Sandbox Vaults are copies of your production Vault, which your organization can use to develop and test configuration changes, data migrations, and integrations, without affecting your production Vault and users. Sandbox Vaults are critical to an effective change control process. Creating a sandbox for a new project and refreshing your sandboxes often will help your organization avoid issues and delays when deploying changes in production.
Vault Admins can create, refresh, and delete sandboxes through the Admin UI or API. Sandbox administration options are available from the production Vault.
When you log into sandbox Vaults, they will have a green banner to help you distinguish between your sandbox and production Vaults.
You can remove this styling using the SBX button next to the Vault logo. Once removed, you must log out and log back in to get the styling back. Refreshing the page also returns the styling. This can be useful for taking screenshots in your sandbox Vaults when you want to simulate a user’s actual experience.
Note: For production Vaults granted temporary sandboxes on top of their sandbox limit, Veeva will begin deleting sandboxes that have exceeded their expiration date starting September 1, 2024.
With 24R3, the Admin > Deployment > Sandbox Vaults page will display a warning when a Veeva Vault service enhancement is underway. During this time, creating or refreshing your Sandbox Vault may take longer than usual. All other Vault features will remain fully operational.
Sandbox Domains
Veeva provides one sandbox domain and one production domain. UAT Vaults should be in the sandbox domain. If you are testing domain-level settings, Veeva can provide an additional domain for that purpose.
Sandbox Sizes & Limits
Sandbox Vaults are available in the following sizes with corresponding limits:
- Small: Allows 100,000 total object records and 10,000 document versions
- Medium: Allows 1,000,000 total object records and 100,000 document versions
- Large: Allows 10,000,000 total object records and 1,000,000 document versions
- Very Large: Allows 100,000,000 total object records and 10,000,000 document versions
- Extra Large: Allows 500,000,000 total object records and 50,000,000 document versions
- Full: Allows the same number of total object records and document versions as the production domain
The limit on total object records excludes system-managed object records and configuration data. Sandbox Vaults that exceed these limits are blocked from creating new object records or documents. To remove this block, delete object records or document versions. Admins can then recheck usage values to ensure the Vault is compliant.
There is a limit of 5GB of document templates, both active and inactive, per sandbox Vault. If you clone a Vault with more than 5GB, the resulting sandbox will not have any document templates copied to it.
Sandbox Expiration
Small sandboxes automatically expire after 30 days of inactivity. Vault sends an email warning to Vault Owners twice before sandbox deletion. Blocked or inactive sandbox Vaults display a warning on the Name field on the Admin > Deployment > Sandbox Vaults page of the parent Vault.
Viewing Usage Details
To view the usage details for a specific sandbox Vault, navigate to Admin > Deployment > Sandbox Vaults and click the Vault name. The limit usage values that appear here update once every 24 hours.
To view the usage details of the sandbox Vault you’re currently logged into, navigate to Admin > Settings and view the License Information. The limit usage values that appear here are initially zero (0) when you create or refresh the Vault. Click Recheck Usage to recalculate usage values. This action can be initiated up to 100 times in a 24-hour period.
To view the specific objects and document versions that are consuming data, navigate to Admin > Settings > Vault Data Usage Information.
Creating Sandbox Vaults
Customers are entitled to four (4) Small, two (2) Medium, and one (1) Full configuration sandbox Vaults for every production Vault. If you require more sandboxes, you can place an add-on order with Veeva’s finance team. Sandbox Vaults are always in your sandbox domain.
How to Create Vaults
To create a new sandbox Vault:
- In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
- Under Active Sandbox Vaults, click Create.
- Select whether to create a sandbox From Vault or From Snapshot. See details about sandbox snapshots.
- Enter a Name for the new sandbox. See details for Vault names.
- Select Configuration as the Type. At this time, this is the only sandbox type available.
- Select a Size. See details about sandbox sizes and limits.
- Select a Release. See details about sandbox release versions.
- Select a Domain for the new Vault. In most cases, there will only be one domain available.
- Optional: Clear the Vault Owner: Current User checkbox. See details about adding Vault owners.
- Click Finish.
