# Managing Security Profiles & Permission Sets

Security profiles are the primary way that Vault applies permission sets to individual users. Permission sets grant users the ability to view or edit certain Admin areas, or to access certain end user features. This article explains how to create and manage custom profiles and custom permission sets.

Vault includes standard security profiles and permission sets that are not editable, but also allows Admins to create and manage custom profiles and sets. You can create up to 100 custom security profiles. Standard security profiles do not count towards this limit.

If your organization is not using a certain standard security profile, you can change its status to _Inactive_. This option is not available for standard permission sets.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: When implementing any custom security or access control, Admins should perform User Acceptance Testing before making changes on a production site. Some changes can affect application-specific functionality in ways that make Vault difficult to use.</p>
    </div>
  </div>
</div>



## Role Permissions

To avoid complex security profile configurations, you can use an alternate method of [assigning permission sets via user roles](/en/lr/69197/). This is helpful when users may require varying permission sets based on training or process ownership. Role permissions do not replace security profiles, instead acting as additional incremental permissions through role assignment.

## How to Create New Profiles

To create a new profile:

  1. From **Admin > Users & Groups > Security Profiles**, click **Create**.
  2. Optional: Set the status to **Inactive** if the profile should not be assigned to users yet.
  3. Enter a **Name** for the profile and a **Description**.
  4. Click **Save**.
  5. Open the security profile and click **Add** to assign a permission set to the profile. Choose to add an existing set or create a new set.
  6. If adding an existing set, select it from the dialog's picklist and click **OK**. If creating a new set, see [below][4] for details.
  7. Optional: Add additional permission sets. Clear a selected permission set by hovering over the set's name, then choosing **Remove** from the actions (gear) menu.

## How to Create Profiles by Copying

To create a new security profile by copying an existing profile:

  1. From **Admin > Users & Groups > Security Profiles**, hover over the original profile's name and select **Make a Copy** from the actions (gear) menu.
  2. Choose whether to also copy linked permission sets. If you choose **OK**, Vault creates a copy of each linked set. If you choose **No**, Vault automatically links the new security profile to the same permission sets as the original profile.
  3. Optional: Set the status to **Inactive** if the profile should not be assigned to users yet.
  4. Update the **Name** and **Description** for the profile.
  5. Click **Save**. Vault will prevent you from saving the copied security profile if the original profile includes permission sets with permissions that you do not have.
  6. Optional: Open the security profile to add or remove permission sets. Clear a selected permission set by hovering over the set's name, then choosing **Remove** from the actions (gear) menu. Add a set by clicking **Add** and choosing to add an existing set or create a new set.

## How to Edit Profiles {#edit_profiles}

You can edit a security profile by opening it from **Admin** > **Users & Groups** > **Security Profiles**. Click **Edit** to modify the security profile's basic details or activate/deactivate the profile. (You cannot deactivate a profile that has users assigned.) You can add permission sets to a profile using the **Add** drop-down menu. To remove a permission set, hover over the set's name and choose **Remove** from the actions (gear) menu. Permission sets on security profiles are sorted alphabetically.

For standard security profiles, the only editing option available is deactivating the profile.

## How to Assign Users to Security Profiles {#assign}

When editing users, there are various ways that you can [assign users to security profiles](/en/lr/953/). This article covers assigning users from inside the security profile.

To assign users to a security profile:

  1. From **Admin > Users & Groups > Security Profiles**, click into the profile. Open the **Users** tab.
  2. Click **Edit Members**.
  3. In the dialog, add a user by clicking the green plus (**+**) icon. Remove a user by clicking the red minus icon. If needed, you can search for users and filter on various criteria. When finished, click **Close**.

