QualityOne Vaults allow users to efficiently manage temporary, short-term access to your Vault for external collaborators by eliminating manual Vault account creation, activation, and inactivation. Setting up external collaborators with temporary access allows external users to respond to your organization’s collaboration requests using an external license from a dedicated pool of external licenses. You can give users the ability to request responses from recognized external contacts, collaborate with those individuals in Vault, and finish with minimal or no need to manage user account provisioning for those external collaborators.
When users request collaboration from external contacts on supported object records, Vault automates the provisioning of External Collaborator accounts for those contacts and invites them to collaborate by sending specialized email notifications. When external contacts respond to all requests assigned to them, Vault automatically inactivates external user accounts, freeing up external licenses for other new external contacts with collaboration requests to use.
Note: This feature enables external users to collaborate on QMS objects. If you need External Collaboration for document review and approval, see Configuring External Collaboration for Document Review & Approval for more details.
External Collaboration Management Objects
QualityOne uses the following objects and object types to support External Collaboration Management:
- Person (
person__v
): This object represents named individuals used as data references. Being a Person in Vault does not necessarily grant login access nor does it give the ability to participate in workflows. - Organization (
organization__v
): This object represents information relating to individual organizations. - Recording Matching Rule (
recording_matching_rule__v
): This object represents sharing rules for individual users with a particular application role for the secured object.
Target Objects
You can configure supported QMS objects as target objects for External Collaboration Management. When configured, target object records display the relevant fields needed for users to assign external contacts.
- CAR (
car__v
): This object represents corrective action requests. - NCR (
ncr__v
): This object represents nonconformances. - Audit (
audit__qdm
): This object represents audits. - Audit Finding (
audit_finding__v
): This object represents a finding in an audit. - Action Item (
action_item__qdm
): This object represents an action item associated with a quality process. - Change Control (
change_control__v
): This object represents change requests. - Inspection (
inspection__v
): This object represents inspections.
Configuration Overview
Configuring your Vault to use External Collaboration Management involves the following steps:
- Set up a Security Profile for use with external collaborators
- Define an External Collaborator User Template for External Collaborators
- Configure Object Notification Templates
- Configure the Person, Organization, and target objects
- Configure the target object lifecycle
- Configure the target object actions
- Optionally, configure the relevant target object workflows
Note: Depending on your Vault’s creation date and which features are currently enabled and configured, some of the steps described in this article may be unavailable or already complete in your Vault.
Setting Up User Security Profile
When Vault automatically creates Users, Vault determines a specific Security Profile to use for the external collaborator via an External Collaborator User Template. Ensure you set up an appropriate Security Profile to use for the External Collaborator User Template. Setting up an appropriate Security Profile tailors the experience for the external user within your Vault to be as robust or simplified as necessary. We recommend “External Collaborator” as the label for the new Security Profile.
Note: The Security Profile you set up for External Collaborators cannot grant any permissions that the internal users who invite External Collaborators to collaborate on object records do not also have.
Defining External Collaborator User Templates
You can configure your Vault to automate the creation and activation of External Collaborators. See Defining External Collaborator User Templates for more details.
Configuring Object Notification Templates
There are three (3) email notification templates for each target object you can configure to which Vault automatically sends to third-party contacts based on the way the external user is collaborating with your organization. When Vault automatically creates a User account, Vault sends a Welcome email to that third-party contact. When an external collaborator is activated again to collaborate, Vault reactivates the User account and sends a Welcome Back email to that third-party contact.
Vault sends a Goodbye email to third-party contacts when their work is complete. Depending on your configuration, an external collaborator’s work may be complete at various lifecycle states on a given request. Vault sends the Goodbye email when the external collaborator’s response is accepted, and no more requests are waiting for the collaborator’s response in the Vault.
Notification Templates
The relevant notification templates are:
- External Collaboration Welcome - [target_object_label] (
ext_collab_welcome_[target_object_name]__v
) - External Collaboration Welcome Back - [target_object_label] (
ext_collab_welcome_back_[target_object_name]__v
) - External Collaboration Goodbye - [target_object_label] (
ext_collab_goodbye_[target_object_name]__v
)
You can update the notification templates to include information about the request, the request’s parent object record (for example, SCAR), and if configured, the parent object record’s Team members from your organization. Configuring the notification templates ensures that the recipient knows what actions are required and receives any additional relevant information about collaborating with your organization.
External Collaboration Notification Template Tokens
You can configure additional token support using standard object notification configurations. Tokens are pieces of text that are replaced at the time the notification template is used. You can use the following tokens within the email content for document notification templates:
firstName
: The recipient’s first name.lastName
: The recipient’s last name.authServiceExtUrl
: The authorized URL to login page.staticContentBaseUrl
: This displays images.userName
: The user’s username.userEmail
: The user’s email address.vaultName
: The name of the internal user’s Vault.userLanguage
: This displays the recipient’s language. This is part of the one-time password reset link.userPassword
: This displays the recipient’s automated password.utp?url
: This is part of the one-time password reset link.
