Sandbox Vaults are copies of your production Vault, which your organization can use to develop and test configuration changes, data migrations, and integrations, without affecting your production Vault and users. Sandbox Vaults are critical to an effective change control process. Creating a sandbox for a new project and refreshing your sandboxes often will help your organization avoid issues and delays when deploying changes in production.

Vault Admins can create, refresh, and delete sandboxes through the Admin UI or API. Sandbox administration options are available from the production Vault.

When you log into sandbox Vaults, they will have a green banner to help you distinguish between your sandbox and production Vaults.

The green Vault header in a sandbox Vault.

You can remove this styling using the SBX button next to the Vault logo. Once removed, you must log out and log back in to get the styling back. Refreshing the page also returns the styling. This can be useful for taking screenshots in your sandbox Vaults when you want to simulate a user’s actual experience.

Sandbox Domains

Veeva provides one sandbox domain and one production domain. UAT Vaults should be in the sandbox domain. If you are testing domain-level settings, Veeva can provide an additional domain for that purpose.

Sandbox Sizes & Limits

Sandbox Vaults are available in the following sizes with corresponding limits:

  • Small: Allows 100,000 total object records and 10,000 document versions
  • Medium: Allows 1,000,000 total object records and 100,000 document versions
  • Large: Allows 10,000,000 total object records and 1,000,000 document versions
  • Very Large: Allows 100,000,000 total object records and 10,000,000 document versions
  • Extra Large: Allows 500,000,000 total object records and 50,000,000 document versions
  • Full: Allows the same number of total object records and document versions as the production domain

The limit on total object records excludes system-managed object records and configuration data. Sandbox Vaults that exceed these limits are blocked from creating new object records or documents. To remove this block, delete object records or document versions. Admins can then recheck usage values to ensure the Vault is compliant.

There is a limit of 5GB of document templates, both active and inactive, per sandbox Vault. If you clone a Vault with more than 5GB, the resulting sandbox will not have any document templates copied to it.

Sandbox Expiration

Small sandboxes automatically expire after 30 days of inactivity. Vault sends an email warning to Vault Owners twice before sandbox deletion. Blocked or inactive sandbox Vaults display a warning on the Name field on the Admin > Deployment > Sandbox Vaults page of the parent Vault.

Viewing Usage Details

To view the usage details for a specific sandbox Vault, navigate to Admin > Deployment > Sandbox Vaults and click the Vault name. The limit usage values that appear here update once every 24 hours.

The usage details of a sandbox Vault.

To view the usage details of the sandbox Vault you’re currently logged into, navigate to Admin > Settings and view the License Information. The limit usage values that appear here are initially zero (0) when you create or refresh the Vault. Click Recheck Usage to recalculate usage values. This action can be initiated up to three (3) times in a 24-hour period.

To view the specific objects and document versions that are consuming data, navigate to Admin > Settings > Vault Data Usage Information.

Creating Sandbox Vaults

Customers are entitled to four (4) Small, two (2) Medium, and one (1) Full configuration sandbox Vaults for every production Vault. If you require more sandboxes, you can place an add-on order with Veeva’s finance team. Sandbox Vaults are always in your sandbox domain.

How to Create Vaults

To create a new sandbox Vault:

  1. In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
  2. Under Active Sandbox Vaults, click Create.
  3. Select whether to create a sandbox From Vault or From Snapshot. See details about sandbox snapshots.
  4. Enter a Name for the new sandbox. See details for Vault names.
  5. Select Configuration as the Type. At this time, this is the only sandbox type available.
  6. Select a Size. See details about sandbox sizes and limits.
  7. Select a Release. See details about sandbox release versions.
  8. Select a Domain for the new Vault. In most cases, there will only be one domain available.
  9. Optional: Clear the Vault Owner: Current User checkbox. See details about adding Vault owners.
  10. Click Finish.
  11. Optional: If the source Vault contains more than 5GB of document templates, Vault displays a warning. Click Continue to proceed without copying any document templates, or Cancel to stop the sandbox creation process.
  12. The creation process generally takes less than one (1) hour, but may take up to eight (8) hours. When complete, Vault sends you a notification.

Vault Name

When creating a new sandbox, the Name value must follow these rules:

  • Must be unique across all sandbox Vaults for the current Vault and all Vaults in the domain; note that you may not be able to view all Vaults in the domain.
  • Special characters do not make the name unique, for example, UAT:Sandbox and UAT-Sandbox won’t count as unique names
  • Names are not case sensitive, for example, UAT_Sandbox and uat_sandbox won’t count as unique names

Add Current User as Vault Owner

The Vault Owner: Current User setting adds the Vault Admin creating the sandbox as a Vault Owner in the sandbox Vault, using Cross-Domain User functionality. If you do not enable this setting, the Domain Admin users in the sandbox domain will become Vault Owners in the sandbox Vault.

