In Vault, permission sets are a way to group permissions together. Security profiles or user roles then use the permission sets to grant or restrict users’ access to certain features, particularly system administration functions such as user management or object record creation. For example, the permission sets applied to the IT Administrator security profile allow users with that profile to manage users and groups, but not studies and sites.

Accessing Permission Set Configuration

To configure permission sets, you must have the Admin: Permission Sets: Read, Create, Edit, and Delete permissions.

With the right access, you can manage permission sets from Admin > Users & Groups > Permission Sets.

About ‘All’ Permissions

Throughout the permission sets configuration, there are permissions like All Configuration and All Audit. Granting these permissions gives users all permissions under them. However, this functions differently from simply selecting each sub-permission. If a future release of Vault adds new permissions to an area, permission sets with the ‘All’ permission will automatically select those new permissions.

About Permission Dependencies

Granting certain permissions automatically grants additional permissions. When editing, these dependent permissions will be greyed out as long as their controlling permission is selected.

For example, when you grant the Web Actions: Delete permission, you automatically grant the Web Actions: Edit permission.

About User Role Permissions

As an added layer of access alongside security profiles, you can optionally grant permissions with User Roles added to User records. This can simplify complex security profile configurations. See Managing Permissions with User Roles for more information.

Admin Permissions

Access to administrator-type functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings on the Admin tab of the Permission Sets page.

Note that in addition to license type, security profile, user role, and permission set, some access is controlled by the Domain Admin user setting.