## How to Create New Permission Sets {#create_permission_set}

To create a new permission set:

  1. From **Admin > Users & Groups > Permission Sets**, click **Create**.
  2. Optional: Set the status to **Inactive** if the permission set should not be assigned to security profiles yet.
  3. Enter a **Name** for the permission set and a **Description**.
  4. Click **Save**.
  5. Open the permission set.
  6. Navigate to the **Admin**, **Application**, **Objects** or **Tab** section and click **Edit**.
  7. Add permissions to the permission set by selecting their checkbox. For details on each permission, see [About Permission Sets](/en/lr/22824/). When you finish with the permissions on one tab, click **Save**. Vault will prevent you from saving if you've added a permission that you do not have.
  8. Repeat this process for the **Admin**, **Application**, **Object**, and **Tab** sections.
  9. When finished, you can add the permission set to one or more security profiles. See details [above][8].

## How to Create Permission Sets by Copying {#copy_permission_set}

To create a new permission set by copying an existing set:

  1. From **Admin > Users & Groups > Permission Sets**, hover over the original permission set's name and select **Make a Copy** from the actions (gear) menu.
  2. Optional: Set the status to **Inactive** if the permission set should not be assigned to security profiles yet.
  3. Update the **Name** and **Description** for the permission set.
  4. Click **Save**. Vault will prevent you from saving the copied permission set if the original set includes a permission that you do not have.
  5. Open the permission set.
  6. Navigate to the **Admin**, **Application**, or **Object** tab and click **Edit**.
  7. Add permissions to the permission set by selecting their checkbox. For details on each permission, see [About Permission Sets](/en/lr/22824/). When you finish with the permissions on one tab, click **Save**. Vault will prevent you from saving if you've added a permission that you do not have.
  8. Repeat this process for the **Admin**, **Application**, and **Object** tabs.
  9. When finished, you can add the permission set to one or more security profiles. See details [above][8].

## How to Edit Permission Sets {#how_to_edit_permission_sets}

You can edit a custom permission set by opening it from **Admin > Users & Groups > Permission Sets**. Click **Edit** to modify the permission set's basic details or activate/deactivate it.

You cannot deactivate a permission set that is assigned to a security profile, even if the profile is inactive. Change the permissions granted by the set by opening the appropriate tab (**Admin**, **Application**, **Objects**) and clicking **Edit**.

You cannot edit standard permission sets.

## Related Permissions {#related-permissions}

The following permissions control your access to manage security profiles:

|**Permission**                          |**Access Details**          |
|--- |--- |
|_Admin: Security Profiles: Create_      |Allows you to create a new security profile or make a copy of an existing profile. Without the _Edit_ permission, you cannot make changes to the profile after creating it.|
|_Admin: Security Profiles: Edit_        |Allows you to open and edit an existing security profile.|
|_Admin: Security Profiles: Delete_      |Allows you to delete an existing custom security profile.|
|_Admin: Security Profiles: Assign Users_|Allows you to assign users to a security profile.|
|_Admin: Permission Sets: Create_        |Allows you to create or copy permission sets. When copying profiles, Vault prompts you to also copy permission sets; you can only do that with this permission.|
|_Admin: Permission Sets: Edit_          |Allows you to open and edit an existing permission set.|
|_Admin: Permission Sets: Delete_        |Allows you to delete an existing custom security profile.|

Vault also prevents you from performing various actions that would grant permissions that you do not have. The blocked actions include:

  * Assigning a permission set to a security profile if you do not have all permissions in that permission set.
  * Copying a security profile that includes a permission set with permissions that you do not have.
  * Assigning users to a security profile that includes a permission set with permissions you do not have.
  * Saving a permission set that contains permissions you do not have. This applies when creating a new permission set or editing an existing set.
  * Copying a permission set that contains permissions you do not have.

### Restricted Vault Owner Profile & Permission Set

You must have the standard [_Vault Owner_](/en/lr/31186/) security profile to:

  * Copy or edit the _Vault Owner_ profile
  * Copy the [_Vault Owner Actions_](/en/lr/22824/#vault-owner-actions) permission set

 [4]: #create_permission_set
 [8]: #edit_profiles