# Configuring Atomic Security for Content Plan Actions (RIM)

RIM Submissions Vaults include standard object actions for performing a variety of content planning tasks, including:

* Accessing and navigating the [Content Plan Hierarchy Viewer](/en/lr/59502/)
* Matching documents in the Content Plan Hierarchy Viewer, including during match document mode and via drag and drop
* Dispatching [Global Content Plans](/en/lr/77854/)
* [Comparing and synchronizing Global Content Plans](/en/lr/77853/)

While the linked pages above provide specific configuration details for these features, this page describes how Vault enforces [Atomic Security](/en/lr/47850/ ) for content planning actions generally.


## How Content Plans Use Atomic Security & Application Roles

A user's ability to perform content planning tasks is controlled by *Execute* access to an object action, within both the user's assigned permission set and the object lifecycle state(s) which use the action. 

For example, the *Add Document* action controls a user's ability to drag and drop a document for matching in the Content Plan Hierarchy Viewer. Therefore, at minimum:

* The user's assigned permission set must include *Execute* access via the *Content Plan Item* object's Object Action Permissions. 
* The relevant *Content Plan Item* object lifecycle states must be configured with *Execute* as the default Atomic Security: Actions permission.

If the default Atomic Security configuration within an object lifecycle is too permissive, actions can be further secured with an Application Role. For example, in lieu of the object lifecycle Atomic Security settings described above, the default permission for the *Add Document* action is *Hide*, and the Application Role to which users are assigned (for example, Editor) is granted *Execute* permission via Role Override.

See also [Configuring Atomic Security for Object Controls](/en/lr/47850/ ).

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Users performing a given action described in this article must always have <em>Execute</em> access within both their permission set and the desired object lifecycle state(s). Other access levels (<em>Hide</em>, <em>View</em>) are relevant only for restricting action permission.</p>
    </div>
  </div>
</div>



## Object Actions for Document Matching

When a content planning activity results in an update to matched documents, the *Content Plan Item* object lifecycle and the initiating user's assigned permission set must both have a corresponding *Execute* permission for the underlying object actions. 

For example, when Vault replaces a document during synchronization, the initiating user must have *Add Document* and *Remove Document* object action permission. Successful synchronization also relies on the same permissions in the *Content Plan Item* object lifecycle's *Locked* state.

The below *Content Plan Item* Object Actions allow users to seamlessly work with matched documents:
* Add Document
* Exclude Document
* Include Document
* Lock Version
* Remove Document

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Document matching also requires the <strong>EDL Matching &gt; Edit Document Matches</strong> permission, found under the <strong>Application</strong> tab in the permission set.</p>
    </div>
  </div>
</div>