With Dynamic Access Control, Admins can control user role assignment by managing records in the User Role Setup object. Records in this object correspond to auto-managed groups. User Role Setup object records include a user, role, and several object reference field values that qualify a user’s context for the role.

To provide a more nuanced method of role assignment, you can configure object types on the standard User Role Setup (user_role_setup__v) object. Using object types on User Role Setup allows you to use different sets of five (5) fields for matching rules, instead of a single set of five on the standard object. Unlike creating additional objects using the User Role Setup object class, using object types maintains all of your User Role Setup records within the single object.

How to Enable Object Types for User Role Setup

To enable this feature, you must enable object types on the User Role Setup object. This feature is available only for the standard User Role Setup object (user_role_setup__v), and not any objects you may have created using the User Role Setup object class.

To enable object types:

  1. Navigate to Admin > Configuration > Objects > User Role Setup.
  2. Click Edit.
  3. Select the Enable Object Types checkbox.
  4. Click Save.

Object types are now available for your standard User Role Setup object.

Configuring User Role Setup Object Types

Once you enable object types for User Role Setup, you can configure object types for the standard User Role Setup object. Configuring object types means creating the types and assigning fields to each one. You can create up to two (2) object types for the standard User Role Setup object. Once you create object types for User Role Setup, the base object type (base__v) is disabled.

With object types for User Role Setup, you can use more than the five (5) context field limit for documents by using a different selection of five fields per object type. Simply create the context fields you would like to use, and then assign them to the appropriate object type.

Example: Roles Grouped by Application

Gladys is a system administrator for her organization’s RIM Vault. Her organization uses both RIM Submissions and RIM Registrations. Gladys has been managing users in her Vault with a single User Role Setup object and only five context fields. Because these two RIM applications serve different purposes, she needs to control user access differently across each function.

Gladys can create two object types for User Role Setup, one for each application:

  • Submissions Role Setup
  • Registrations Role Setup

This way, she can use different sets of context fields for each application.

Gladys might create Submissions Role Setup for users working primarily in the Submissions application. For her Submissions users, Gladys wants to restrict access by Submission Type. She can do so by adding a Submission Type context field to her Submissions Role Setup object type. However, Submission Type is not relevant to the Registrations application. Adding Submission Type to the two other object types does not impact the Registrations Role Setup object type’s five context field limit. Gladys can use five entirely different context fields for that object type.

Application Roles & User Role Setup Types

You can choose to assign an Application Role to a specific object type of User Role Setup, or to assign the Application Role to no object types of User Role Setup.

When you create a new Application Role in your Vault, you can select a Standard User Role Setup Type for your role. The options here correspond to the object types you configured on the User Role Setup object. Your selection here creates the relationship between the Application Role and the User Role Setup object type.

Based on this relationship, Vault only displays the appropriate matching fields when you configure a sharing rule for that role.

Configuring Sharing Rules with User Role Setup Types

When you create sharing rules and use User Role Setup object types, first identify which Application Roles correspond to which User Role Setup object types. As you configure sharing rules in your Vault, the Application Role you select during creation determines which matching fields Vault displays. Vault displays the matching fields for the User Role Setup type related to the chosen Application Role.

If an Application Role has no Standard User Role Setup Type selected, Vault does not display any matching fields.
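
The relationship described above between Application Roles, User Role Setup object types, and matching fields can be reviewed offline against an export of the configuration. The following is an added example, not Veeva code and not a Vault API call: it models the rules stated on this page (two object types, five context fields per type, no matching fields for a role with no type selected) over constructed data. All type, role, and field names are hypothetical, and treating a record whose object type differs from its role's type as a finding is an assumption of this example.

```python
MAX_TYPES = 2            # page: up to two object types on user_role_setup__v
MAX_CONTEXT_FIELDS = 5   # page: five context fields per object type
# Constructed sample configuration; every type, role and field name is hypothetical.
OBJECT_TYPES = {
    "submissions_role_setup__c": ["submission_type__c", "product__c", "country__c"],
    "registrations_role_setup__c": ["registration_type__c", "country__c"],
}
# Application Role -> Standard User Role Setup Type (None = none selected)
APP_ROLES = {
    "submissions_editor__c": "submissions_role_setup__c",
    "registrations_viewer__c": "registrations_role_setup__c",
    "auditor__c": None,
}
URS_RECORDS = [
    {"id": "URS-1", "user": "gladys", "role": "submissions_editor__c",
     "object_type": "submissions_role_setup__c", "context": {"submission_type__c": "Original"}},
    {"id": "URS-2", "user": "omar", "role": "registrations_viewer__c",
     "object_type": "submissions_role_setup__c",   # type does not match the role
     "context": {"submission_type__c": "Variation"}},
    {"id": "URS-3", "user": "lee", "role": "auditor__c",
     "object_type": "registrations_role_setup__c", "context": {"country__c": "DE"}},
]

def matching_fields(role, app_roles=APP_ROLES, object_types=OBJECT_TYPES):
    """Matching fields offered for a sharing rule on `role`; empty if no type is selected."""
    return list(object_types.get(app_roles.get(role), []))

def audit(object_types=OBJECT_TYPES, app_roles=APP_ROLES, records=URS_RECORDS):
    """Return (subject, issue) findings for a human reviewer."""
    findings = []
    if len(object_types) > MAX_TYPES:
        findings.append(("object types", "more than two configured"))
    for name, fields in object_types.items():
        if len(fields) > MAX_CONTEXT_FIELDS:
            findings.append((name, "more than five context fields"))
    for rec in records:
        usable = set(matching_fields(rec["role"], app_roles, object_types))
        role_type = app_roles.get(rec["role"])
        if role_type is not None and rec["object_type"] != role_type:
            findings.append((rec["id"], "record type differs from the role's type"))
        unused = sorted(set(rec["context"]) - usable)
        if unused:
            findings.append((rec["id"], "context not matchable for role: " + ", ".join(unused)))
    return findings

if __name__ == "__main__":
    for subject, issue in audit():
        print(f"{subject}: {issue}")
```
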

You can complete the steps described in this article with the standard System Admin and Vault Owner security profiles.

If your Vault uses custom security profiles, your profile must include the following permissions:

Type | Permission | Controls
Security Profile | Admin: Objects: Edit | Ability to edit objects in Admin > Configuration > Objects.
Security Profile | Objects: User Role Setup: Create, Edit | Ability to create and edit object records for the User Role Setup object.
Security Profile | Objects: Application Role: Create, Edit | Ability to create and edit object records for the Application Role object.