You can use the Convert Security Policy action to change a user’s security policy assignment. This action allows flexibility to change a user’s security policy without the need to create a new user account. You can change a security policy with a Password or Single-Sign On (SSO) authentication type and Cross-Domain security policies.
The following security policy conversions are allowed:
- Password/SSO to Cross-Domain
- Password/SSO to VeevaID
- Cross-Domain to Password/SSO
If the user is logged into Vault when the security policy change occurs, the new security policy applies the next time they log in. If the user is in a delegated session, the new security policy applies when the delegate session ends.
Converting a Password/SSO security policy to Cross-Domain or VeevaID fails if the user exists as an active or inactive Cross-Domain user in other Vault domains. This behavior prevents executing security policy conversions that may impact users on other Vault domains than the initiating Vault domain.
Converting a User’s Security Policy
To begin changing a user’s security policy, navigate to Admin > Users & Groups > [User] > Actions > Convert Security Policy.
How to Convert Password/SSO to Cross-Domain
To convert a security policy with a Password or Single-Sign On authentication type to Cross-Domain:
- In the Convert Security Policy dialog, select Cross-Domain Security Policy from the New Security Policy drop-down.
- Enter the user’s New User Name. The New User Name must match the user’s home domain User Name. The email address must also match the user’s home domain email address. In addition, the User Name cannot be a duplicate of another user on the home domain.
- Click Save.
- Click Continue in the Confirm Security Policy Update dialog.
A green success banner displays stating that the security policy was updated and the user received an email notification. If the security policy conversion updates the user’s email address, they will receive a notification on their previous and new email address.
How to Convert Password/SSO to VeevaID
To convert a security policy with a Password or Single-Sign On authentication type to VeevaID:
- In the Convert Security Policy dialog, select VeevaID from the New Security Policy drop-down.
- Enter the user’s New User Name. The New User Name must match an existing, active VeevaID user name. The user’s email address must also match the VeevaID user’s email address. In addition, the user name cannot already be associated with another user.
- Click Validate. If no errors are returned, the dialog displays the VeevaID user’s First Name, Last Name, and Language for identity verification purposes.
- Click Save.
- Click Continue in the Confirm Security Policy Update dialog. You cannot undo this action.
A green success banner displays stating that the security policy was updated and the user received an email notification. If the security policy conversion updates the user’s email address, they will receive a notification on their previous and new email address.
How to Convert Cross-Domain to Password/SSO
To convert a Cross-Domain security policy to a security policy with a Password or Single-Sign On authentication type:
- In the Convert Security Policy dialog, select the Password/SSO security policy from the New Security Policy drop-down.
- Enter the user’s New User Name. You are not required to enter the domain portion of the email address as the security policy will exist on the current Vault domain.
- Click Save.
- Click Continue in the Confirm Security Policy Update dialog.
A green success banner displays stating that the security policy was updated and the user received an email notification. If the security policy’s authentication type is set to Password, a welcome email is not sent to the user. You can send the welcome email manually as needed.
Limits
The following limits apply when converting a user’s security policy assignment:
- You cannot convert a VeevaID security policy to any other security policy.
- You cannot convert a Cross-Domain security policy to VeevaID. However, you can convert a Cross-Domain security policy to a Password or Single-Sign On security policy, and then convert the user to the VeevaID security policy.
- You cannot assign a VeevaID security policy to a Domain Admin.
- You cannot perform the Convert Security Policy action in bulk.
Related Permissions
The following permissions control your ability to use the Convert Security Policy action:
| Type | Permission Label | Controls |
|---|---|---|
| Security Profile | Objects: User: Edit | Controls the ability to edit User object records |
| Security Profile | Objects: User: Object Action Permissions: Convert Security Policy: View, Execute | Controls the ability to view and use the Convert Security Policy action |
| Security Profile | Admin: Security: Users: Manage User Object | Controls ability to create, modify, and add User object records |
| Security Profile | Admin: Security: Users: Add Cross-Domain Users | Controls ability to convert a security policy to Cross-Domain |