QualityOne Vaults allow you to define application security to automatically grant users specific access based on their Application Role for a particular secured object. Secured objects are High Volume object (HVO) data stores, which supports the growing volume of object records while maintaining Vault performance. You must define record-level security for the secured object as this data store option cannot be defined by DAC. To do so, you must first define users, user groups, organizations or facilities, and application roles to determine the level of access an internal or external user has for the following secured object:

  • Purchase Order Line Item: The default value for the Secured Object field on the Object Sharing Rule, Role Matching Criteria, and Record Matching Rule component and object is “purchase_order_line_item__v”.

About the Application Security Process

After you define the applicable User, User Group, Organization or Facility, and Application Role records, Vault does the following when an active User is detected:

  1. If the User has applicable DAC sharing rules configured for the secured object, the User gains access to the secured object records allowed by these sharing rules.
  2. Vault checks all Object Sharing Rule records for the secured object and the User. If the User belongs to an existing User Group, Vault assigns the appropriate Application Roles to the User for the secured object.
  3. Vault checks all Record Matching Rule records for the User and all the Role Matching Criteria records for the secured object. If the User has existing Record Matching Rule records with defined Application Roles and Facility or Organization configuration, Vault matches the Record Matching Rule records to the Role Matching Criteria record defined for the same Application Roles and Facility or Organization configuration for the secured object. Vault uses this match to assign the appropriate Application Roles to the User for the secured object. If there are no matches, Vault does not match based on the defined Record Matching Rule record.
  4. If the User has no Application Roles assigned and no applicable sharing rules for the secured object, Vault does not allow the User to gain access to the secured object and its records.

Overview

For users to view or interact with a secured object for the applicable lifecycle, create the appropriate records for the following:

Object Sharing Rule Component

This component contains the sharing rules for user groups. In this component, Admins configure the Application Role that Vault assigns to all users belonging to a User Group for a Secured Object. Navigate to Admin > Configuration > Application Security Setup > Object Sharing Rules. Create an Object Sharing Rule by adding an Application Role to assign to all users belonging to a User Group for a secured object.

You can use any application role available in the secured object’s lifecycle. If an existing Object Sharing Rule record exists, you cannot create duplicate records with the same combination of Application Role, Secured Object, and User Group field values. Depending on configuration, you may create up to ten (10) Object Sharing Rule records for each secured object. For additional help on this configuration, contact your Veeva Representative for more details.

Role Matching Criteria Component

This component defines the access criteria for the applicable Application Role. Navigate to Admin > Configuration > Application Security Setup > Role Matching Criteria. Create a Role Matching Criteria by assigning the matching field of an object to an Application Role.

If an existing Role Matching Criteria record exists, you cannot create duplicate records with the same combination of Application Role, Record Matching Rule Object, Record Matching Rule Field, Secured Object, and Secured Object Field field values. Depending on configuration, you may create up to ten (10) Role Matching Criteria records for each secured object. For additional help on this configuration, contact your Veeva Representative for more details.

Record Matching Rule Object

This object contains the sharing rules for individual users belonging to either an organization or facility. In this object, Admins configure the Application Role that Vault assigns to an individual user for a secured object. Navigate to Business Admin > Objects > Record Matching Rule. Create a Record Matching Rule by adding an Application Role to assign to a User belonging to either an external Organization or an internal Facility.

Users can belong to up to 15 Facilities, and users at a Facility can have more than one (1) Application Role. For additional help on this configuration, contact your Veeva Representative for more details. You can use any application role available in the secured object’s lifecycle. Record Matching Rule records are also automatically created when External Collaborators are added or activated and deleted when inactivated through External Collaboration Management object actions. Record Matching Rules are subject to the Role Matching Criteria.