Configuration

Permission Access Details
Configuration: All Configuration Grants all ‘Configuration’ permissions; individual permissions are explained below.
Configuration: All Configuration Read Grants all ‘Read’ permissions in ‘Configuration’; individual permissions are explained below.
Email Settings: Read Grants read-only permission to the Configuration > Email Settings page
Email Settings: Edit Grants edit permission to the Configuration > Email Settings page
Login Message: Read Grants read-only permission to the Configuration > Login Message page
Login Message: Edit Grants edit permission to the Configuration > Login Message page
Business Admin Menu: Read This permission has been deprecated. Although it appears in the UI, it doesn’t control access to any part of Vault.
Business Admin Menu: Edit This permission has been deprecated. Although it appears in the UI, it doesn’t control access to any part of Vault.
Picklists: Read Grants read-only permission to the Business Admin > Picklist page
Picklists: Edit Grants edit permission to the Business Admin > Picklist page
Tags: Read Grants read-only permission to the Configuration > Document Tags page.
Tags: Edit Grants edit permission to the Configuration > Document Tags page.
User Account Emails: Read Grants read-only permission to the Configuration > User Account Emails page
User Account Emails: Edit Grants edit permission to the Configuration > User Account Emails page
Lifecycle Colors: Read Grants read-only permission to the Configuration > Lifecycle Colors page
Lifecycle Colors: Edit Grants edit permission to the Configuration > Lifecycle Colors page
Pages: Read Grants read-only permission to Configuration > Pages
Pages: Edit Grants edit permission to Configuration > Pages
Searchable Object Fields: Read Grants read-only permission to the Configuration > Searchable Objects page
Searchable Object Fields: Edit Grants edit permission to the Configuration > Searchable Objects page
Tabs: Read Grants read-only permission to the Configuration > Tabs page
Tabs: Create Grants the ability to create new tabs in the Configuration > Tabs page
Tabs: Edit Grants the ability to edit existing tabs in the Configuration > Tabs page
Tabs: Delete Grants ability to delete existing tabs in the Configuration > Tabs page
Tab Collections: Read Grants read-only permission to the Configuration > Tab Collections page
Tab Collections: Create Grants the ability to create new tabs collections in the Configuration > Tab Collections page
Tab Collections: Edit Grants the ability to edit existing tab collections in the Configuration > Tab Collections page
Tab Collections: Delete Grants ability to delete existing tab collections in the Configuration > Tab Collections page
Document Web Actions: Read Grants read-only permission to the Configuration > Web Actions page
Document Web Actions: Create Grants ability to create new web actions in the Configuration > Web Actions page
Document Web Actions: Edit Grants ability to edit existing web actions in the Configuration > Web Actions page
Document Web Actions: Delete Grants ability to delete web actions in the Configuration > Web Actions page
Object Web Actions: Read Grants read-only permission to the Configuration > Object Web Actions page
Object Web Actions: Create Grants ability to create new actions in the Configuration > Object Web Actions page
Object Web Actions: Edit Grants ability to edit existing actions in the Configuration > Object Web Actions page
Object Web Actions: Delete Grants ability to delete actions in the Configuration > Object Web Actions page
Document Types: Read Grants read-only permission to the Configuration > Document Types page
Document Types: Create Grants ability to create new document types, subtypes, and classifications in the Configuration > Document Types page
Document Types: Edit Grants ability to edit existing document types, subtypes, and classifications in the Configuration > Document Types page
Document Types: Delete Grants ability to delete document types, subtypes, and classifications in the Configuration > Document Types page
Document Fields: Read Grants read-only permission to the Configuration > Document Fields page
Document Fields: Create Grants ability to create new document fields in the Configuration > Document Fields page
Document Fields: Edit Grants ability to edit existing document fields in the Configuration > Document Fields page
Document Fields: Delete Grants ability to delete document fields in the Configuration > Document Fields page
Field Dependencies: Read Grants read-only permission to the Configuration > Field Dependencies page
Field Dependencies: Create Grants ability to create field dependencies in the Configuration > Document Fields page
Field Dependencies: Edit Grants ability to edit existing field dependencies in the Configuration > Document Fields page
Field Dependencies: Delete Grants ability to delete field dependencies in the Configuration > Document Fields page
Field Layout: Read Grants read-only permission to the Configuration > Field Layouts page
Field Layout: Create Grants ability to create new field layouts in the Configuration > Document Fields page
Field Layout: Edit Grants ability to edit existing field layouts in the Configuration > Document Fields page
Field Layout: Delete Grants ability to delete field layouts in the Configuration > Document Fields page
Document Lifecycles: Read Grants read-only permission to Configuration > Document Lifecycles, including all sub-pages (lifecycles, states, etc.)
Document Lifecycles: Create Grants ability to create new items within Configuration > Document Lifecycles including lifecycles, lifecycle states, and workflows
Document Lifecycles: Edit Grants ability to edit existing items within Configuration > Document Lifecycles, including lifecycles, lifecycle states, and workflows
Document Lifecycles: Delete Grants ability to delete existing items within Configuration > Document Lifecycles, including lifecycles, lifecycle states, and workflows
Object Lifecycles: Read Grants read-only permission to Configuration > Object Lifecycles, including all sub-pages (lifecycles, states, etc.)
Object Lifecycles: Create Grants ability to create new items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc.
Object Lifecycles: Edit Grants ability to edit existing items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc.
Object Lifecycles: Delete Grants ability to delete existing items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc.
Object Workflows: Read Grants read-only permission to Configuration > Object Workflows
Object Workflows: Create Grants ability to create new workflows within Configuration > Object Workflows
Object Workflows: Edit Grants ability to edit existing workflows within Configuration > Object Workflows