- Optional: If the source Vault contains more than 5GB of document templates, Vault displays a warning. Click Continue to proceed without copying any document templates, or Cancel to stop the sandbox creation process.
- The creation process generally takes less than one (1) hour, but may take up to eight (8) hours. When complete, Vault sends you a notification.
Vault Name
When creating a new sandbox, the Name value must follow these rules:
- Must be unique across all sandbox Vaults for the current Vault and all Vaults in the domain; note that you may not be able to view all Vaults in the domain.
- Special characters do not make the name unique, for example, UAT:Sandbox and UAT-Sandbox won’t count as unique names
- Names are not case sensitive, for example, UAT_Sandbox and uat_sandbox won’t count as unique names
Add Current User as Vault Owner
The Vault Owner: Current User setting adds the Vault Admin creating the sandbox as a Vault Owner in the sandbox Vault, using Cross-Domain User functionality. If you do not enable this setting, the Domain Admin users in the sandbox domain will become Vault Owners in the sandbox Vault.
Managing Sandbox Allowances
Manage sandbox allowances across all your sandboxes, including those created from another sandbox.
The Available Sandbox Vaults section lists the following sandbox limits and allowances:
- Size: The sandbox size available.
- Available: The total number of sandboxes available for creation or for granting to another sandbox allowance.
- Allowed: The total number of sandbox entitlements granted to the current Vault.
- Temporary: If enabled, any temporary sandbox allowances.
The Active Sandbox Vaults section provides sandbox details for all current sandboxes of which the current Vault is a direct or indirect parent, including those created from within a source other than the current sandbox.
How to Set Sandbox Allowances
You can only manage sandboxes created from the current (logged-in) Vault. Sandboxes cloned from other sandboxes are available for login and viewing only. To set allowances for a sandbox:
- In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
- Under Active Sandbox Vaults, find the Vault you want to modify the allowances for. From the Actions menu on the Name field, select Set Allowance.
- Select the action to take, either Grant or Revoke.
- Select the allowance size from the drop-down and enter the number of allowances to grant or revoke. The number of available allowances is shown below the input field.
- Optional: When granting allowances, check Use Temporary Allowance to create allowances out of your pool if temporary allowances are enabled in your Vault.
How to Change Sandbox Size
A Vault Admin can convert a sandbox from one size to another if there are sufficient allowances and the current sandbox meets the data and user limits of the requested size.
To change the size of a sandbox:
- In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
- Under Active Sandbox Vaults, find the Vault you want to change the size for. From the Actions menu on the Name field, select Change Size.
- Select the Requested Size. The Available Sandbox Vaults section shows the number of sandboxes available by size. If a requested size has no sandboxes available, you are unable to save your selection.
- Click Save. Vault immediately changes the size of the sandbox and enforces the limits associated with the new size. This change does not affect existing data and configuration.
To change the sizes of multiple sandboxes:
- In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
- From the Actions menu for Active Sandbox Vaults, select Change Sandbox Sizes.
- Select the Requested Size for each sandbox. The Available Sandbox Vaults section shows the number of sandboxes available by size. If a requested size has no sandboxes available, you are unable to save your selection.
- Click Save. Vault immediately changes the size of the sandbox and enforces the limits associated with the new size. This change does not affect existing data and configuration.
How Configuration Copying Works
When creating or refreshing a sandbox, Vault copies (clones) the configuration from your production Vault.
The outline of components below is meant to guide your organization’s sandboxing or go-live strategy, however it is not exhaustive. We always recommend consulting your Vault’s configuration and comparison reports to ensure all Vault functionality appears as expected in the target Vault.
Included Components
Note: As described here, it is possible for an included component to be inactivated once cloned, or have other aspects of its configuration function differently than it does in the source Vault. Your organization’s implementation strategy should include steps to ensure these items are addressed.
- Reports and Flash Reports are included. However, during copying (cloning), flash reports are converted to normal reports and must be rescheduled. During a refresh, Vault deactivates a flash report’s scheduled job, which you can reactivate in Admin > Operations > Job Definitions.
- Jobs are included with their Status set to inactive. This is to prevent any jobs from running before an Admin adds users and content.
