# Configuring External Collaboration Management (QMS) QualityOne Vaults allow users to efficiently manage temporary, short-term access to your Vault for external collaborators by eliminating manual Vault account creation, activation, and inactivation. Setting up external collaborators with temporary access allows external users to respond to your organization's collaboration requests using an external license from a dedicated pool of external licenses. You can give users the ability to request responses from recognized external contacts, collaborate with those individuals in Vault, and finish with minimal or no need to manage user account provisioning for those external collaborators. When users request collaboration from external contacts on [supported object records][14], Vault automates the provisioning of _External Collaborator_ accounts for those contacts and invites them to collaborate by sending specialized email notifications. When external contacts respond to all requests assigned to them, Vault automatically inactivates external user accounts, freeing up external licenses for other new external contacts with collaboration requests to use.

Note: This feature enables external users to collaborate on QMS objects. If you need External Collaboration for document review and approval, see Configuring External Collaboration for Document Review & Approval for more details.

## External Collaboration Target Objects {#target-objects} You can configure supported QMS objects as [target objects][13] for External Collaboration Management. When configured, target object records display the relevant fields needed for users to assign external contacts. * **CAR** (`car__v`): This object represents corrective action requests. * **NCR** (`ncr__v`): This object represents nonconformances. * **Audit** (`audit__qdm`): This object represents audits. * **Audit Finding** (`audit_finding__v`): This object represents a finding in an audit. * **Action Item** (`action_item__qdm`): This object represents an action item associated with a quality process. * **Change Control** (`change_control__v`): This object represents change requests. * **Inspection** (`inspection__v`): This object represents inspections. ## Configuration Overview {#overview} Configuring your Vault to use External Collaboration Management involves the following steps: 1. Set up a _[Security Profile][1]_ for use with external collaborators 2. Define an [External Collaborator User Template][2] for _External Collaborators_ 3. Configure _[Object Notification Templates][3]_ 4. Configure the [_Person_, _Organization_, and target objects][4] 5. Configure the [target object lifecycle][5] 6. Configure the [target object actions][6] 7. Optionally, configure the relevant target object [workflows][7]

Note: Depending on your Vault’s creation date and which features are currently enabled and configured, some of the steps described in this article may be unavailable or already complete in your Vault.

## Setting Up User Security Profile {#setup-security-profile} When [Vault automatically][6] creates _Users_, Vault determines a specific _Security Profile_ to use for the external collaborator via an [External Collaborator User Template][2]. Ensure you set up an appropriate Security Profile to use for the _External Collaborator User Template_. Setting up an appropriate _Security Profile_ tailors the experience for the external user within your Vault to be as robust or simplified as necessary. We recommend "External Collaborator" as the label for the new _Security Profile_.

Note: The Security Profile you set up for External Collaborators cannot grant any permissions that the internal users who invite External Collaborators to collaborate on object records do not also have.

## Defining External Collaborator User Templates {#define-user-template} You can configure your Vault to automate the creation and activation of _External Collaborators_. See Defining External Collaborator User Templates for more details. ## Configuring Object Notification Templates {#message-template} There are three (3) email notification templates for each [target object][14] you can configure to which Vault automatically sends to third-party contacts based on the way the external user is collaborating with your organization. When Vault automatically creates a _User_ account, Vault sends a _Welcome_ email to that third-party contact. When an external collaborator is activated again to collaborate, Vault reactivates the _User_ account and sends a _Welcome Back_ email to that third-party contact. Vault sends a _Goodbye_ email to third-party contacts when their work is complete. Depending on your configuration, an external collaborator's work may be complete at various lifecycle states on a given request. Vault sends the _Goodbye_ email when the external collaborator's response is accepted, and no more requests are waiting for the collaborator's response in the Vault. ### Notification Templates {#notif-template} The relevant notification templates are: * External Collaboration Welcome - [target_object_label] (ext_collab_welcome_[target_object_name]__v) * External Collaboration Welcome Back - [target_object_label] (ext_collab_welcome_back_[target_object_name]__v) * External Collaboration Goodbye - [target_object_label] (ext_collab_goodbye_[target_object_name]__v) You can update the notification templates to include information about the request, the request's parent object record (for example, _SCAR_), and if configured, the parent object record's Team members from your organization. Configuring the notification templates ensures that the recipient knows what actions are required and receives any additional relevant information about collaborating with your organization. ### External Collaboration Notification Template Tokens {#template-token} You can configure additional token support using standard object notification configurations. Tokens are pieces of text that are replaced at the time the notification template is used. You can use the following tokens within the email content for document notification templates: * `firstName`: The recipient's first name. * `lastName`: The recipient's last name. * `authServiceExtUrl`: The authorized URL to login page. * `staticContentBaseUrl`: This displays images. * `userName`: The user's username. * `userEmail`: The user's email address. * `vaultName`: The name of the internal user's Vault. * `userLanguage`: This displays the recipient's language. This is part of the one-time password reset link. * `userPassword`: This displays the recipient's automated password. * `utp?url`: This is part of the one-time password reset link. You can also include the special `${creator}` and `$($creatorEmail)` tokens in these notification templates. Use of these special tokens in the object notification template allows you to add the name and email of the object record creator.