Object Workflows: Delete Grants ability to delete existing workflows within Configuration > Object Workflows
Document Messages: Read Grants read-only permission to Configuration > Document Messages
Document Messages: Create Grants ability to create new messages within Configuration > Document Messages
Document Messages: Edit Grants ability to edit existing messages within Configuration > Document Messages
Document Messages: Delete Grants ability to delete existing messages within Configuration > Document Messages
Object Messages: Read Grants read-only permission to Configuration > Object > Messages
Object Messages: Create Grants ability to create new messages within Configuration > Object Messages
Object Messages: Edit Grants ability to edit existing messages within Configuration > Object Messages
Object Messages: Delete Grants ability to delete existing messages within Configuration > Object > Messages
Objects: Read Grants read-only permission to Configuration > Objects
Objects: Create Grants ability to create new objects within Configuration > Objects
Objects: Edit Grants ability to edit existing objects within Configuration > Objects
Objects: Delete Grants ability to delete existing objects within Configuration > Objects
Overlays: Read Grants read-only permission to Business Admin > Templates > Overlays
Overlays: Create Grants ability to create new overlay templates within Business Admin > Templates > Overlays
Overlays: Edit Grants ability to edit existing overlay templates within Business Admin > Templates > Overlays
Overlays: Delete Grants ability to delete existing overlay templates within Business Admin > Templates > Overlays
Rendition Types: Read Grants read-only permission to Configuration > Rendition Types
Rendition Types: Create Grants ability to create new rendition types within Configuration > Rendition Types
Rendition Types: Edit Grants ability to edit existing rendition types within Configuration > Rendition Types
Rendition Types: Delete Grants ability to delete existing rendition types within Configuration > Rendition Types
Report Types: Read Grants read-only permission to Configuration > Report Types
Report Types: Create Grants ability to create new report types within Configuration > Report Types
Report Types: Edit Grants ability to edit existing report types within Configuration > Report Types
Report Types: Delete Grants ability to delete existing report types within Configuration > Report Types
Signature & Cover Pages: Read Grants read-only permission to Business Admin > Templates > Signature & Cover Pages
Signature & Cover Pages: Create Grants ability to create new signature page templates within Business Admin > Templates > Signature & Cover Pages
Signature & Cover Pages: Edit Grants ability to edit existing signature page templates within Business Admin > Templates > Signature & Cover Pages
Signature & Cover Pages: Delete Grants ability to delete existing signature page templates within Business Admin > Templates > Signature & Cover Pages
Formatted Output Records: Read Grants read-only permission to Business Admin > Templates > Formatted Outputs
Formatted Output Records: Create Grants ability to create new formatted outputs within Business Admin > Templates > Formatted Outputs
Formatted Output Records: Edit Grants ability to edit existing formatted outputs within Business Admin > Templates > Formatted Outputs
Formatted Output Records: Delete Grants ability to delete existing formatted outputs within Business Admin > Templates > Formatted Outputs
Templates: Read Grants read-only permission to Business Admin > Templates > Documents & Binders
Templates: Create Grants ability to create new document or binder templates within Business Admin > Templates > Documents & Binders
Templates: Edit Grants ability to edit existing document or binder templates within Business Admin > Templates > Documents & Binders
Templates: Delete Grants ability to delete existing document or binder templates within Business Admin > Templates > Documents & Binders
Business Admin Objects: Read Grants the ability to to view and access the Objects tab within Business Admin.
Logs: All Audit Grants ability to view all audit histories in Admin > Logs
Logs: System Audit Grants ability to view System Audit History in Admin > Logs
Logs: Login Audit Grants ability to view Login Audit History in Admin > Logs
Logs: Document Audit Grants ability to view Document Audit History in Admin > Logs
Logs: Object Record Audit Grants ability to view Object Record Audit History in Admin > Logs
Logs: Domain Audit Grants ability to view Domain Audit History in Admin > Logs
Logs: Vault Java SDK Logs Grants ability to view the Vault Java SDK Logs in Admin > Logs, such as the Debug Log and Runtime Log.
Logs: API Usage Grants ability to view API Usage Logs in Admin > Logs
Logs: Collab Auth Error Logs Grants ability to view Collaborative Authoring Error Log in Admin > Logs
Spark Queues: Read Grants read-only permission to Spark queues in Connections > Spark Queues
Spark Queues: Create Grants ability to create Spark queues in Connections > Spark Queues
Spark Queues: Edit Grants ability to edit existing Spark queues in Connections > Spark Queues
Spark Queues: Delete Grants ability to delete Spark queues in Connections > Spark Queues
Spark Queues: Queue Log Grants ability to view the Spark Queue Log in Admin > Logs
Vault Java SDK: Read Grants read permission on components using the Vault Java SDK
Vault Java SDK: Create Grants create permission on components using the Vault Java SDK
Vault Java SDK: Edit Grants edit permission on components using the Vault Java SDK
Vault Java SDK: Delete Grants delete permission on components using the Vault Java SDK
Vault Tokens: Read Grants the ability to view Vaulttoken records using MDL.
Vault Tokens: Create Grants the ability to create Vaulttoken records using MDL.
Vault Tokens: Edit Grants the ability to alter Vaulttoken records using MDL.
Vault Tokens: Delete Grants the ability to drop Vaulttoken records using MDL.
Inbound Email Addresses: Read Grants read-only permission to Configuration > Inbound Email Addresses
Inbound Email Addresses: Create Grants ability to create new addresses in Configuration > Inbound Email Addresses
Inbound Email Addresses: Edit Grants ability to edit existing addresses in Configuration > Inbound Email Addresses
Inbound Email Addresses: Delete Grants ability to delete existing addresses in Configuration > Inbound Email Addresses
Inbound Email Addresses: Email Log Grants ability to view the Email Log in Admin > Logs
Inbound Email Addresses: Reprocess Emails Grants ability to use the Reprocess Emails user action
Inbound Email Addresses: Delete Emails Grants ability to use the Delete Emails user action