- Custom views
- Document Templates are included. However, Vault converts Controlled Document Templates to Basic Document Templates, as controlled templates rely upon documents in the Vault Library, which are excluded. See details on converting a document template from basic to controlled once the controlled template’s document is in your Vault Library.
- Overlays
- Signature pages
- Formatted Outputs
- Custom Sharing Rules
- Groups are included, however its user membership is not. Auto Managed Groups are excluded.
- Vault Connections are included, however you will need to re-establish the connection.
Excluded Components
Vault excludes the following components when creating or refreshing a sandbox:
- Documents
- Object records for certain objects. This list varies by application and is subject to change without notice. You can find the list for your application in the Data Usage Information section of the Admin > Settings > General Settings page.
- Users and Auto Managed Groups, which rely upon User and User Role Setup records.
- Domain-level settings, such as SSO and security policies
- Annotation Tags
- User-specific Security Overrides are excluded. We recommend configuring security overrides using groups instead of individual users.
- Submission data in RIM Submissions Archive Vaults. The final dossier must be imported separately.
You can recreate most of the excluded items in the new Vault using Configuration Migration Packages and Vault Loader.
Currently Processing Error
In some cases, attempting to create or refresh a sandbox will result in the following error:
Vault is currently processing a separate action. Please try sandboxing again later.
This occurs when the Vault is in the process of enabling or upgrading a feature. During this process, we block any configuration cloning actions in order to prevent invalid configurations in the sandbox. We suggest waiting 20 to 60 minutes and trying again. If this error persists for more than 90 minutes, contact Veeva Support.
Refreshing Sandbox Vaults
Refreshing an existing sandbox Vault overwrites the sandbox configuration with the latest configuration from the source Vault. Refreshing a sandbox does not delete or overwrite its existing snapshots. See the above section for a list of items that Vault excludes during sandbox creation and refresh.
How often a sandbox can be refreshed depends on its size:
- Small: Up to five (5) times in a 24-hour period
- Medium: Once in a 24-hour period
- Large: Once in a 24-hour period
- Very Large: Once in a 24-hour period
- Extra Large: Once in a 24-hour period
- Full: Once in a 24-hour period
A sandbox can be refreshed from any snapshot built from:
- The sandbox being refreshed
- The parent Vault of the sandbox being refreshed
- The source Vault of the snapshot used to build the sandbox being refreshed
How to Refresh Vaults
To refresh a Vault:
- In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
- Under Active Sandbox Vaults, find the Vault you need to refresh. Click the Actions menu on the Name field and choose Refresh from Vault or Refresh from Snapshot. See details about sandbox snapshots.
- If you select Refresh from Vault, a message appears to warn you that refreshing deletes the Vault’s current configuration. If you select Refresh from Snapshot, choose a snapshot in the dialog from which to refresh your Vault and click Continue. A message appears to warn you that refreshing deletes the Vault’s current configuration. Click Continue to start the refresh process. The refresh process generally takes less than one (1) hour but may take up to eight (8) hours. When complete, Vault sends you a notification.
Note: In certain circumstances, you may exceed your allowance on the number of sandboxes for the current Vault. If this happens, your allowance will show a negative number and you will not be able to refresh any sandbox Vault. You must delete one or more sandbox Vaults to enable the refresh option.
Overwriting Configuration
There is no way to retrieve configurations, data, or documents from a previous version of the sandbox Vault after refreshing, however, you can create a Test Data package to export configurations and object data before refreshing your sandbox and import the package after refreshing.
As with creating new sandboxes, Vault does not include users from the production Vault when refreshing. However, Vault does preserve Vault membership from the previous sandbox configuration, so you do not need to re-add the users who previously had access.
Refreshing removes all files from the file staging server.
Sandbox Users
Sandbox users with assigned security profiles that exist in the production Vault retain their access rights after a refresh.
Users with assigned security profiles that do not exist in the production Vault do not get added automatically after a refresh. Vault owners must add those users manually, and select a new security profile at that time.
When refreshing a sandbox, only domain-level User fields retain their values. Administers should review and set User record fields on the refreshed sandbox as needed.
