In Vault, permission sets are a way to group permissions together. Security profiles then use the permission sets to grant or restrict users’ access to certain features, particularly system administration functions such as user management or object record creation. For example, the permission sets applied to the IT Administrator security profile allow users with that profile to manage users and groups, but not studies and sites.
Accessing Permission Set Configuration
To configure permission sets, you must have the Admin: Permission Sets: Read, Create, Edit, and Delete permissions.
With the right access, you can manage permission sets from Admin > Users & Groups > Permission Sets.
You can only grant permissions that you also have. For example, if you do not have any of the Vault Owner Actions section permissions, you cannot turn those permissions on when editing a permission set.
About ‘All’ Permissions
Throughout the permission sets configuration, there are permissions like All Configuration and All Audit. Granting these permissions gives users all permissions under them. However, this functions differently from simply selecting each sub-permission. If a future release of Vault adds new permissions to an area, permission sets with the ‘All’ permission will automatically select those new permissions.
About Permission Dependencies
Granting certain permissions automatically grants additional permissions. When editing, these dependent permissions will be greyed out as long as their controlling permission is selected.
For example, when you grant the Custom Actions > Delete permission, you automatically grant the Custom Actions > Edit permission.
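The three rules above ('All' permissions that pick up new permissions in later releases, dependent permissions, and granting only what you hold) can be checked together when reviewing permission sets. The following is an added example, not Vault code: the catalogs, the permission set names, the "Hypothetical Feature > Edit" permission, and all function names are assumptions, and the grant rule is modelled as a subset check on resolved permissions.

```python
# Illustrative model only. Permission names are taken from the page; the
# catalogs, data structures and function names are assumptions.

# Constructed catalogs: permissions that exist per area in two releases.
CATALOG_NOW = {
    "Configuration": {
        "Custom Actions > Read", "Custom Actions > Create",
        "Custom Actions > Edit", "Custom Actions > Delete",
        "Login Message > Read", "Login Message > Edit",
    },
    "Logs": {"Logs > System Audit", "Logs > Login Audit"},
}
# A later release adds one permission (hypothetical name) to Configuration.
CATALOG_NEXT = {
    **CATALOG_NOW,
    "Configuration": CATALOG_NOW["Configuration"] | {"Hypothetical Feature > Edit"},
}

# 'All' permissions and the area each one covers.
ALL_PERMISSIONS = {
    "Configuration > All Configuration": "Configuration",
    "Logs > All Audit": "Logs",
}

# Controlling permission -> permissions it grants automatically.
DEPENDENCIES = {"Custom Actions > Delete": {"Custom Actions > Edit"}}


def effective_permissions(selected, catalog):
    """Resolve what a permission set actually grants in a given release."""
    granted = set()
    for perm in selected:
        area = ALL_PERMISSIONS.get(perm)
        if area is not None:
            # An 'All' grant is evaluated against whatever the area holds now.
            granted |= catalog.get(area, set())
        else:
            granted.add(perm)
    # Follow dependencies until nothing new is added.
    pending = list(granted)
    while pending:
        for dep in DEPENDENCIES.get(pending.pop(), ()):
            if dep not in granted:
                granted.add(dep)
                pending.append(dep)
    return granted


def release_drift(selected, before, after):
    """Permissions a set gains across releases with no admin edit."""
    return effective_permissions(selected, after) - effective_permissions(selected, before)


def blocked_grants(editor_selected, requested, catalog):
    """Requested permissions the editing admin does not hold themselves."""
    return (effective_permissions(requested, catalog)
            - effective_permissions(editor_selected, catalog))


def review(permission_sets, before, after):
    """Map each permission set whose access changes on upgrade to its gains."""
    findings = {}
    for name, selected in permission_sets.items():
        drift = release_drift(selected, before, after)
        if drift:
            findings[name] = sorted(drift)
    return findings


# Constructed permission sets: one uses the 'All' grant, one ticks every box.
PERMISSION_SETS = {
    "config-all": {"Configuration > All Configuration"},
    "config-explicit": set(CATALOG_NOW["Configuration"]),
    "actions-cleanup": {"Custom Actions > Read", "Custom Actions > Delete"},
}

if __name__ == "__main__":
    print(review(PERMISSION_SETS, CATALOG_NOW, CATALOG_NEXT))
    print(sorted(effective_permissions(PERMISSION_SETS["actions-cleanup"], CATALOG_NOW)))
    print(sorted(blocked_grants(PERMISSION_SETS["actions-cleanup"],
                                {"Logs > All Audit"}, CATALOG_NOW)))
```

Only the permission set that uses the 'All' grant changes across the two catalogs, which is why 'All' grants are worth listing separately in an access review.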
Admin Permissions
Access to administrator-type functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings in the Admin tab of the Permission Sets page.
Note that in addition to license type, security profile, and permission set, some access is controlled by the Domain Admin user setting.
Configuration
Permission
Access Details
Configuration > All Configuration
Grants all ‘Configuration’ permissions; individual permissions are explained below.
Configuration > All Configuration Read
Grants all ‘Read’ permissions in ‘Configuration’; individual permissions are explained below.
Email Settings > Read
Grants read-only permission to the Configuration > Email Settings page
Email Settings > Edit
Grants edit permission to the Configuration > Email Settings page
Login Message > Read
Grants read-only permission to the Configuration > Login Message page
Login Message > Edit
Grants edit permission to the Configuration > Login Message page
Business Admin Menu > Read
Grants read-only permission to Configuration > Business Admin Menu
Business Admin Menu > Edit
Grants edit permission to Configuration > Business Admin Menu
Picklist > Read
Grants read-only permission to the Business Admin > Picklist page
Picklist > Edit
Grants edit permission to the Business Admin > Picklist page
User Account Emails > Read
Grants read-only permission to the Configuration > User Account Emails page
User Account Emails > Edit
Grants edit permission to the Configuration > User Account Emails page
Custom Actions > Read
Grants read-only permission to the Configuration > Custom Actions page
Custom Actions > Create
Grants ability to create new custom actions in the Configuration > Custom Actions page
Custom Actions > Edit
Grants ability to edit existing custom actions in the Configuration > Custom Actions page
Custom Actions > Delete
Grants ability to delete custom actions in the Configuration > Custom Actions page
Document Types > Read
Grants read-only permission to the Configuration > Document Types page
Document Types > Create
Grants ability to create new document types, subtypes, and classifications in the Configuration > Document Types page
Document Types > Edit
Grants ability to edit existing document types, subtypes, and classifications in the Configuration > Document Types page
Document Types > Delete
Grants ability to delete document types, subtypes, and classifications in the Configuration > Document Types page
Document Fields > Read
Grants read-only permission to the Configuration > Document Fields page
Document Fields > Create
Grants ability to create new document fields in the Configuration > Document Fields page
Document Fields > Edit
Grants ability to edit existing document fields in the Configuration > Document Fields page
Document Fields > Delete
Grants ability to delete document fields in the Configuration > Document Fields page
Field Dependencies > Read
Grants read-only permission to the Configuration > Field Dependencies page
Field Dependencies > Create
Grants ability to create field dependencies in the Configuration > Document Fields page
Field Dependencies > Edit
Grants ability to edit existing field dependencies in the Configuration > Document Fields page
Field Dependencies > Delete
Grants ability to delete field dependencies in the Configuration > Document Fields page
Field Layouts > Read
Grants read-only permission to the Configuration > Field Layouts page
Field Layouts > Create
Grants ability to create new field layouts in the Configuration > Document Fields page
Field Layouts > Edit
Grants ability to edit existing field layouts in the Configuration > Document Fields page
Field Layouts > Delete
Grants ability to delete field layouts in the Configuration > Document Fields page
Document Lifecycles > Read
Grants read-only permission to Configuration > Document Lifecycles, including all sub-pages (lifecycles, states, etc.)
Document Lifecycles > Create
Grants ability to create new items within Configuration > Document Lifecycles including lifecycles, lifecycle states, and workflows
Document Lifecycles > Edit
Grants ability to edit existing items within Configuration > Document Lifecycles, including lifecycles, lifecycle states, and workflows
Document Lifecycles > Delete
Grants ability to delete existing items within Configuration > Document Lifecycles, including lifecycles, lifecycle states, and workflows
Object Lifecycles > Read
Grants read-only permission to Configuration > Object Lifecycles, including all sub-pages (lifecycles, states, etc.)
Object Lifecycles > Create
Grants ability to create new items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc.
Object Lifecycles > Edit
Grants ability to edit existing items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc.
Object Lifecycles > Delete
Grants ability to delete existing items within Configuration > Object Lifecycles, including lifecycles, lifecycle states, etc.
Messages > Read
Grants read-only permission to Configuration > Messages
Messages > Create
Grants ability to create new messages within Configuration > Messages
Messages > Edit
Grants ability to edit existing messages within Configuration > Messages
Messages > Delete
Grants ability to delete existing messages within Configuration > Messages
Objects > Read
Grants read-only permission to Configuration > Objects
Objects > Create
Grants ability to create new objects within Configuration > Objects
Objects > Edit
Grants ability to edit existing objects within Configuration > Objects
Objects > Delete
Grants ability to delete existing objects within Configuration > Objects
Overlays > Read
Grants read-only permission to Business Admin > Overlays
Overlays > Create
Grants ability to create new overlay templates within Business Admin > Overlays
Overlays > Edit
Grants ability to edit existing overlay templates within Business Admin > Overlays
Overlays > Delete
Grants ability to delete existing overlay templates within Business Admin > Overlays
Rendition Types > Read
Grants read-only permission to Configuration > Rendition Types
Rendition Types > Create
Grants ability to create new rendition types within Configuration > Rendition Types
Rendition Types > Edit
Grants ability to edit existing rendition types within Configuration > Rendition Types
Rendition Types > Delete
Grants ability to delete existing rendition types within Configuration > Rendition Types
Report Types > Read
Grants read-only permission to Configuration > Report Types
Report Types > Create
Grants ability to create new report types within Configuration > Report Types
Report Types > Edit
Grants ability to edit existing report types within Configuration > Report Types
Report Types > Delete
Grants ability to delete existing report types within Configuration > Report Types
Signature Pages > Read
Grants read-only permission to Business Admin > Signature Pages
Signature Pages > Create
Grants ability to create new signature page templates within Business Admin > Signature Pages
Signature Pages > Edit
Grants ability to edit existing signature page templates within Business Admin > Signature Pages
Signature Pages > Delete
Grants ability to delete existing signature page templates within Business Admin > Signature Pages
Templates > Read
Grants read-only permission to Business Admin > Documents & Binders
Templates > Create
Grants ability to create new document or binder templates within Business Admin > Documents & Binders
Templates > Edit
Grants ability to edit existing document or binder templates within Business Admin > Documents & Binders
Templates > Delete
Grants ability to delete existing signature page templates within Business Admin > Signature Pages
Logs > All Audit
Grants ability to view all audit histories in Admin > Logs
Logs > System Audit
Grants ability to view System Audit History in Admin > Logs
Logs > Login Audit
Grants ability to view Login Audit History in Admin > Logs
Logs > Document Audit
Grants ability to view Document Audit History in Admin > Logs
Logs > Object Record Audit
Grants ability to view Object Record Audit History in Admin > Logs
Logs > Domain Audit
Grants ability to view Domain Audit History in Admin > Logs
Domain Administration
Note that users must have the Domain Admin setting, in addition to these permissions, to manage domain-level settings.
Permission
Access Details
Domain Administration > All Domain Admin
Grants all permissions related to Domain Administration
Domain Administration > All Domain Admin Read
Grants read-only permissions to all Domain Administration areas
Domain Administration > Reset All Passwords
Grants permission to reset all user passwords
Domain Information > Read
Grants read-only permission to Settings > Domain Information
Domain Information > Edit
Grants edit permission to Settings > Domain Information
SSO Settings > Read
Grants read-only permission to Settings > Single Sign-On Settings
SSO Settings > Edit
Grants edit permission to Settings > Single Sign-On Settings
Security Policies > Read
Grants read-only permission to Settings > Security Policies
Security Policies > Create
Grants permission to create new security policies in Settings > Security Policies
Security Policies > Edit
Grants permission to edit existing security policies in Settings > Security Policies
Network Access Rules > Read
Grants read-only permission to Settings > Network Access Rules
Network Access Rules > Create
Grants permission to create new network access rules in Settings > Network Access Rules
Network Access Rules > Edit
Grants permission to edit existing network access rules in Settings > Network Access Rules
Network Access Rules > Delete
Grants permission to delete existing network access rules in Settings > Network Access Rules
Operations
Permission
Access Details
Operations > All Operations
Grants all permissions for the job scheduler
Operations > All Operations Read
Grants read-only permissions to all areas of the Operations tab
Jobs > Read
Grants read-only access to Operations > Job Definitions
Jobs > Create
Grants ability to create new job definitions
Jobs > Edit
Grants ability to edit existing job definitions
Jobs > Delete
Grants ability to delete job definitions
Jobs > Interact
Grants ability to manage scheduled job instances (start, stop, cancel, etc.)
Security
Permission
Access Details
Security > All Security Admin
Grants all ‘Security’ permissions; individual permissions are explained below.
Security > All Security Admin Read
Grants all ‘Read’ permissions in ‘Security’; individual permissions are explained below.
Security Settings > Read
Grants read-only access to Settings > Security Settings
Security Settings > Edit
Grants edit access to Settings > Security Settings
Users > Read
Grants read-only access to Users & Groups > Users
Users > Create
Grants access to create new users or add users from another vault from Users & Groups > Users
Users > Edit
Grants access to edit existing users from Users & Groups > Users
Users > Assign Group
Grants access to assign users to groups from Users & Groups > Users
Users > Grant Support Login
Grants permission to give Vault Support user account access for a specific user from Users & Groups > Users
Users > Delegate Admin
Grants permission to give delegate access to another user’s account from Users & Groups > Users
Groups > Read
Grants read-only access to Users & Groups > Groups
Groups > Create
Grants ability to create new groups from Users & Groups > Groups
Groups > Edit
Grants ability to edit existing groups from Users & Groups > Groups
Groups > Delete
Grants ability to delete existing groups from Users & Groups > Groups
Groups > Assign Users
Grants ability to assign users to groups from Users & Groups > Groups
Security Profiles > Read
Grants read-only access to Configuration > Security Profiles
Security Profiles > Create
Grants ability to create new security profiles from Configuration > Security Profiles
Security Profiles > Edit
Grants ability to edit existing security profiles from Configuration > Security Profiles
Security Profiles > Delete
Grants ability to delete existing security profiles from Configuration > Security Profiles
Security Profiles > Assign Users
Grants ability to assign users to a security profile from Users & Groups > Security Profiles; note that you must also have at least the same permissions as those associated with a security profile to assign users.
Permission Sets > Read
Grants read-only access to Configuration > Permission Sets
Permission Sets > Create
Grants ability to create new permission sets from Configuration > Security Profiles
Permission Sets > Edit
Grants ability to edit existing permission sets from Configuration > Security Profiles
Permission Sets > Delete
Grants ability to delete existing permission sets from Configuration > Security Profiles
Settings
Permission
Access Details
Settings > All Settings Edit
Grants edit permissions for all pages in Admin > Settings
Settings > All Settings Read
Grants read-only permission for all pages in Admin > Settings
General Information > Read
Grants read-only permission to the Settings > Help Settings page, as well as Vault Information, License Information, and API Information
General Information > Edit
Grants edit permission to the Settings > Help Settings page, as well as Vault Information, License Information, and API Information
General Configuration > Read
Grants read-only permission to the Settings > General Settings page
General Configuration > Edit
Grants edit permission to the Settings > General Settings page
Checkout > Read
Grants read-only permission to the Settings > Checkout Settings page
Checkout > Edit
Grants edit permission to the Settings > Checkout Settings page
Versioning > Read
Grants read-only permission to the Settings > Versioning Settings page
Versioning > Edit
Grants edit permission to the Settings > Versioning Settings page
Branding > Read
Grants read-only permission to the Settings > Branding Settings page
Branding > Edit
Grants edit permission to the Settings > Branding Settings page
Language > Read
Grants read-only permission to the Settings > Language Settings page
Language > Edit
Grants edit permission to the Settings > Language Settings page
Application > Read
Grants read-only permission to the Settings > Application Settings page
Application > Edit
Grants edit permission to the Settings > Application Settings page
Renditions > Read
Grants read-only permission to the Settings > Rendition Settings page
Renditions > Edit
Grants edit permission to the Settings > Rendition Settings page
Application Permissions
Access to certain Vault-area functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings in the Application tab of the Permission Sets page.
There are three layers of security applied to actions. First, you must have a license type that allows the action. For example, the Read-Only User license type does not allow access to reports. Second, you must have a permission set that grants the correct permission. For example, you would need the Read Run Reports permission to run any report. Third, for document actions, you must have the correct document role-based permissions. For example, even with a permission set that grants the Bulk Update permission, you would also need the Edit Fields permission on any documents that you’re attempting to update in order to perform a bulk document field edit.
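The layering described above can be modelled to show which layer refuses an action and which permission-set grants can never take effect under a given license. This is an added example, not Vault code: the license, permission, and Edit Fields names come from the page, while the action keys, the "Full User" license name, the "View Document" role permission, the users, and the document IDs are assumptions.

```python
# Illustrative model only. License, permission and Edit Fields names come
# from the page; action keys, users, documents and other names are constructed.
from dataclasses import dataclass, field

# Layer 1: actions a license type rules out (the one pairing the page gives).
LICENSE_DENIES = {"Read-Only User": {"run_report"}}

# Layers 2 and 3: the permission-set permission and, for document actions,
# the role-based permission needed on every targeted document.
ACTIONS = {
    "run_report": ("Reporting > Read Run Reports", None),
    "bulk_update_fields": ("Library > Bulk Update", "Edit Fields"),
}


@dataclass
class User:
    license_type: str
    permissions: set
    doc_roles: dict = field(default_factory=dict)  # doc id -> role permissions


def first_denial(user, action, doc_ids=()):
    """Return (layer, detail) for the first layer that refuses, else None."""
    permission, doc_permission = ACTIONS[action]
    if action in LICENSE_DENIES.get(user.license_type, set()):
        return ("license type", user.license_type)
    if permission not in user.permissions:
        return ("permission set", permission)
    if doc_permission:
        missing = sorted(d for d in doc_ids
                         if doc_permission not in user.doc_roles.get(d, set()))
        if missing:
            return ("document role", missing)
    return None


def dead_grants(user):
    """Permission-set grants that can never take effect under the license."""
    blocked = LICENSE_DENIES.get(user.license_type, set())
    return sorted(ACTIONS[a][0] for a in blocked if ACTIONS[a][0] in user.permissions)


# Constructed users. "Full User" is an assumed name for a license type that
# does not restrict these actions.
viewer = User("Read-Only User", {"Reporting > Read Run Reports"})
editor = User("Full User", {"Library > Bulk Update"},
              {"DOC-1": {"View Document", "Edit Fields"}, "DOC-2": {"View Document"}})

if __name__ == "__main__":
    print(first_denial(viewer, "run_report"))
    print(first_denial(editor, "run_report"))
    print(first_denial(editor, "bulk_update_fields", ["DOC-1", "DOC-2"]))
    print(first_denial(editor, "bulk_update_fields", ["DOC-1"]))
    print(dead_grants(viewer))
```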
Vault Actions
Permission
Access Details
Vault Actions > All Vault Actions
Grants all ‘Vault Actions’ permissions; see details for individual permissions below.
Reporting > All Reports
Grants all ‘Reporting’ permissions; see details for individual permissions below.
Reporting > Read Run Reports
Grants permission to run any reports that other users have shared with you.
Reporting > Create
Grants permission to create new reports and to edit any reports that you created or to which other users have given you the Editor role.
Reporting > Delete
Grants permission to delete your own reports or reports to which other users have given you the Editor role.
Reporting > Share
Grants permission to use the Share action on reports that you created or to which other users have given you the Editor role.
Reporting > Administer
Grants permission to view and edit all reports, including reports created by another user who has not shared them; note that with this permission, a user may share and delete other users’ reports.
Workflow > All Workflow
Grants all ‘Workflow’ permissions; see details below for individual permissions. Note that this does not include ‘Workflow Administration’ permissions.
Workflow > Start
Grants permission to start workflows.
Workflow > Participate
Grants permission to participate in workflows.
Workflow > Read and Understand
Grants permission to participate in Read & Understood workflows.
Workflow > eSignature
Grants permission to provide an eSignature as part of a workflow.
Workflow Administration > All Workflow Admin
Grants all ‘Workflow Administration’ permissions; see details below for individual permissions. Note that this does not include ‘Workflow’ permissions.
Workflow Administration > Cancel
Grants permission to cancel any workflow that you can see, even if you are not the workflow owner.
Workflow Administration > View Active
Grants permission to view all active workflows, including those on which you are not a participant.
Workflow Administration > Reassign
Grants permission to reassign workflow tasks that are currently assigned to other users, even if you are not the workflow owner.
Workflow Administration > Add Participant
Grants permission to add a participant to a workflow, even if you are not the workflow owner.
Workflow Administration > Update Workflow Dates
Grants permission to update all workflow dates or specific task due dates, even if you are not the workflow owner.
API > All API
Grants all ‘API’ permissions; see details for individual permissions below.
API > Access API
Grants basic permission to complete an API call.
API > Events API
Grants access to the Events APIs, used in PromoMats vaults with CLM integration.
API > Metadata API
Grants access to metadata APIs.
CrossLink > Create CrossLink
Grants ability to create a CrossLink document if this functionality is available on your vault.
Viewer Administration > Manage Tags
Grants ability to manage annotation tags
Viewer Administration > Merge Anchors
Grants ability to merge document link anchors
Viewer Administration > Remove Annotations
Grants ability to remove annotations brought forward from another version by a different user
Document > Cancel Checkout
Grants ability to cancel checkout (using the Undo Checkout action) for documents that another user has checked out; note that you must also have the Edit Document role-based permission for a document to perform this action.
Document > Download Document
Grants ability to download document source files; note that you must also have the appropriate role-based permissions for a document to perform this action. This permission does not control access to the Check Out action or the Export Binder action.
Document > Bulk Delete
Grants ability to perform bulk document deletion; note that you’ll also need the correct document role-based permissions to delete a document.
Document > Download Rendition
Grants ability to download document renditions, including Viewable Rendition and PDF with Annotations; without this permission, you also cannot use the Export Annotations action. Note that you must also have the appropriate role-based permissions for a document to perform this action. This permission does not control access to the Export Binder action.
Document > Upload Unclassified
Grants the ability to create unclassified documents even without document creation permission on any document type, except for users with the Read-only license type. Users with Create Document permission on any document types are automatically allowed to create unclassified documents, regardless of this permission.
Search > Term Suggestions
Grants ability to see search term suggestions. Search term suggestions are not affected by any other permission. For example, a user will see a search term suggestion for “cholecap” even if they don’t have access to the “Cholecap” Product.
Application > Send to CDN
Grants ability to send a document to CDN through a private API; this permission is only used by CRM’s conversion tool for integrations and should not be applied to users.
Application > Approved Email
Grants ability to use the Create Email Fragment user action
Application > Multichannel Loader
Ability to access the CRM Publishing and Multichannel Loader tabs; by default, this permission is only granted to users with the standard System Admin or Vault Owner security profiles.
Library > Bulk Update
Grants ability to perform bulk document actions; note that you’ll also need the correct document role-based permissions to complete these actions.
Views > Share Views
Grants ability to share custom views with other users.
Views > Make Mandatory
Grants ability to add a custom view to other users’ sidebar and make it non-removable; also grants ability to delete other users’ mandatory views. In vaults that include system-owned views created through cloning, this permission also grants the ability to delete those.
Audit Trail > View
Grants ability to access the Audit Trail option for individual documents and object records through the actions menu; note that you must also have the appropriate role-based permissions to perform this action.
Audit Trail > Export
Grants ability to export a document or object record audit trail; note that you must also have the Audit Trail > View permission before you can export.
RIM SubmissionsArchive > Import
Grants ability to import submission documents in RIM SubmissionsArchive vaults and to remove imported submission documents; you must also have the appropriate permissions on the Submissions object and on the specific object record.
RIM SubmissionsArchive > Export
Grants ability to export submission documents in RIM SubmissionsArchive vaults; you must also have the appropriate permissions on the Submissions object and on the specific object record.
FTP Staging > Download
Grants ability to connect to the FTP staging server and download files extracted using Vault Loader (document source files and renditions). This permission does not grant the ability to upload files to the server or view directories created by other users.
EDL Matching > Run
Ability to access the Start Now action on a scheduled batch matching job or the Match Documents action on an individual EDL item
EDL Matching > Edit Match Fields
Ability to edit the EDL Matching Field picklist on an EDL record
Vault Owner Actions
These permissions control actions that were previously reserved for users with the Vault Owner user type.
Permission
Access Details
Vault Owner Actions > Re-render
Grants ability to re-render a document that already has a viewable rendition
Vault Owner Actions > Power Delete
Grants ability to delete documents that otherwise could not be deleted, for example, documents in steady state
Vault Owner Actions > Vault Loader
Grants ability to see and use the Loader tab.
All Documents > All Document Actions
Grants all permissions in ‘All Documents’; see details for individual permissions below.
All Documents > All Document Read
Grants view access to all documents, regardless of the document’s Sharing Settings
All Documents > All Document Create
Grants access to create documents or binders for any document type, regardless of document type Create settings
All Object Records > All Object Records Actions
Grants access to all permissions in ‘All Object Records’; see details for individual permissions below.
All Object Records > All Object Record Read
Grants view access to all object records, regardless of the record’s Sharing Settings
All Object Records > All Object Record Edit
Grants edit access (same as Owner role) to all object records, regardless of the record’s Sharing Settings
All Object Records > All Object Record Delete
Grants delete access to all object records, regardless of the record’s Sharing Settings
Object Permissions
From the Objects tab, you can assign permission to view, create, edit, and delete object records at the object level. For example, a user could have full permissions to Study Site object records, Edit permission to Study records, Read access to Product records, and no access to Country records.
For each object, you can grant or remove the following permissions:
Read: Allows you to view records for the object; see details
Create: Allows you to create a new object record or to copy an existing record
Edit: Allows you to edit an existing object record, including adding/deleting/versioning attachments
Delete: Allows you to delete an existing object record
Granting these permissions for All Objects means that the permission set will automatically include the permissions for any object created in the future.
Note that Custom Sharing Rules interacts with these settings to prevent users from viewing, editing, or deleting specific object records. If an object uses Custom Sharing Rules, users must have both the appropriate permission through their security profile and access through the individual object record’s sharing settings. When creating a record, Vault only considers the user’s permission sets.
Tab Permissions
From the Tabs section, you can control what tabs a user can view. All standard and custom tabs can be configured here. If a user has the View permission on All Tabs, they can view newly created tabs by default.
About the Read Permission
Users must have the Read permission on an object to:
View a custom object tab
View an object tab in Business Admin
See object record details in a hovercard
Select an object record when editing document or object fields
Create a report using a report type that includes the object
View results for a report using a report type that includes the object
Users without this permission can still view object record labels throughout Vault. For example, they can still search for documents using object fields for an object they cannot view.