Managing Sandbox Allowances

Manage sandbox allowances across all your sandboxes, including those created from another sandbox.

The Available Sandbox Vaults section lists the following sandbox limits and allowances:

  • Size: The sandbox size available.
  • Available: The total number of sandboxes available for creation or for granting to another sandbox allowance.
  • Allowed: The total number of sandbox entitlements granted to the current Vault.
  • Temporary: If enabled, any temporary sandbox allowances.

The Active Sandbox Vaults section provides sandbox details for all current sandboxes of which the current Vault is a direct or indirect parent, including those created from within a source other than the current sandbox.

How to Set Sandbox Allowances

You can only manage sandboxes created from the current (logged-in) Vault. Sandboxes cloned from other sandboxes are available for login and viewing only. To set allowances for a sandbox:

  1. In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
  2. Under Active Sandbox Vaults, find the Vault you want to modify the allowances for. From the Actions menu on the Name field, select Set Allowance.
  3. Select the action to take, either Grant or Revoke.
  4. Select the allowance size from the drop-down and enter the number of allowances to grant or revoke. The number of available allowances is shown below the input field.
  5. Optional: When granting allowances, check Use Temporary Allowance to create allowances out of your pool if temporary allowances are enabled in your Vault.

How to Change Sandbox Size

A Vault Admin can convert a sandbox from one size to another if there are sufficient allowances and the current sandbox meets the data and user limits of the requested size.

To change the size of a sandbox:

  1. In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
  2. Under Active Sandbox Vaults, find the Vault you want to change the size for. From the Actions menu on the Name field, select Change Size.
  3. Select the Requested Size. The Available Sandbox Vaults section shows the number of sandboxes available by size. If a requested size has no sandboxes available, you are unable to save your selection.
  4. Click Save. Vault immediately changes the size of the sandbox and enforces the limits associated with the new size. This change does not affect existing data and configuration.

To change the sizes of multiple sandboxes:

  1. In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
  2. From the Actions menu for Active Sandbox Vaults, select Change Sandbox Sizes.
  3. Select the Requested Size for each sandbox. The Available Sandbox Vaults section shows the number of sandboxes available by size. If a requested size has no sandboxes available, you are unable to save your selection.
  4. Click Save. Vault immediately changes the size of the sandbox and enforces the limits associated with the new size. This change does not affect existing data and configuration.

How Configuration Copying Works

When creating or refreshing a sandbox, Vault copies (clones) the configuration from your production Vault. The following are not included:

  • Documents
  • Object records for certain objects (This list varies by application. You can find the list for your application in the Data Usage Information section of the Admin > Settings > General Settings page. This list is subject to change without notice.)
  • Users (Groups are included in the configuration copy, but user membership is not.)
  • Auto Managed Groups where the Allow selection in configurations setting is not enabled
  • Domain-level settings, such as SSO and security policies
  • User-specific security overrides (We recommend configuring security overrides using groups, not individual users.)
  • Submission data in RIM Submissions Archive Vaults (The final dossier must be imported separately.)

You can recreate most of the excluded items in the new sandbox Vault using Configuration Migration Packages and Vault Loader.

You may also need to re-establish your Vault’s connection records.

Currently Processing Error

In some cases, attempting to create or refresh a sandbox will result in the following error:

Vault is currently processing a separate action. Please try sandboxing again later.

This occurs when the Vault is in the process of enabling or upgrading a feature. During this process, we block any configuration cloning actions in order to prevent invalid configurations in the sandbox. We suggest waiting 20 to 60 minutes and trying again. If this error persists for more than 90 minutes, contact Veeva Support.

Refreshing Sandbox Vaults

Refreshing an existing sandbox Vault overwrites the sandbox configuration with the latest configuration from the source Vault. Refreshing a sandbox does not delete or overwrite its existing snapshots. See the above section for a list of items that Vault excludes during sandbox creation and refresh.

How often a sandbox can be refreshed depends on its size:

  • Small: Up to five (5) times in a 24-hour period
  • Medium: Once in a 24-hour period
  • Large: Once in a 24-hour period
  • Very Large: Once in a 24-hour period
  • Extra Large: Once in a 24-hour period
  • Full: Once in a 24-hour period

A sandbox can be refreshed from any snapshot built from:

  • The sandbox being refreshed
  • The parent Vault of the sandbox being refreshed
  • The source Vault of the snapshot used to build the sandbox being refreshed

How to Refresh Vaults

To refresh a Vault:

  1. In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
  2. Under Active Sandbox Vaults, find the Vault you need to refresh. Click the Actions menu on the Name field and choose Refresh from Vault or Refresh from Snapshot. See details about sandbox snapshots.
  3. If you select Refresh from Vault, a message appears to warn you that refreshing deletes the Vault’s current configuration. If you select Refresh from Snapshot, choose a snapshot in the dialog from which to refresh your Vault and click Continue. A message appears to warn you that refreshing deletes the Vault’s current configuration. Click Continue to start the refresh process. The refresh process generally takes less than one (1) hour but may take up to eight (8) hours. When complete, Vault sends you a notification.