You can also include the special ${creator}
and $($creatorEmail)
tokens in these notification templates. Use of these special tokens in the object notification template allows you to add the name and email of the object record creator.
Note: External collaborators can still reset their password via the standard method.
Configuring External Collaborator Objects
Configure the Person, Organization, and applicable target objects needed to configure automated Vault account creation, activation, and inactivation.
Configuring the Person Object
On the Person object, activate the Organization object reference field and add it to the Person object layout.
Configuring the Organization Object
We recommend you configure the Organization object to simplify the management of a contact list of Persons. Person records have a field linking them to Organizations, and Organization records can list the Persons that your organization interacts with. This allows for easier identification of contacts listed in the External Collaborator field that users can choose from to assign records to collaborate on, such as SCARs. You can manage these contacts centrally or you can enable requestors or other internal users to manage these persons independently for the Organizations they work with.
To configure the Organization object to display contact lists, insert a Related Object section with the Person object into the layout of the Organization object. We recommend defining Section Help for this contact list so that its purpose is clear to users.
Configuring the Target Object
When deploying External Collaboration for a target object, you must make several modifications to the target object (for example, the CAR object for SCAR) configuration to set up the external collaboration.
Enabling Custom Sharing Rules
You must enable the Custom Sharing Rules for the Dynamic Access Control option on the target object to activate External Collaboration Management.
Configuring External Collaborator Field
On the target object, activate the External Collaborator field. We recommend you use the Constrain Records in Referenced Object field option to limit the selection of the External Collaborator to only persons within a related Organization. For example, you can add the following VQL statement:
organization__v = {{this.supplier__v}}
This statement limits the selection of External Collaborators to the Organization referenced in the Supplier field of the target object. We recommend this configuration to ensure users choose appropriate collaborators for each request.
You can add the External Collaborator field to the applicable target object type (for example, SCAR) and its corresponding layout. When configuring a constraining statement, the constraining field should be listed before the External Collaborator field so that the constraints take effect prior to choosing an External Collaborator.
Configuring Organization Field
Optionally, you can establish a default value for the organization the request is against, based on the associated parent process’ object. To do this, add the default organization value to the target object record’s Organization field.
On the target object, ensure there is at least one (1) active field that references the Organization object. The following table shows the default target fields for Organization for various target objects; field names and labels might be different depending on the object and your organization’s configuration.
Target Object | Target Field for Organization |
---|---|
Audit (audit_qdm ) |
external_auditor_organization__v |
Audit Finding (audit_finding__v ) |
audited_organization__v |
CAR (car__v ) |
organization__v |
Change Control (change_control__v ) |
organization__v |
Inspection (inspection__v ) |
supplier_name__v OR supplier_manufacturing_site_name__v |
NCR (ncr__v ) |
organization__v |
The Audited Organization (audited_organization__v
) field on the Audit Findings object inherits the Target Organization (target_organization__qdm
) field value from the parent Audit record, and cannot be updated manually.
Configuring the Target Object Lifecycle
To configure your target object’s lifecycle, you must first determine which lifecycle state of the target object you want to bring an external collaborator into your Vault (entry state) and the state in which their User account should be removed from your Vault (exit state). The “entry” state should be the state that you want external collaborators to start giving responses and the “exit” state should be the state that you want external collaborators to stop responding, after accepting their responses. After determining your “entry” and “exit” states, configure your target object’s lifecycle by adding the application role and your object actions for your two (2) states.
External Collaborator Application Role
Add the External Collaborator application role to the target object’s lifecycle. As this is the role that external collaborators will be added to or removed from using the configuration from External Collaborator User Templates, ensure that the role has appropriate permissions for each lifecycle state utilized with the target object’s object type.
Note: To restrict an external collaborator’s ability to edit a target object’s fields during the collaboration process, you must configure Atomic Security for the External Collaborator application role’s access to the desired fields.
Configuring the Target Object Actions
The target object’s lifecycle contains Create & Activate External Collaborator and Inactivate External Collaborator actions to configure for your “entry” and “exit” lifecycle states. You can also mirror the same effect that the Inactivate External Collaborator action triggers by manually removing assignments from the External Collaborator field or deleting a target record with an active assignment.
Depending on your business needs, you can:
- Add these actions as entry actions on any target object’s lifecycle state:
- Add the Create & Activate External Collaborator action as a user action on any target object’s lifecycle state.
Note: For Inspection objects, Vault automatically creates Record Matching Rule records when External Collaborators are created or activated and deletes Record Matching Rule records when External Collaborators are inactivated. This allows Vault to track external users and grant the proper application role for secured objects.