Domain Administration

Permission Access Details
Domain Administration: All Domain Admin Grants all permissions related to Domain Administration
Domain Administration: All Domain Admin Read Grants read-only permissions to all Domain Administration areas
Domain Administration: Reset All Passwords Grants permission to reset all user passwords.
Domain Information: Read Grants read-only permission to Settings > Domain Information
Domain Information: Edit Grants edit permission to Settings > Domain Information
SSO Settings: Read Grants read-only permission to Settings > SAML Profiles
SSO Settings: Edit Grants edit permission to Settings > SAML Profiles
Security Policies: Read Grants read-only permission to Settings > Security Policies
Security Policies: Create Grants permission to create new security policies in Settings > Security Policies
Security Policies: Edit Grants permission to edit existing security policies in Settings > Security Policies
Network Access Rules: Read Grants read-only permission to Settings > Network Access Rules
Network Access Rules: Create Grants permission to create new network access rules in Settings > Network Access Rules
Network Access Rules: Edit Grants permission to edit existing network access rules in Settings > Network Access Rules
Network Access Rules: Delete Grants permission to delete existing network access rules in Settings > Network Access Rules

Operations

Permission Access Details
Operations: All Operations Grants all permissions for job scheduler and Rendition Status
Operations: All Operations Read Grants read-only permissions all areas of the Operations tab
Jobs: Read Grants read-only access to Operations > Job Definitions
Jobs: Create Grants ability to create new job definitions
Jobs: Edit Grants ability to edit existing job definitions
Jobs: Delete Grants ability to delete job definitions
Jobs: Interact Grants ability to manage scheduled job instances (start, stop, cancel, etc.)
Renditions: Read Grants read-only access to Operations > Rendition Status
SDK Job Queues: Read Grants read-only permission to SDK job queues in Operations > SDK Job Queues
SDK Job Queues: Create Grants ability to create SDK job queues in Operations > SDK Job Queues
SDK Job Queues: Edit Grants ability to edit SDK job queues in Operations > SDK Job Queues
SDK Job Queues: Delete Grants ability to delete SDK job queues in Operations > SDK Job Queues
Email Notifications: Read Grants permission to view the Operations > Email Notification Status page and the Admin > Operations > Email Suppression List page
Email Notifications: Delete Grants the ability to delete a record from the Email Suppression list

Security

Permission Access Details
Security: All Security Admin Grants all ‘Security’ permissions; individual permissions are explained below.
Security: All Security Admin Read Grants all ‘Read’ permissions in ‘Security’; individual permissions are explained below.
Security Settings: Read Grants read-only access to Settings > Security Settings
Security Settings: Edit Grants edit access to Settings > Security Settings
Users: Read Grants read-only access to Users & Groups > Vault Users
Users: Create Grants access to create new users or add users from another Vault from Users & Groups > Vault Users
Users: Edit Grants access to edit existing users from Users & Groups > Vault Users
Users: Assign Group Grants access to assign users to groups from Users & Groups > Vault Users
Users: Grant Support Login Grants permission to give Vault Support user account access for a specific user from Users & Groups > Vault Users
Users: Delegate Admin Grants permission to give delegate access to another user’s account from Users & Groups > Vault Users
Users: Add Cross-Domain Users Grants permission to add cross-domain users from Users & Groups > Vault Users
Users: Manage User Object Grants ability to create, modify, and add User object records.
Groups: Read Grants read-only access to Users & Groups > Groups
Groups: Create Grants ability to create new groups from Users & Groups > Groups
Groups: Edit Grants ability to edit existing groups from Users & Groups > Groups
Groups: Delete Grants ability to delete existing groups from Users & Groups > Groups
Groups: Assign Users Grants ability to assign users to groups from Users & Groups > Groups
Security Profiles: Read Grants read-only access to Configuration > Security Profiles
Security Profiles: Create Grants ability to create new security profiles from Configuration > Security Profiles
Security Profiles: Edit Grants ability to edit existing security profiles from Configuration > Security Profiles
Security Profiles: Delete Grants ability to delete existing security profiles from Configuration > Security Profiles
Security Profiles: Assign Users Grants ability to assign users to a security profile from Users & Groups > Security Profiles; note that you must also have at least the same permissions as those associated with a security profile to assign users.
Permission Sets: Read Grants read-only access to Configuration > Permission Sets
Permission Sets: Create Grants ability to create new permission sets from Configuration > Security Profiles
Permission Sets: Edit Grants ability to edit existing permission sets from Configuration > Security Profiles
Permission Sets: Delete Grants ability to delete existing permission sets from Configuration > Security Profiles