Overwriting Configuration

There is no way to retrieve configurations, data, or documents from a previous version of the sandbox Vault after refreshing, however, you can create a Test Data package to export configurations and object data before refreshing your sandbox and import the package after refreshing.

As with creating new sandboxes, Vault does not include users from the production Vault when refreshing. However, Vault does preserve Vault membership from the previous sandbox configuration, so you do not need to re-add the users who previously had access.

Refreshing removes all files from the file staging server.

Sandbox Users

Sandbox users with assigned security profiles that exist in the production Vault retain their access rights after a refresh.

Users with assigned security profiles that do not exist in the production Vault do not get added automatically after a refresh. Vault owners must add those users manually, and select a new security profile at that time.

When refreshing a sandbox, only domain-level User fields retain their values. Administers should review and set User record fields on the refreshed sandbox as needed.

Deleting Sandbox Vaults

Existing sandbox Vaults may be deleted unless the sandbox is a source Vault for a different sandbox. In most cases, you would refresh a sandbox Vault, rather than deleting. Deleting is only required if you need a sandbox with a different name or need to remove all existing sandbox users. Deleting a sandbox Vault also deletes any snapshots created from this Vault. Deleted sandboxes cannot be recovered.

How often a sandbox can be deleted depends on its size:

  • Small: Unlimited
  • Medium: Once in a 24-hour period
  • Large: Once in a 24-hour period
  • Very Large: Once in a 24-hour period
  • Extra Large: Once in a 24-hour period
  • Full: Once in a 30-day period

How to Delete Vaults

To delete a Vault:

  1. In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
  2. Under Active Sandbox Vaults, find the Vault you need to delete. From the Actions menu of the Name field, choose Delete.
  3. A message appears to warn you that you cannot recover a deleted Vault. Click Continue to start the deletion process. The delete process may take several minutes. When complete, Vault sends you a notification.

Linked Vault File Staging Servers

Some Vaults are set up with “linked” File Staging Servers, meaning that the sandbox shares a File Staging Server with another Vault. File Staging Servers are only linked by customer request through Veeva Support. If your sandbox has a linked File Staging Server, you will need to contact Veeva Support to unlink the sandbox from the shared File Staging Server before you can delete the Vault.

Granting Access to Sandbox Vaults

When creating a new sandbox, you have the option to add the current user with the Vault Owner profile. See Add Current User as Vault Owner. These Vault Owner users can configure access for other users. Users with the appropriate access can also remove the automatically added Vault Owners if needed.

User access works as it does in production Vaults: Admins can add entirely new users, grant access to existing domain users, or add cross-domain users.

Logging into Sandbox Vaults

Users with access to a Sandbox Vault can log into the sandbox using the same Login page as the production Vault. Production Vault Owners, or Admins with appropriate permissions, can also log into the sandbox from the Admin area:

  1. In the production Vault, navigate to Admin > Deployment > Sandbox Vaults.
  2. Under Active Sandbox Vaults, use the gear icon on the Name field to open the action menu and choose Log in for the appropriate sandbox.
  3. Enter valid sandbox user credentials on the Login page.

Sandbox Release Versions

In general, sandboxes have the same release version as the production Vault. However, some organizations with General Release Vaults have options for creating a sandbox using a Limited Release version. Each Limited Release version sandbox Vault counts toward the total configuration sandboxes allowed per production Vault.

This feature allows customers the ability to manage their own Limited Release sandbox to proactively assess new functionality ahead of each General Release. For example, an Admin in a 21R1 General Release Vault could create a sandbox that uses the 21R1.2 Limited Release version.

By default, administration options for sandbox Vaults are only available to Vault Owners. To grant access to other users, use a custom security profile with the following permissions:

Type Permission Label Controls
Security Profile Admin: Sandbox: Read Ability to view sandboxes in the Admin > Deployment > Sandbox Vaults page
Security Profile Admin: Sandbox: Create Ability to create sandboxes in the Admin > Deployment > Sandbox Vaults page
Security Profile Admin: Sandbox: Edit Ability to edit and refresh sandboxes in the Admin > Deployment > Sandbox Vaults page
Security Profile Admin: Sandbox: Delete Ability to delete and refresh sandboxes in the Admin > Deployment > Sandbox Vaults page