Configuring the Create & Activate External Collaborator Entry Action
Add the Create & Activate External Collaborator entry action to an “entry” lifecycle state. You must select an External Collaborator User Template for Vault to use during automated User account creation. This entry action attempts to activate a user account for the Person record referenced in the External Collaborator field.
If Vault determines that a User account already exists with the exact details as the Person, Vault actions the following:
- Assigns that user account to the Person.
- Activates that User account.
- Sends the named External Collaborator a Welcome Back notification.
If Vault determines that there is no existing User account, Vault actions the following:
- Creates a new User account.
- Activates the User account.
- Sends the named External Collaborator a Welcome notification.
User records created by this action have their Managed by QMS Automation field set to True. Setting this field to False manually stops the access management automation for the user: access is managed manually by you.
Configuring the Inactivate External Collaborator Entry Action
Add the Inactivate External Collaborator entry action to an “exit” lifecycle state. This entry action allows Vault to find the Person in the External Collaborator field, identify the User account associated with the Person, and to check if the User account can be inactivated. Vault checks for any requests assigned to the User account that was granted by the Create & Activate External Collaborator actions and have not yet had the Inactivate External Collaborator entry action triggered.
If Vault determines that the User account has completed all requests assigned for an external response, Vault actions the following:
- Inactivates the User account.
- Sends the named External Collaborator a Goodbye notification.
Vault does not remove inactivated users from Sharing Settings on individual records by default. To limit external collaborators’ access to certain records in the event that their User account is reactivated, you must add an Update Sharing Settings step in your target object’s workflow. Optionally, removing or changing the External Collaborator value on the target object’s record removes the User from Sharing Settings.
Configuring the Create & Activate External Collaborator User Action
Add the Create & Activate External Collaborator user action to lifecycle states that users may need to replace an inactivated external collaborator, such as when an external user is removed from a target object’s External Collaborator field. We recommend you restrict access to this action using Atomic Security.
Optionally, you can also choose to prevent changes to the External Collaborator field in an “exit” lifecycle state using field-level Atomic Security, or use workflow steps or lifecycle action configurations to move the target object into a “pre-response” state to “restart” the collaboration process again.
Removing Assignments from the External Collaborator Field
Whenever a Person assignment in the External Collaborator field of a target object’s record is removed or changed, Vault evaluates if the Person’s associated User account should be inactivated following the same actions taken in the Inactivate External Collaborator entry action, with the following added action: the Person’s associated User account is removed from the External Collaborator application role.
Configuring the Target Object Workflow
Collaboration with external users may result in cases where an internal user needs to respond on behalf of the external collaborator, or abandon a collaboration on a specific request or any requests with specific partners. Ensure you account for the internal users’ ability to take over assignments or bypass collaboration when necessary when configuring your target object’s lifecycles and workflows.
About Assignment Tracking
External Collaboration Management tracks and stores data when Vault activates or inactivates a User for a Person referenced on an External Collaborator field. Every time a User is active, Vault creates a new record that references the matching target object’s record and sets the new record’s Assignment Activity field as “Active”; for example, the CAR target object’s matching External Collaborator CAR Assignment object.
Every time a User is inactive, Vault updates the relevant existing object record’s Assignment Activity field to “Inactive”. Tracking the assignments of a Person via the Managed by QMS Automation field allows Vault to verify whether an External Collaborator has any outstanding tasks left before automatically inactivating the User account of the Person. If the Managed by QMS Automation field is set to “False” on the User record, Vault stops automatically tracking and managing assignments.
Related Permissions
You can complete all the steps in this article with the standard System Administrator or Vault Owner security profile. If your Vault uses custom security profiles, your profile must grant the following permissions:
Type | Permission | Controls |
---|---|---|
Security Profile | Admin: Configuration: Object Lifecycles: Edit | Ability to modify object lifecycles. |
Security Profile | Admin: Configuration: Object Workflows: Edit | Ability to modify object workflows. |
Security Profile | Admin: Configuration: Objects: Create, Edit | Ability to create and modify Vault objects. |
Security Profile | Admin: Security: Permission Sets: Create, Edit, Delete | Ability to make changes to permission sets for users. |
Security Profile | Objects: Audit (all object types): Create, Edit, Delete | Ability to make changes to Audit. |
Security Profile | Objects: CAR (all object types): Create, Edit, Delete | Ability to make changes to CAR. |
Security Profile | Objects: Change Control (all object types): Create, Edit, Delete | Ability to make changes to Change Control. |
Security Profile | Objects: Inspection (all object types): Create, Edit, Delete | Ability to make changes to Inspection. |
Security Profile | Objects: NCR (all object types): Create, Edit, Delete | Ability to make changes to NCR. |
Security Profile | Objects: Audit Finding (all object types): Create, Edit, Delete | Ability to make changes to Audit Finding. |
Security Profile | Objects: Action Item (all object types): Create, Edit, Delete | Ability to make changes to Action Item. |