About

Permission Access Details
About: Vault Information: Read Grants read-only permission to the Admin > About > Vault Information page
About: Domain Information: Read Grants read-only permission to the Admin > About > Domain Information page

Settings

Permission Access Details
Settings: All Settings Edit Grants edit permissions for all pages in Admin > Settings
Settings: All Settings Read Grants read-only permission for all pages in Admin > Settings
General Configuration: Read Grants read-only permission to the Settings > Help Settings page as well as feature enablement
General Configuration: Edit Grants edit permission to the Settings > Help Settings page as well as feature enablement
General Configuration: Read Grants read-only permission to the Settings > General Settings page
General Configuration: Edit Grants edit permission to the Settings > General Settings page
Checkout: Read Grants read-only permission to the Settings > Checkout Settings page
Checkout: Edit Grants edit permission to the Settings > Checkout Settings page
Versioning: Read Grants read-only permission to the Settings > Versioning Settings page
Versioning: Edit Grants edit permission to the Settings > Versioning Settings page
Branding: Read Grants read-only permission to the Settings > Branding Settings page
Branding: Edit Grants edit permission to the Settings > Branding Settings page
Search: Read Grants read-only permission to the Settings > Search Settings page
Search: Edit Grants edit permission to the Settings > Search Settings page
Language: Read Grants read-only permission to the Settings > Language Settings page
Language: Edit Grants edit permission to the Settings > Language Settings page
Application: Read Grants read-only permission to the Settings > Application Settings page
Application: Edit Grants edit permission to the Settings > Application Settings page
Renditions: Read Grants read-only permission to the Settings > Rendition Settings page
Renditions: Edit Grants edit permission to the Settings > Rendition Settings page

Deployment

Permission Access Details
Migration Packages: Create Grants ability to create new outbound Configuration Migration Packages from Admin > Deployment
Migration Packages: Deploy Grants ability to deploy Configuration Migration Packages from Admin > Deployment
Environment: Vault Configuration Report Grants ability to run a Vault Configuration Report from Admin > Deployment
Environment: Vault Comparison Grants ability to use Vault Compare from Admin > Deployment
Sandbox: Read Grants ability to view sandboxes in the Admin > Deployment > Sandbox Vaults page
Sandbox: Create Grants ability to create sandboxes in the Admin > Deployment > Sandbox Vaults page. Also grants the ability to build and promote a pre-production Vault to a production Vault.
Sandbox: Edit Grants ability to edit and refresh sandboxes in the Admin > Deployment > Sandbox Vaults page
Sandbox: Delete Grants ability to delete and refresh sandboxes in the Admin > Deployment > Sandbox Vaults page

Application Permissions

Access to certain Vault-area functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings in Application tab of the Permission Sets page.

There are three layers of security applied to actions. First, you must have a license type that allows the action. For example, the Read-Only User license type does not allow access to reports. Second, you must have a permission set that grants the correct permission. For example, you would need the Read Dashboards and Reports permission to see any dashboard. Third, for document actions, you must have the correct document role-based permissions. For example, even with a permission set that grants the Bulk Update permission, you would also need the Edit Fields permission on any documents that you’re attempting to update in order to perform a bulk document field edit.