Note: External collaborators can still reset their password via the standard method.

## Configuring External Collaborator Objects {#config-objects} Configure the _Person_, _Organization_, and applicable [target objects][14] needed to configure automated Vault account creation, activation, and inactivation. ### Configuring the Person Object {#person-object} On the _Person_ object, activate the _Organization_ object reference field and add it to the _Person_ object layout. ### Configuring the Organization Object {#organization-object} We recommend you configure the _Organization_ object to simplify the management of a contact list of _Persons_. _Person_ records have a field linking them to _Organizations_, and _Organization_ records can list the _Persons_ that your organization interacts with. This allows for easier identification of contacts listed in the _External Collaborator_ field that users can choose from to assign records to collaborate on, such as _SCARs_. You can manage these contacts centrally or you can enable requestors or other internal users to manage these persons independently for the _Organizations_ they work with. To configure the _Organization_ object to display contact lists, insert a _Related Object_ section with the _Person_ object into the layout of the _Organization_ object. We recommend defining _Section Help_ for this contact list so that its purpose is clear to users. ### Configuring the Target Object {#config-target} You must make the following modifications to any [target objects][14] that you plan to use for external collaboration. #### Enabling Custom Sharing Rules {#enable-custom-sharing-rules} You must enable Custom Sharing Rules on the target object so that Vault can assign the correct application role to the external collaborator when the _Activate External Collaborator_ action runs. To do this: 1. Navigate to **Admin > Configuration > Objects > [target object] > Details**. 2. Click **Edit**. 3. In the _Options_ section under _Dynamic Access Control_, select the **Enable Custom Sharing Rules** checkbox. 4. Click **Save**. #### Configuring External Collaborator Field {#config-external-collab-field} On the target object, activate the _External Collaborator_ field. We recommend you use the _Constrain Records in Referenced Object_ field option to limit the selection of the _External Collaborator_ to only persons within a related _Organization_. For example, you can add the following VQL statement: organization__v = {{this.supplier__v}} This statement limits the selection of _External Collaborators_ to the _Organization_ referenced in the _Supplier_ field of the target object. We recommend this configuration to ensure users choose appropriate collaborators for each request. You can add the _External Collaborator_ field to the applicable target object type (for example, _SCAR_) and its corresponding layout. The constraining field should be listed before the _External Collaborator_ field on the layout so that the constraints take effect prior to choosing an _External Collaborator_. #### Configuring Organization Field {#config-supplier-field} Optionally, you can establish a default value for the organization the request is against, based on the associated parent process' object. To do this, add the default organization value to the target object record's _Organization_ field. On the target object, ensure there is at least one (1) active field that references the _Organization_ object. The following table shows the default target fields for _Organization_ for various target objects; field names and labels might be different depending on the object and your organization's configuration. | Target Object | Target Field for Organization | | ------------- | ----------------- | | Audit (`audit_qdm`) | `external_auditor_organization__v` | | Audit Finding (`audit_finding__v`) | `audited_organization__v` | | CAR (`car__v`) | `organization__v` | | Change Control (`change_control__v`) | `organization__v` | | Inspection (`inspection__v`) | `supplier_name__v` OR `supplier_manufacturing_site_name__v` | | NCR (`ncr__v`) | `organization__v` | The _Audited Organization_ (`audited_organization__v`) field on the _Audit Findings_ object inherits the _Target Organization_ (`target_organization__qdm`) field value from the parent _Audit_ record, and cannot be updated manually. ## Configuring the Target Object Lifecycle {#lifecycle} To configure your target object's lifecycle, you must first determine which lifecycle state of the target object you want to bring an external collaborator into your Vault (entry state) and the state in which their _User_ account should be removed from your Vault (exit state). The "entry" state should be the state that you want external collaborators to start giving responses and the "exit" state should be the state that you want external collaborators to stop responding, after accepting their responses. After determining your "entry" and "exit" states, configure your target object's lifecycle by adding the [application role][8] and [your object actions][6] for your two (2) states. ### External Collaborator Application Role {#external-collaborator-role} Add the _External Collaborator_ application role to the target object's lifecycle. As this is the role that external collaborators will be added to or removed from using the configuration from _[External Collaborator User Templates][2]_, ensure that the role has appropriate permissions for each lifecycle state utilized with the target object's object type.

