Role permissions enable Admins to assign permissions to a specific user without affecting security profiles, allowing an incremental approach to access control that reduces the need for complex security profile configuration and maintenance. While security profiles form the basis of access control in Vault, role permissions can provide an added layer for specific or temporary purposes. This can be particularly useful when users play various roles over time that require access to different combinations of object or application permissions.
To use role permissions, an Admin associates permission sets with Application Role records, then joins those Application Roles with User records via the User Role join object.
Example: Simplifying a Security Profile Configuration
Suppose that, depending on training and role, the users in your organization will need varying combinations of the following permission sets:
- Full User Actions
- Deviation Owner
- Audit Owner
- Change Control Owner
- Complaint Owner
The intent of this is to distinguish between users who can participate in all processes (Full User Actions) and users who can start or create new records of their respective business flows. If you were to configure security profiles for each possible access scenario so that a user could participate in each process, but only start the processes they’re owners of, you would need 16 profiles to meet your needs: One profile providing Full User Actions, another providing Full User Actions and Deviation Owner, and so on. Each added permission set that you wish to incorporate into such a configuration dramatically increases the number and complexity of necessary security profiles.
Instead of using security profiles only, however, you can use role permissions to greatly simplify this configuration. In this example, given the same intent as above, you would create one (1) basic security profile and four (4) Application Roles:
- Security Profile: Full User
- Application Role: Deviation Owner
- Application Role: Audit Owner
- Application Role: Change Control Owner
- Application Role: Complaint Owner
You can now assign all users the basic security profile and add the appropriate User Roles to their User record as they complete training, gain new roles, or become otherwise qualified to own new processes within the organization.
Example: Temporary Access
Suppose a single user in your organization requires access to Vault Loader on a temporary basis. Rather than creating or modifying a custom security profile which includes both the user’s standard access as well as Vault Loader, you simply create an Application Role record called Vault Loader User.
You can then associate a specific permission set for Vault loader access to the new Application Role, and assign this role to the user. This method negates the need to alter security profiles.
Configuring Role Permissions
Perform the following to enable the use of role permissions in your Vault:
- Add a related object section for the User Role object to the User object detail page layout.
- Ensure that users who will be managing User Roles and Application Roles have the required permissions. Note that a user cannot assign or remove User Roles with permission sets containing more permissions than they possess themselves.
- Optional: To allow access to User object records outside of Admin > Users & Groups > Vault Users, select Display in Business Admin in the User object configuration, or add a User custom object tab.
Adding Permission Sets to Application Roles
To make an Application Role useful for role permissions, you must first associate it with a permission set.
Note: You can only apply permission sets to custom Application Roles (those with names ending in __c
). Standard roles (those typically ending in __sys
or __v
) cannot have permission sets added to them.
To add a permission set to an Application Role:
- Navigate to an Application Role object record in Business Admin > Objects > Application Roles or a custom object tab.
- Click Edit.
- Select a permission set in the Permission Set field, or click the binoculars icon to open the record search dialog.
- If you want Vault to enforce User Role associations when creating User Role Setup records for use with sharing rules, select the Yes value for Constrain User Role Setup. Use this value in conjunction with the User Role Constraints feature.
The Application Role applies its associated permission set when assigned to a User. A user can add or remove a permission set on an Application Role only if the user has at least the same permissions.
If there are any assigned User Role records for an Application Role, Vault will not allow you to edit its Permission Set or Status field values.
Assigning an Application Role to a User
To assign an Application Role to a User:
- Navigate to a User object record in Business Admin > Objects > Users or a custom object tab.
- In the User Role section, click Create.
- Select one or more Application Roles from the dialog.
- Click Save.
The permission sets associated with the added Application Role take effect immediately. Note that you can assign or unassign a role with a permission set only if you have at least the same permissions.
Vault limits the number of active User Roles on a User record to 15. If you later set a User Role’s Status value to Inactive, the user will not have access to the associated permission set.
Related Permissions
To add or remove permission sets on Application Role records, a user requires Edit permission on the Application Role object and Admin: Permission Sets: Read permission.
To add or remove User Roles on the User object, a user requires the Admin > Security > User > Manage User Object permission and Read, Create, Edit, and Delete permissions on the User Role and User objects.