Vault Actions

Permission Access Details
Vault Actions: All Vault Actions Grants all 'Vault Actions' permissions; see details for individual permissions below.
Dashboards and Reports: All Grants all 'Dashboard' permissions; see details for individual permissions below.
Dashboards and Reports: Read Dashboards and Reports Grants permission to run any reports that other users have shared with you.
Dashboards and Reports: Create Dashboards Grants permission to create new dashboards and to edit any dashboards that you created or to which other users have given you the Editor role.
Dashboards and Reports: Delete Dashboards Grants permission to delete your own dashboards or dashboards to which other users have given you the Editor role.
Dashboards and Reports: Share Dashboards Grants permission to use the Share action on dashboards that you created or to which other users have given you the Editor role.
Dashboards and Reports: Schedule Reports Grants permission to use the Schedule action to schedule flash reports.
Dashboards and Reports: Administer Dashboards Grants permission to view and edit all dashboards, including dashboards created by another user who has not shared them; note that with this permission, a user may share and delete other users' dashboards.
Dashboards and Reports: Display API Name Dashboards Grants permission to view the API names of dashboards.
Dashboards and Reports: Read Group Membership Grants permission to view reports that contain both users and groups.
Workflow: All Workflow Grants all 'Workflow' permissions; see details below for individual permissions. Note that this does not include 'Workflow Administration' permissions.
Workflow: Start Grants permission to start workflows.
Workflow: Participate Grants permission to participate in workflows. Also grants permission to use VQL to query workflow data. Learn more in the Developer Documentation.
Workflow: Read and Understand Grants permission to participate in Read & Understood workflows.
Workflow: eSignature Grants permission to provide an eSignature as part of a workflow.
Workflow: Query Grants permission to use VQL to query workflow data. Learn more in the Developer Documentation.
Workflow Administration: All Workflow Admin Grants all 'Workflow Administration' permissions; see details below for individual permissions. Note that this does not include 'Workflow' permissions.
Workflow Administration: Cancel Grants permission to cancel any active workflow or open task that you can see, even if you are not the workflow or task owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security.
Workflow Administration: View Active Grants permission to view all active Read & Understood workflows on the document for non-current document versions in Quality Vaults, including those on which you are not a participant.
Workflow Administration: Reassign Grants permission to reassign workflow tasks that are currently assigned to other users, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security.
Workflow Administration: Update Participants Grants permission to add a participant to a workflow, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security.
Workflow Administration: Email Participants Grants permission to email workflow participants, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security. Learn more about Managing Active Document Workflows or Managing Active Object Workflows.
Workflow Administration: Update Workflow Dates Grants permission to update all workflow dates or specific task due dates, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security.
Workflow Administration: Replace Workflow Owner Grants permission to replace the workflow owner on an active workflow.
API: All API Grants all 'API' permissions; see details for individual permissions below.
API: Access API Grants basic permission to complete an API call and download files from the file staging server. Users must have both this permission and File Staging: Access to download files.
API: Events API Grants access to the Events APIs, used in PromoMats Vaults with CLM integration.
API: Metadata API Grants access to metadata APIs, including read and write access to MDL APIs.
API: Direct Data API Grants access to the Direct Data API.
CrossLink: Create CrossLink Grants ability to create a CrossLink document if this functionality is available on your Vault.
Viewer Administration: Manage Tags Grants ability to manage annotation tags.
Viewer Administration: Merge Anchors Grants ability to merge document link anchors.
Viewer Administration Remove Annotations Grants ability to remove annotations brought forward from another version by a different user
Viewer Administration: Manage Anchors Grants ability to bring forward anchors. Brought forward anchors have no inbound references. This permission also grants the ability to move and delete any anchor that does not have an inbound reference, and the ability to edit the name of any anchor.
Document: Cancel Checkout Grants ability to cancel checkout (using the Undo Checkout action) for documents that another user has checked out; note that you must also have the Edit Document role-based permission for a document to perform this action. Document Owners can always cancel checkout if they have the Edit Document role-based permission.
Document: Download Document Grants ability to download document source files; note that you must also have the appropriate role-based permissions for a document to perform this action. This permission does not control access to the Check Out action or the Export Binder action.