Note: To restrict an external collaborator’s ability to edit a target object’s fields during the collaboration process, you must configure Atomic Security for the External Collaborator application role’s access to the desired fields.

## Configuring the Target Object Actions {#target-object-action} The target object's lifecycle contains _Create & Activate External Collaborator_ and _Inactivate External Collaborator_ actions to configure for your "entry" and "exit" lifecycle states. The _Reassign External Collaborator_ action is also available to configure on states in which an external collaborator is active and may need to be reassigned. Depending on your business needs, you can: * Add these actions as entry actions on any target object's lifecycle state: * [Create & Activate External Collaborator][10] * [Inactivate External Collaborator][11] * Add the [Create & Activate External Collaborator][12] action as a user action on any target object's lifecycle state. * Add the [_Reassign External Collaborator_][16] action as a user action on any state in the target object’s lifecycle.

Note: In Vaults with Object Application Security configured, Vault automatically creates Record Matching Rule records when users activate External Collaborators on an Inspection record and deletes Record Matching Rule records when users inactivate External Collaborators. This allows Vault to grant the correct application role on the Inspection Sample Test Result raw object, which cannot use Dynamic Access Control for record-level access control. See Setting Up Inspections for more information.

### Configuring the Create & Activate External Collaborator Entry Action {#create-activate-entry-action} Add the _Create & Activate External Collaborator_ entry action to an ["entry" lifecycle state][5]. You must select an _[External Collaborator User Template][2]_ for Vault to use during automated _User_ account creation. This entry action attempts to activate a user account for the _Person_ record referenced in the _External Collaborator_ field. If Vault determines that a _User_ account already exists with the exact details as the _Person_, Vault actions the following: * Assigns that user account to the _Person_. * Activates that _User_ account. * Sends the named _External Collaborator_ a _[Welcome Back][3]_ notification. If Vault determines that there is no existing _User_ account, Vault actions the following: * Creates a new _User_ account. * Activates the _User_ account. * Sends the named _External Collaborator_ a _[Welcome][3]_ notification. _User_ records created by this action have their _Managed by QMS Automation_ field set to _True_. Setting this field to _False_ manually stops the access management automation for the user: access is managed manually by you. ### Configuring the Inactivate External Collaborator Entry Action {#inactivate-entry-action} Add the _Inactivate External Collaborator_ entry action to an ["exit" lifecycle state][5]. This entry action allows Vault to find the _Person_ in the _External Collaborator_ field, identify the _User_ account associated with the _Person_, and to check if the _User_ account can be inactivated. Vault checks for any requests assigned to the _User_ account that was granted by the _Create & Activate External Collaborator_ actions and have not yet had the _Inactivate External Collaborator_ entry action triggered. If Vault determines that the _User_ account has completed all requests assigned for an external response, Vault actions the following: * Inactivates the _User_ account. * Sends the named _External Collaborator_ a _[Goodbye][3]_ notification. Vault does not remove inactivated users from _Sharing Settings_ on individual records by default. To limit external collaborators' access to certain records in the event that their _User_ account is reactivated, you must add an _Update Sharing Settings_ step in your target object's workflow. You can also mirror the same effect that the _Inactivate External Collaborator_ action triggers by manually [removing assignments][9] from the _External Collaborator_ field or deleting a target record with an active assignment. Removing or changing the _External Collaborator_ value on the target object's record removes the _User_ from _Sharing Settings_. ### Configuring the Create & Activate External Collaborator User Action {#create-activate-user-action} Add the _Create & Activate External Collaborator_ user action to lifecycle states that users may need to replace an inactivated external collaborator, such as when an external user is removed from a target object's _External Collaborator_ field. We recommend you restrict access to this action using Atomic Security. Optionally, you can also choose to prevent changes to the _External Collaborator_ field in an "exit" lifecycle state using field-level Atomic Security, or use workflow steps or lifecycle action configurations to move the target object into a "pre-response" state to "restart" the collaboration process again. ### Configuring the Reassign External Collaborator User Action {#reassign} You can configure the _Reassign External Collaborator_ user action to let users reassign an object record, including any tasks, to a different external collaborator. This is helpful in scenarios where the original external collaborator is no longer available, but users still need to collaborate on a record with a contact from an external organization. Add the _Reassign External Collaborator_ user action to any [supported object][14] lifecycle state in which an active external collaborator may need to be reassigned. When the _Reassign External Collaborator_ action runs: * If the new external collaborator has an inactive user account, Vault activates the account. * If the new external collaborator does not have a user account, Vault creates and activates an account for them. * Once activated, the external collaborator receives a _Welcome_ or _Welcome Back_ email and a task notification associated with the relevant record. * Vault evaluates if the previous external collaborator’s user account should be inactivated following the same actions taken by the [_Inactivate External Collaborator_ entry action][11].

