a workflow and change a document's state. Some Vaults include custom document actions as well. With or without Atomic Security, this access is controlled by document role and document lifecycle state. When using Atomic Security, however, Vault provides access control at the action level. For example, there may be two user actions to start workflows for a document in _Review_ state: **Start Review** and **Start Rush Approval**. A user in the _Editor_ role could have access to **Start Review**, but not **Start Rush Approval**. Without Atomic Security, the user role permissions would allow access to all configured start workflow actions.

## Changes to Document Security

Atomic Security for Documents: Active Workflow Actions and Atomic Security: Document Lifecycle Actions are enabled in all Vaults. Enabling these features makes the following changes on document lifecycle and security pages:

  * The **Atomic Security** tab appears in the lifecycle state configuration.
  * **Start Workflow** permission disappears from the security matrix.
  * **Change State** permission disappears from the security matrix.
  * **Multi-Channel Actions** permission appears in the security matrix.

### Migration (Document Lifecycle Actions)

There should be no changes to user access in your Vault. To make this possible, Vault performed the following migration actions:

  * For all configured user actions (previously controlled by _Start Workflow_ and _Change State_ permissions), Vault set the _State Behavior_ to _Execute_.
  * Vault applied overrides to hide these actions for any role that did not include the controlling permission before enablement.
  * Vault granted access to the new _Multi-Channel Actions_ permission for any roles that included the _Start Workflow_ permission.

### Multi-Channel Actions Permission (Document Lifecycle Actions)

In previous releases, access to certain Multichannel functionality was controlled by the **Start Workflow** permission. Atomic Security for Documents introduced the new **Multi-Channel Actions** permission to control these actions:

  * Create Presentation
  * Send to CLM
  * Preview CLM

### Document Workflow (Formerly Multi-Document Workflow) Actions

The enablement of Atomic Security for Documents results in the following changes to document workflow (formerly multi-document workflow) action access:

* By default, the Atomic Security behavior option for user actions that start document workflows is _Execute_. Previously, these actions were hidden in individual document action menus if the role did not have _Start Workflow_ permission in its security configuration. With this change, the actions are visible without this permission. Even before this change, users could start these workflows from bulk views such as **Cart**, **Favorites**, or **Recent Documents**.
* Atomic Security now brings consistent access enforcement. Admins can prevent users from starting document workflows in both individual document action menus and bulk views via Atomic Security configuration.
* Previously, only workflow initiators could perform the **Remove Content** action, an active workflow action that applies only to document workflows with multiple documents. With this Atomic Security enablement, the default behavior for all roles for the **Remove Content** action is now _Execute_, which allows participants to remove content. This default can be overridden by state and role-based Atomic Security.


## Accessing Atomic Security Settings {#accessing-atomic-security-settings}

To access Atomic Security settings for a lifecycle state, navigate to **Admin > Configuration > Document Lifecycles > [Lifecycle] > States > [State] > Atomic Security**.

<img class="docimage" src="https://platform.veevavault.help/assets/images/Atomic_Security_Docs_20R14.png" alt="Atomic Security Settings" />

## How to Set Behavior for Actions {#workflow-actions}

When configuring Atomic Security for document lifecycle states, you first set the default behavior and then overrides for specific roles. The default behavior will apply to any new roles created, and to any roles where an override is not set. If access to an action should be more restrictive, you would set the **State Behavior** to **Hide** or (for document lifecycle actions only) **View**, which ensures that only roles explicitly given access can execute the action. If access to an action should be less restrictive, you would set the **State Behavior** to **Execute**, which ensures that all roles have access unless explicitly prevented.

Remember that Atomic Security configuration happens within a single lifecycle state, so access to an action may be more or less restrictive based on the document's state.

Note that access to the **Cancel Task** and **Reassign Task** actions in single-document workflows depends on the options selected in the task configuration, rather than Atomic Security.

To set default and override behavior for workflow actions:

  1. From the **Atomic Security** tab, click **Edit**.
  2. Select a default **State Behavior** for each action.
  3. Create overrides by clicking **+ Role Override**.
  4. Within the _Search: Lifecycle Role_ window, click the green **+** icon for one or more roles. Click **OK** when finished.
  5. In the grid, select an [override behavior][1] for each role.
  6. Click **Save**. Changes to Atomic Security go into effect immediately.

### Behavior Options {#behavior}

When setting a default and override behavior, you see the following options:

  * **Hide** will hide the action from users, preventing it from appearing in the workflow **Actions** menu.
  * **View** (only available for document lifecycle actions) will allow users to see the option in the document **Actions** menu, but it will be grayed out and not clickable to prevent them from executing the action on a document.
  * **Execute** will allow users to execute the action on a document.
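
The default-plus-override model described above can be checked offline before a configuration is saved. The following is an added example, not Vault code or a Vault API: the dictionary layout, the function names, and every role other than _Editor_ are assumptions made for illustration. It resolves the effective behavior per role in one lifecycle state and lists actions whose default is _Execute_, since those are open to any new role without an override.

```python
HIDE, VIEW, EXECUTE = "Hide", "View", "Execute"

# Constructed sample for one lifecycle state (Review). Action names follow the
# page's examples; the dict layout is hypothetical, not a Vault export format.
REVIEW_STATE = {
    "Start Review": {"kind": "lifecycle", "default": HIDE,
                     "overrides": {"Editor": EXECUTE, "Reviewer": VIEW}},
    "Start Rush Approval": {"kind": "lifecycle", "default": HIDE,
                            "overrides": {"Approver": EXECUTE}},
    "Cancel Workflow": {"kind": "active_workflow", "default": EXECUTE,
                        "overrides": {"Viewer": HIDE}},
}


def validate(state_cfg):
    """Return config errors; View is only valid for document lifecycle actions."""
    errors = []
    for action, cfg in state_cfg.items():
        settings = [("default", cfg["default"])] + sorted(cfg["overrides"].items())
        for where, behavior in settings:
            if behavior not in (HIDE, VIEW, EXECUTE):
                errors.append(f"{action}/{where}: unknown behavior {behavior!r}")
            elif behavior == VIEW and cfg["kind"] != "lifecycle":
                errors.append(f"{action}/{where}: View not available for this action")
    return errors


def effective_behavior(state_cfg, action, role, bypasses_atomic_security=False):
    """A role override wins; otherwise the state default applies (also to new roles)."""
    if bypasses_atomic_security:  # e.g. Vault Owner profile, per the page's note
        return EXECUTE
    cfg = state_cfg[action]
    return cfg["overrides"].get(role, cfg["default"])


def permissive_defaults(state_cfg):
    """Actions whose default is Execute: any role without an override can run them."""
    return sorted(a for a, cfg in state_cfg.items() if cfg["default"] == EXECUTE)


def executors(state_cfg, action, roles):
    """Roles from `roles` that can execute `action` in this state."""
    return sorted(r for r in roles if effective_behavior(state_cfg, action, r) == EXECUTE)


if __name__ == "__main__":
    roles = ["Editor", "Reviewer", "Approver", "Viewer", "Contractor"]  # Contractor: new role
    for action in REVIEW_STATE:
        print(f"{action:20} -> {executors(REVIEW_STATE, action, roles)}")
    print("permissive defaults:", permissive_defaults(REVIEW_STATE))
```

Because configuration is per lifecycle state, a review of this kind has to be repeated with each state's settings.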

## Related Permissions

The following permissions control access to Atomic Security configuration:

<table class="wbord">
  <tr>
    <td>
      <p>
        <strong>Type</strong>
      </p>
    </td>
    <td>
      <p>
        <strong>Permission Label</strong>
      </p>
    </td>
    <td>
      <p>
        <strong>Controls</strong>
      </p>
    </td>
  </tr>
  <tr>
    <td>
      <p>
        Security Profile
      </p>
    </td>
    <td>
      <p>
        Document Lifecycles: Edit
      </p>
    </td>
    <td>
      <p>
        Ability to modify settings in the <strong>Atomic Security</strong> tab for document lifecycle states
      </p>
    </td>
  </tr>
</table>

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Workflow Initiators and Coordinators have access to workflow actions regardless of permissions or Atomic Security Settings. Vault also bypasses Atomic Security for users with the standard <em>Vault Owner</em> security profile.</p>
    </div>
  </div>
</div>



 [1]: #behavior