Document: Download Rendition Grants ability to download document renditions, including Viewable Rendition and PDF with Annotations; without this permission, you also cannot use the Export Annotations action. Note that you must also have the appropriate role-based permissions for a document to perform this action. This permission does not control access to the Export Binder action.
Document: Bulk Delete Grants ability to perform bulk document deletion; note that you'll also need the correct document role-based permissions to delete a document.
Document: Bulk Update Grants ability to perform bulk document updates; note that you'll also need the correct document role-based permissions to update a document.
Document: Always Allow Unclassified Grants the ability to create unclassified documents even without document creation permission on any document type, except for users with the Read-only license type. Users with Create Document permission on any document types are automatically allowed to create unclassified documents, regardless of this permission.
Document: Vault File Manager Grants ability to check out documents to Vault File Manager using the Check Out to File Manager action or Document Check Out bulk action.
Document: Download Non-Protected Rendition Grants ability to download viewable renditions without any Vault-configured security settings or Vault protection applied.
Object: Bulk Action Grants the ability to perform bulk object record updates; note that you'll also need the correct object role-based permissions to update an object record.
Object: Merge Records Grants the ability to perform record merges; note that you'll also need the correct object role-based permissions to read, update, and delete the object records.
User: Allow As A Delegate Grants the permission to allow a user to be selected as a delegate through the Delegated Access feature.
User: View User Information Grants the ability to view the name and identifying information of other users in this Vault, use the Send as Link action, and view Timeline View and Sharing Settings information on the Doc Info page. Users without this permission may only see the names and identifying details of other users who share the same email domain. For example, Teresa, whose email is tibanez@veepharm.com can see the user information of all @veepharm.com users, but she can't see @medi-review.com users.
User: View User Profile Grants users the ability to view their own user profile and see the User Profile option in their user dropdown menu.
Search: Manage Archives Grants ability to manage search archives; note that this also grants the View Archive permission.
Search: Term Suggestions Grants ability to see search term suggestions. Search term suggestions are not affected by any other permission. For example, a user will see a search term suggestion for "cholecap" even if they don't have access to the "Cholecap" Product.
Search: User Filters Grants ability to see filters on user reference fields when searching for documents or object records, for example, Created By and Last Modified By. This setting is typically disabled for security profiles that apply to sponsors when a CRO wants to hide user information.
Search: View Archive Grants ability to view documents in the archive; note that you'll also need the correct document role-based permissions.
Application: Send to CDN Grants ability to send a document to CDN through a private API; this permission is only used by CRM's conversion tool for integrations and should not be applied to users.
Application: Approved Email Grants ability to use the Create Email Fragment.
Application: Multichannel Loader Ability to access the CRM Publishing and Multichannel Loader tabs; by default, this permission is only granted to users with the standard System Admin or Vault Owner security profiles.
Views: Share Views Grants ability to share custom views with other users.
Views: View Administration Grants ability to:
  • Add a custom view to other users' sidebar and make it non-removable
  • Modify any other mandatory view
  • Delete other users' mandatory views
  • Select custom view icons
  • Delete system-owned views created through cloning (where applicable)
Audit Trail: View Grants ability to access the Audit Trail option for individual documents and object records through the All Actions menu; note that you must also have the appropriate role-based permissions to perform this action.
Audit Trail: Export Grants ability to export a document or object record audit trail; note that you must also have the Audit Trail > View permission before you can export.
File Staging: Access Grants ability to connect to the file staging server and download files extracted using Vault Loader (document source files and renditions). This permission does not grant the ability to upload files to the server or view directories created by other users. Users must have both this permission and API: Access API to download files.
File Staging: Access via Vault File Manager Grants ability to connect to the file staging server and upload files and folders using Vault File Manager. This permission does not grant the ability to upload files to the server or view directories created by other users.
EDL Matching: Run Ability to access the Start Now action on scheduled batch matching job or the Match Documents action on an individual EDL item
EDL Matching: Edit Match Fields Ability to edit the EDL Matching Field picklist on an EDL record
EDL Matching: Edit Document Matches Ability to lock the document version matched with an EDL Item record, exclude or include matched documents in summary fields, and manually match/unmatch documents from an EDL Item
Create Button: Show Create Button Ability to see the Create button on all tabs. This option is turned on by default on all existing standard and custom permission sets and turned off by default on all new custom permission sets.