Note: The action fails if the Person records associated with the previous and new external collaborators are deactivated or deleted while reassignment is in progress.

### Removing Assignments from the External Collaborator Field {#remove-assignments} Whenever a _Person_ assignment in the _External Collaborator_ field of a target object's record is removed or changed, Vault evaluates if the _Person's_ associated _User_ account should be inactivated following the same actions taken in the [_Inactivate External Collaborator_ entry action][11], with the following added action: the _Person's_ associated _User_ account is removed from the _External Collaborator_ application role. ## Configuring the Target Object Workflow {#workflow} Collaboration with external users may result in cases where an internal user needs to respond on behalf of the external collaborator, or abandon a collaboration on a specific request or any requests with specific partners. Ensure you account for the internal users' ability to take over assignments or bypass collaboration when necessary when configuring your target object's lifecycles and workflows. ## About Assignment Tracking {#about-assignment-tracking} External Collaboration Management tracks and stores data when [Vault activates or inactivates][6] a _User_ for a _Person_ referenced on an _External Collaborator_ field. Every time a _User_ is active, Vault creates a new record that references the matching target object's record and sets the new record's _Assignment Activity_ field as "Active"; for example, the _CAR_ target object's matching _External Collaborator CAR Assignment_ object. Every time a _User_ is inactive, Vault updates the relevant existing object record's _Assignment Activity_ field to "Inactive". Tracking the assignments of a _Person_ via the _Managed by QMS Automation_ field allows Vault to verify whether an _External Collaborator_ has any active assignments on other object records or documents before automatically [inactivating][11] the _User_ account of the _Person_. If the _Managed by QMS Automation_ field is set to "False" on the _User_ record, Vault stops automatically tracking and managing assignments. ## Related Permissions {#permissions} You can complete all the steps in this article with the standard _System Administrator_ or _Vault Owner_ security profile. If your Vault uses custom security profiles, your profile must grant the following permissions:

Type	Permission	Controls
Security Profile	Admin: Configuration: Object Lifecycles: Edit	Ability to modify object lifecycles.
Security Profile	Admin: Configuration: Object Workflows: Edit	Ability to modify object workflows.
Security Profile	Admin: Configuration: Objects: Create, Edit	Ability to create and modify Vault objects.
Security Profile	Admin: Security: Permission Sets: Create, Edit, Delete	Ability to make changes to permission sets for users.
Security Profile	Objects: Audit (all object types): Create, Edit, Delete	Ability to make changes to Audit.
Security Profile	Objects: CAR (all object types): Create, Edit, Delete	Ability to make changes to CAR.
Security Profile	Objects: Change Control (all object types): Create, Edit, Delete	Ability to make changes to Change Control.
Security Profile	Objects: Inspection (all object types): Create, Edit, Delete	Ability to make changes to Inspection.
Security Profile	Objects: NCR (all object types): Create, Edit, Delete	Ability to make changes to NCR.
Security Profile	Objects: Audit Finding (all object types): Create, Edit, Delete	Ability to make changes to Audit Finding.
Security Profile	Objects: Action Item (all object types): Create, Edit, Delete	Ability to make changes to Action Item.

[1]: #setup-security-profile [2]: #define-user-template [3]: #message-template [4]: #config-objects [5]: #lifecycle [6]: #target-object-action [7]: #workflow [8]: #external-collaborator-role [9]: #remove-assignments [10]: #create-activate-entry-action [11]: #inactivate-entry-action [12]: #create-activate-user-action [13]: #config-target [14]: #target-objects [15]: #ecm-objects [16]: #reassign