**Source URL:** https://qualityone.veevavault.help/en/lr/627671/index.md

# Defining Object Application Security (QMS)

[QualityOne Vaults](/en/lr/78610/) allow you to define application security to automatically grant users specific access based on their _Application Role_ for a particular secured object. Secured objects are [_Raw_ object data stores](/en/lr/62987/), which support the growing volume of object records while maintaining Vault performance. You must define record-level security for the secured object because security for this data store option cannot be defined by [DAC](/en/lr/33946/). To do so, you must first define users, user groups, organizations or facilities, and application roles to determine the level of access an internal or external user has for the following secured object:

* **Inspection Sample Test Result**: Select **Inspection Sample Test Result** in the _Secured Object_ field on _Object Sharing Rule_, _Role Matching Criteria_, and _Record Matching Rule_ records to configure Application Security for the _Inspection Sample Test Result_ object.

## About the Application Security Process {#about}

After you define the applicable _User_, _User Group_, _Organization_ or _Facility_, and _Application Role_ records, Vault does the following when an active _User_ is detected:

1. If the _User_ has applicable [DAC](/en/lr/33946/) sharing rules configured for the secured object, the _User_ gains access to the secured object records allowed by these sharing rules.
2. Vault checks all _Object Sharing Rule_ records for the secured object and the _User_. If the _User_ belongs to an existing _User Group_, Vault assigns the appropriate _Application Roles_ to the _User_ for the secured object.
3. Vault checks all _Record Matching Rule_ records for the _User_ and all the _Role Matching Criteria_ records for the secured object. If the _User_ has existing _Record Matching Rule_ records with defined _Application Roles_ and _Facility_ or _Organization_ configuration, Vault matches the _Record Matching Rule_ records to the _Role Matching Criteria_ record defined for the same _Application Roles_ and _Facility_ or _Organization_ configuration for the secured object. Vault uses this match to assign the appropriate _Application Roles_ to the _User_ for the secured object. If there are no matches, Vault does not assign an _Application Role_ based on the defined _Record Matching Rule_ record.
4. If the _User_ has no _Application Roles_ assigned and no applicable sharing rules for the secured object, Vault does not allow the _User_ to gain access to the secured object and its records.
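
The four steps above can be modeled as a small resolver that an Admin can use to reason about who ends up with which role before configuring Vault. This is an added example, not Veeva code or a Vault API: the class names, role names, users, and facility values are constructed, and comparing field values per record is an assumption about how the step 3 match is applied.

```python
from typing import NamedTuple

SECURED = "Inspection Sample Test Result"

class ObjectSharingRule(NamedTuple):     # role for every user in a User Group
    secured_object: str
    user_group: str
    role: str

class RoleMatchingCriteria(NamedTuple):  # fields that must agree for a role
    secured_object: str
    role: str
    rule_field: str      # field on the Record Matching Rule, e.g. "Field.facility__v"
    secured_field: str   # field on the secured object record

class RecordMatchingRule(NamedTuple):    # role for one user at a Facility/Organization
    user: str
    role: str
    fields: dict         # e.g. {"facility__v": "Plant A"}

def field_name(ref):
    """Strip the 'Field.' prefix required in Role Matching Criteria values."""
    if not ref.startswith("Field."):
        raise ValueError(f"expected Field.<name>, got {ref!r}")
    return ref[len("Field."):]

def resolve(user, groups, record, osrs, rmcs, rmrs, dac_allows=False):
    """Return (has_access, roles) for one user and one secured object record."""
    # Step 2: roles from Object Sharing Rules via User Group membership.
    roles = {r.role for r in osrs
             if r.secured_object == SECURED and r.user_group in groups}
    # Step 3: a Record Matching Rule yields its role only when a Role Matching
    # Criteria exists for the same role and the compared field values agree.
    for rule in (r for r in rmrs if r.user == user):
        for c in rmcs:
            if c.secured_object != SECURED or c.role != rule.role:
                continue
            want = rule.fields.get(field_name(c.rule_field))
            if want is not None and record.get(field_name(c.secured_field)) == want:
                roles.add(rule.role)
    # Step 1 (DAC sharing rules) grants access on its own; step 4 is default deny.
    return (dac_allows or bool(roles)), roles

# Constructed sample configuration; "Editor" has no Role Matching Criteria.
OSRS = [ObjectSharingRule(SECURED, "QA Leads", "Approver")]
RMCS = [RoleMatchingCriteria(SECURED, "Viewer", "Field.facility__v", "Field.facility__v")]
RMRS = [RecordMatchingRule("alice", "Viewer", {"facility__v": "Plant A"}),
        RecordMatchingRule("alice", "Editor", {"facility__v": "Plant A"})]
RECORD_A = {"facility__v": "Plant A"}
RECORD_B = {"facility__v": "Plant B"}
```

In this sample, `alice` receives only the Viewer role on the Plant A record: her Editor rule has no matching criteria, so it contributes nothing, and she has no access to the Plant B record.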

## Overview {#overview}

For users to view or interact with a secured object for the applicable lifecycle, create the appropriate records for the following:

* [Object Sharing Rule component][3]
* [Role Matching Criteria component][4]
* [_Record Matching Rule_ object][5]

### Object Sharing Rule Component {#osr-comp}

This component contains the sharing rules for user groups. In this component, Admins configure the _Application Role_ that Vault assigns to all users belonging to a _User Group_ for a _Secured Object_. Navigate to **Admin > Configuration > Application Security Setup > Object Sharing Rules**. Create an _Object Sharing Rule_ by adding an _Application Role_ to assign to all users belonging to a _User Group_ for a secured object. 

You can use any application role available in the secured object's lifecycle. If an _Object Sharing Rule_ record already exists, you cannot create duplicate records with the same combination of _Application Role_, _Secured Object_, and _User Group_ field values. Depending on configuration, you may create up to ten (10) _Object Sharing Rule_ records for each secured object. For additional help with this configuration, contact your Veeva Representative.

### Role Matching Criteria Component {#rmc-comp}

This component defines the access criteria for the applicable Application Role. Navigate to **Admin > Configuration > Application Security Setup > Role Matching Criteria**. Create a _Role Matching Criteria_ by assigning the matching field of an object to an _Application Role_.

Depending on your use case, you can enter a field name value into the _Record Matching Field_ and _Secured Object Field_ fields on _Role Matching Criteria_ records that references either the _Organization_ or _Facility_ object. These must be fields on the _Inspection Sample Test Result_ object. To reference the _Facility_ object field, use the following field:

* `facility__v`

To reference the _Organization_ object field, use one (1) of the following fields:

* `supplier_name__v`
* `supplier_manufacturing_site_name__v`

Field values entered into the _Record Matching Rule Field_ on _Role Matching Criteria_ records must be in the following format: `Field.[matching_field_name__v]`. For example, for the _Facility_ field, enter `Field.facility__v` into the _Record Matching Field_ and _Secured Object Field_ fields.

If a _Role Matching Criteria_ record already exists, you cannot create duplicate records with the same combination of _Application Role_, _Record Matching Rule Object_, _Record Matching Rule Field_, _Secured Object_, and _Secured Object Field_ field values. Depending on configuration, you may create up to ten (10) _Role Matching Criteria_ records for each secured object. For additional help with this configuration, contact your Veeva Representative.
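
The format, field, duplicate, and record-count constraints in this section can be checked on a planned set of _Role Matching Criteria_ records before they are entered. This is an added example, not a Vault export format or API: the dictionary keys, role names, and sample rows are constructed, and the limit is a parameter because the page says it depends on configuration.

```python
import re
from collections import Counter

# Fields the page lists for referencing Facility or Organization.
ALLOWED = {"facility__v", "supplier_name__v", "supplier_manufacturing_site_name__v"}
FIELD_REF = re.compile(r"^Field\.([a-z0-9_]+__v)$")
# Hypothetical keys standing in for the five values that make a record unique.
KEY = ("application_role", "rmr_object", "rmr_field",
       "secured_object", "secured_object_field")

def lint_criteria(records, limit=10):
    """Return (index, problem) findings for planned Role Matching Criteria."""
    findings = []
    for i, rec in enumerate(records):
        for col in ("rmr_field", "secured_object_field"):
            m = FIELD_REF.match(rec.get(col, ""))
            if not m:
                findings.append((i, f"{col}: not in Field.<name>__v format"))
            elif m.group(1) not in ALLOWED:
                findings.append((i, f"{col}: {m.group(1)} is not a listed field"))
    seen = {}
    for i, rec in enumerate(records):
        key = tuple(rec.get(c) for c in KEY)
        if key in seen:
            findings.append((i, f"duplicate of record {seen[key]}"))
        else:
            seen[key] = i
    for obj, n in Counter(r.get("secured_object") for r in records).items():
        if n > limit:
            findings.append((None, f"{obj}: {n} records exceeds limit of {limit}"))
    return findings

def row(role, rmr_field, secured_field):
    """Build one constructed sample record."""
    return {"application_role": role, "rmr_object": "Record Matching Rule",
            "rmr_field": rmr_field, "secured_object": "Inspection Sample Test Result",
            "secured_object_field": secured_field}

# Constructed plan: row 1 duplicates row 0; row 2 lacks the "Field." prefix
# and names a field that is not in the page's list.
PLANNED = [row("Viewer", "Field.facility__v", "Field.facility__v"),
           row("Viewer", "Field.facility__v", "Field.facility__v"),
           row("Editor", "facility__v", "Field.lot__v")]
```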

### Record Matching Rule Object {#rmr-obj}

This object contains the sharing rules for individual users belonging to either an organization or facility. In this object, Admins configure the _Application Role_ that Vault assigns to an individual user for a secured object. Navigate to **Business Admin > Objects > Record Matching Rule**. Create a _Record Matching Rule_ by adding an _Application Role_ to assign to a _User_ belonging to either an external _Organization_ or an internal _Facility_. 

Users can belong to up to 15 _Facilities_, and users at a _Facility_ can have more than one (1) _Application Role_. For additional help with this configuration, contact your Veeva Representative. You can use any application role available in the secured object's lifecycle. _Record Matching Rule_ records are also automatically created when _External Collaborators_ are added or activated and deleted when inactivated through [External Collaboration Management object actions](/en/lr/76844/#target-object-action). _Record Matching Rules_ are subject to the _Role Matching Criteria_.

[1]: #about
[2]: #overview
[3]: #osr-comp
[4]: #rmc-comp
[5]: #rmr-obj