Vault Owner Actions

These permissions control actions that were previously reserved for users with the Vault Owner user type.

Permission Access Details
Vault Owner Actions: Re-render Grants ability to save page rotations, re-render a document that already has a viewable rendition, and delete a viewable rendition; see related article.
Vault Owner Actions: Power Delete Grants ability delete documents that otherwise could not be deleted, for example, documents in steady state; see related article.
Vault Owner Actions: Vault Loader Grants ability to see and use the Loader tab.
Vault Owner Actions Record Migration Grants ability to load object records (through Vault Loader or API only) in a lifecycle state other than Starting State
Vault Owner Actions: Document Migration Grants ability to apply Document Migration Mode only to a batch of new documents upon creation through Vault Loader or API; see related article.
All Documents: All Document Actions Grants all permissions in ‘All Documents’; see details for individual permissions below.
All Documents: All Document Read Grants view access to all documents, regardless of the document’s Sharing Settings.
All Documents: All Document Create Grants access to create documents or binders for any document type, regardless of document type Create settings
All Object Records: All Object Records Actions Grants access to all permissions in ‘All Object Records’; see details for individual permissions below.
All Object Records: All Object Record Read Grants view access to all object records, regardless of the record’s Sharing Settings.
All Object Records: All Object Record Edit Grants edit access (same as Owner role) to all object records, regardless of the record’s Sharing Settings.
All Object Records: All Object Record Delete Grants delete access to all object records, regardless of the record’s Sharing Settings.
Legal Hold: Apply Grants ability to apply/edit a legal hold to a single document or as a bulk action.
Legal Hold: Remove Grants ability to remove a legal hold from a single document or as a bulk action.
Connections: Manage Connections Grants the ability to view and manage connections in the Connections tab in Vault Admin.
Integrations: Manage Integrations Grants the ability to view and manage integration configuration such as user exception messages, integration rules, and Spark message processors in the Connections tab in Vault Admin.

Client Applications

These permissions control actions related to Veeva Snap.

Permission Access Details
Veeva Snap: Enable Grants ability to upload a document to Vault from the Veeva Snap mobile application.
Veeva Snap: Enable Direct Installation Grants ability to use the public version of Veeva Snap available from the Apple App Store. Without this permission, Vault users must use the Veeva Snap application version provisioned by their organization.

Object Permissions

From the Objects tab, you can assign permission to view, create, edit, and delete object records at the object level. For example, a user could have full permissions to Study Site object records, Edit permission to Study records, Read access to Product records, and no access to Country records. From this tab, you can also set up field-level security, action-level security, and object control-level security on objects.

For each object, you can grant or remove the following permissions:

  • Read: Allows you to view records for the object; see details
  • Create: Allows you to create new object record or to copy an existing record; allows you to access Business Admin > Objects. With this permission, Vault automatically grants Edit permission.
  • Edit: Allows you to edit an existing object record, including adding/deleting/versioning attachments; allows you to access Business Admin > Objects
  • Delete: Allows you to delete an existing object record

Granting these permissions for All Objects means that the permission set will automatically include the permissions for any object created in the future.

Object Control Permissions

You can also modify permissions for object controls from the Objects tab. Object controls are used to control whether users are able to view certain UI elements. Object controls associated with a given object or available to all objects appear under the Object Control Permissions heading.

Unlike object fields or actions, the only permission that you can assign for object controls is View. You can assign this permission on a single control or select All Object Controls. If the object control is associated with an object type, you can only grant View permissions across all object types. You cannot grant View permissions per control per object type.

Dynamic Access Control

Dynamic Access Control interacts with these settings to prevent users from viewing, editing, or deleting specific object records. If an object uses DAC, users must have both the appropriate permission through their security profile and access through the individual object record’s sharing settings. When creating a record, Vault only considers the user’s permission sets.

Tab Permissions

From the Tabs section, you can control what tabs and tab collections a user can view. All standard tabs, custom tabs, and custom tab collections can be configured here. By default, users with the View permission on All tabs can view newly created tabs, and users with the View permission on All Tab Collections can view newly created tab collections.

About the Read Permission

Users must have the Read permission on an object to:

  • View a custom object tab
  • View an object tab in Business Admin
  • See object record details in a hovercard
  • Select an object record when editing document or object fields
  • Create a report using a report type that includes the object
  • View results for a report using a report type that includes the object

Users without this permission can still view object record labels throughout Vault. For example, they can still search for documents using object fields for an object they cannot view.

Pages Permissions

From the Pages section, you can control which application-specific Pages a user can access.

Mobile Permissions

From the Mobile section, you can control which tabs a user can view in Veeva Vault Mobile.

API Permissions

From the API section, you can see which Web API Groups a user can access. Learn more about Web APIs in the Vault Java SDK documentation.

Hidden or Missing Permissions

When you open a permission set, some of the permissions listed above will not appear. If a permission does not appear:

  • The permission is specific to another Vault application or another application family. For example, the permission is specific to RIM and you are in a Clinical Operations Vault.
  • The permission is related to a feature that is not enabled on your Vault. Sometimes, permissions are hidden when the related feature is not enabled.