Deleting Sandbox Vaults
Existing sandbox Vaults may be deleted unless the sandbox is a source Vault for a different sandbox. In most cases, you would refresh a sandbox Vault, rather than deleting. Deleting is only required if you need a sandbox with a different name or need to remove all existing sandbox users. Deleting a sandbox Vault also deletes any snapshots created from this Vault. Deleted sandboxes cannot be recovered.
How often a sandbox can be deleted depends on its size:
- Small: Unlimited
- Medium: Once in a 24-hour period
- Large: Once in a 24-hour period
- Very Large: Once in a 24-hour period
- Extra Large: Once in a 24-hour period
- Full: Once in a 30-day period
How to Delete Vaults
To delete a Vault:
- In your production Vault, navigate to Admin > Deployment > Sandbox Vaults.
- Under Active Sandbox Vaults, find the Vault you need to delete. From the Actions menu of the Name field, choose Delete.
- A message appears to warn you that you cannot recover a deleted Vault. Click Continue to start the deletion process. The delete process may take several minutes. When complete, Vault sends you a notification.
Note: If Retain Snapshots when Deleting a Sandbox is enabled (Admin > Settings > Sandbox), selecting the Delete action opens a dialog that asks you to run the Change Source Sandbox action to retain any snapshots of the sandbox. Click Skip and Delete to delete the sandbox along with its associated snapshots or click Go to Snapshots to perform the Change Source Sandbox action. After changing the source sandbox, return to this page to continue deleting the sandbox Vault.
Linked Vault File Staging Servers
Some Vaults are set up with “linked” File Staging Servers, meaning that the sandbox shares a File Staging Server with another Vault. File Staging Servers are only linked by customer request through Veeva Support. If your sandbox has a linked File Staging Server, you will need to contact Veeva Support to unlink the sandbox from the shared File Staging Server before you can delete the Vault.
Granting Access to Sandbox Vaults
When creating a new sandbox, you have the option to add the current user with the Vault Owner profile. See Add Current User as Vault Owner. These Vault Owner users can configure access for other users. Users with the appropriate access can also remove the automatically added Vault Owners if needed.
User access works as it does in production Vaults: Admins can add entirely new users, grant access to existing domain users, or add cross-domain users.
Note: Sandbox Vaults may appear unavailable or show an error immediately after creation or refresh. This indicates that the Vault is still indexing, meaning that sessions and cookies are cleared. Wait five (5) minutes and refresh your browser.
Logging into Sandbox Vaults
Users with access to a Sandbox Vault can log into the sandbox using the same Login page as the production Vault. Production Vault Owners, or Admins with appropriate permissions, can also log into the sandbox from the Admin area:
- In the production Vault, navigate to Admin > Deployment > Sandbox Vaults.
- Under Active Sandbox Vaults, use the gear icon on the Name field to open the action menu and choose Log in for the appropriate sandbox.
- Enter valid sandbox user credentials on the Login page.
Sandbox Release Versions
In general, sandboxes have the same release version as the production Vault. However, some organizations with General Release Vaults have options for creating a sandbox using a Limited Release version. Each Limited Release version sandbox Vault counts toward the total configuration sandboxes allowed per production Vault.
This feature allows customers the ability to manage their own Limited Release sandbox to proactively assess new functionality ahead of each General Release. For example, an Admin in a 21R1 General Release Vault could create a sandbox that uses the 21R1.2 Limited Release version.
Related Permissions
By default, administration options for sandbox Vaults are only available to Vault Owners. To grant access to other users, use a custom security profile with the following permissions:
Type | Permission Label | Controls |
Security Profile | Admin: Sandbox: Read | Ability to view sandboxes in the Admin > Deployment > Sandbox Vaults page |
Security Profile | Admin: Sandbox: Create | Ability to create sandboxes in the Admin > Deployment > Sandbox Vaults page |
Security Profile | Admin: Sandbox: Edit | Ability to edit and refresh sandboxes in the Admin > Deployment > Sandbox Vaults page |
Security Profile | Admin: Sandbox: Delete | Ability to delete and refresh sandboxes in the Admin > Deployment > Sandbox Vaults page |