Dynamic Access Control (DAC) is an access control model for object records, which automates the assignment of users to the records’ Viewer, Editor, and Owner roles through “Matching Sharing Rules” and/or “Custom Sharing Rules.” DAC provides object record-level security.

Matching Sharing Rules are simple to set up and require less maintenance; you can use these rules to make the majority of your organization’s role assignments. Custom Sharing Rules require more maintenance but are useful for providing overrides in specific scenarios.

Your organization can enable both Matching and Custom Sharing Rules individually for specific objects. Using these features, you can provide object record-level access control for some objects, while other objects continue to use object-level access control through permission sets.

Matching Sharing Rules

Matching Sharing Rules work like DAC for documents: Vault assigns users to roles on individual object records through membership in Auto Managed groups. In this setup, your organization controls role assignment by setting up rules and managing records in User Role Setup objects. User Role Setup records correspond to groups. A User Role Setup record includes a user, a role, and several “matching” fields, which qualify the user’s context for the role. Matching fields are fields that exist on both the User Role Setup object and on the object you’re securing, for example, Country or Product.

Learn about configuring Matching Sharing Rules.

Custom Sharing Rules

When using Custom Sharing Rules for an object, Vault manages users’ roles on specific object records by matching rule criteria to specific user assignments. For example, on Marketing Campaign records where the Agency is DKI Direct, Gladys is an Editor and Thomas is an Owner.

Learn about configuring Custom Sharing Rules.

Secure Sharing Settings

Secure sharing settings allow you to combine profile security and Atomic Security for actions to control users’ access to sharing settings for each record, role, and lifecycle state. When enabled, you can control whether the Sharing Settings action is hidden, viewable (visible but not editable), or executable (users can add or remove direct role assignments). Vault also honors sharing settings security in the API. Note that this option is disabled by default. When disabled, any user who can access an object record can view sharing settings, and users who can update an object record can add or remove role assignments from sharing settings.

How to Enable Sharing Settings Security

  1. Navigate to Admin > Configuration > Objects > [Object] > Options.
  2. Select the “Use Action security to control Sharing Settings” checkbox. Note that either “Enable Matching Sharing Rules” or “Enable Custom Sharing Rules” must be selected to display the checkbox. Once enabled, Vault allows you to configure security on the Sharing Settings action.

About the Secure Sharing Settings Action

When you enable the “Use Action security to control Sharing Settings” checkbox, Vault automatically creates the Sharing Settings action on the applicable object. Like configuring security for any other object action, you can secure sharing settings at two (2) levels:

  • Profile Security: Allows you to control access to the Sharing Settings action, with the View and Execute permissions, at the object level by the user’s security profile. Vault automatically grants the Execute permission on the object action if the permission set has the Edit privilege on the object. If the object has the Read permission, Vault automatically grants the View permission on the action. You can further configure custom permission sets after enabling security on sharing settings.
  • Atomic Security: Allows you to secure the Sharing Settings action by individual lifecycle states, with the Hide, View, and Execute permissions, and the ability to override settings for specific application roles.

Known Issue

The following known issue affects configuring sharing settings security on objects with object types enabled:

When Vault creates the Sharing Settings object action, Vault assigns the action only to the base object type. Navigate to Admin > Configuration > Objects > Object Types > Actions to assign the action to all object types.

Object Record Roles

When an object uses Dynamic Access Control, Vault introduces roles on the object records. These roles control the type of access a user has on the record. If your Vault uses Matching Sharing Rules, these roles map to Application Role records with the same label.

Owner

The user who creates a record (after Dynamic Access Control is enabled) automatically gets this role. With this role, you can:

  • Assign additional users/groups to the Owner, Editor, or Viewer roles through manual assignment
  • Remove users/groups from the Owner, Editor, or Viewer roles by editing manual assignments
  • View and edit the object record details
  • Select the object record in a document field or when creating a relationship between two object records
  • Delete the object record

The only additional privilege Owners have over Editors is the ability to add/remove users from the Owner role.

Editor

Users must get the Editor role through a sharing rule or through manual assignment. With this role, you can:

  • Assign additional users/groups to the Editor or Viewer roles through manual assignment
  • Remove users/groups from the Editor or Viewer roles through manual assignment
  • View and edit the object record details
  • Select the object record in a document field or when creating a relationship between two object records
  • Delete the object record

Viewer

Users must get the Viewer role through a sharing rule or through manual assignment. With this role, you can:

  • View the object record details
  • Select the object record in a document field or when creating a relationship between two object records

Custom Role

When using Matching Sharing Rules or Custom Sharing Rules, Admins can add more application roles to the object.

The available actions for custom roles are based on the permission setup for the object:

  • Read: View the object record details and select the object record in a document field or when creating a relationship between two object records
  • Edit: Edit the object record details
  • Delete: Delete the object record

Users with a custom role cannot use manual assignment. Users with the Editor or Owner role cannot assign users to custom roles via manual assignment.

No Role

Without a role, you cannot see the object record details, including details visible on the hovercard. You also cannot select the object record from a document field or when creating a relationship between two object records. If a document field would default to an object record that you can’t access, Vault does not apply the default value. For example, Thomas does not have a role on the product Nyaxa. When he attempts to copy a Nyaxa document and include the field values from the original document, the Product field does not default to Nyaxa.

Dynamic Access Control does not prevent you from seeing documents or object records that link to the record you cannot view. For example, Gladys does not have a role on the product CholeCap, but does have View Document access on several documents for that product. When she looks at those documents, she sees that the Product field has CholeCap selected.

These settings also do not change the behavior of filters and searches in document tabs. For example, Gladys could add the Product > Generic Name filter to Library and then filter on the value chopredol, even though that value is on the CholeCap product record.

Roles & Access After Enablement

Immediately after enabling Matching or Custom Sharing Rules on an object, there will be no role assignments on the object records. At this point, only users with the Vault Owner Actions > All Object Records > All Object Record Edit permission can access records in order to manually assign access. By default, only the Vault Owner security profile includes this permission. Make sure that the user enabling and configuring access control has the appropriate permissions.

Role Assignments on Object Records

There are three ways users can get access to an object record:

  • Matching Sharing Rules assign an Auto Managed group (maintained via User Role Setup records) to a role on any record where the record’s matching field values align with the User Role Setup record values.
  • Custom Sharing Rules define a query and assign specific users to roles on any record that meets the query criteria.
  • Manual Assignment allows a user with appropriate permissions to navigate directly to the record and add specific users/groups to roles on that record only.
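
A small Python model of the three assignment paths listed above, added here as an illustration and not Vault code or a Vault API. The class names, field names, the user Olivia and the sample records are constructed, and it assumes a rule aligns when every field it names equals the record's value. It reports each user's roles on a record together with the source that granted them, which is the view an access review needs.

```python
from dataclasses import dataclass

# Capabilities of the standard roles as listed under "Object Record Roles".
# Custom roles are left out: their actions depend on the object's permission setup.
ROLE_CAPS = {
    "Owner": {"view", "edit", "delete", "share", "manage_owners"},
    "Editor": {"view", "edit", "delete", "share"},
    "Viewer": {"view"},
}

@dataclass
class UserRoleSetup:      # Matching Sharing Rules input: user, role, matching fields
    user: str
    role: str
    matching: dict

@dataclass
class CustomRule:         # Custom Sharing Rule: record criteria -> user/role pairs
    criteria: dict
    assignments: dict

def aligned(criteria, record):
    # Assumption: a rule aligns when every field it names equals the record's value.
    return all(record.get(k) == v for k, v in criteria.items())

def effective_roles(record, urs_records, custom_rules, manual):
    """Return {user: {(role, source), ...}} for one object record."""
    out = {}
    for urs in urs_records:
        if aligned(urs.matching, record):
            out.setdefault(urs.user, set()).add((urs.role, "matching"))
    for rule in custom_rules:
        if aligned(rule.criteria, record):
            for user, role in rule.assignments.items():
                out.setdefault(user, set()).add((role, "custom"))
    for user, role in manual.get(record["id"], {}).items():
        out.setdefault(user, set()).add((role, "manual"))
    return out

def capabilities(user, roles):
    """Union of the capabilities of every role the user holds on the record."""
    return set().union(*(ROLE_CAPS.get(r, set()) for r, _ in roles.get(user, ())))

# Constructed sample data, reusing the page's Marketing Campaign example.
RECORD = {"id": "MC-1", "agency": "DKI Direct", "country": "US"}
OTHER = {"id": "MC-2", "agency": "Other Agency", "country": "FR"}
URS = [UserRoleSetup("Olivia", "Viewer", {"country": "US"})]
RULES = [CustomRule({"agency": "DKI Direct"}, {"Gladys": "Editor", "Thomas": "Owner"})]
MANUAL = {"MC-1": {"Olivia": "Editor"}}
```

A record for which `effective_roles` returns an empty mapping, such as `OTHER` here, is in the same state as every record immediately after enablement: reachable only by users holding the All Object Record Edit permission.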

Manual Assignment

When you enable DAC (through “Matching Sharing Rules” or “Custom Sharing Rules”) for an object, users with the Editor or Owner role on an object record can manually share that record by adding another user to a role. Users with the Edit permission on an object record can add or remove manual assignments for any standard or custom role configured in the object lifecycle. Note that users must be assigned to the Owner role to add or remove an owner.

Users can never use manual assignment options to remove groups assigned through sharing rules.

You can manually assign users to object records in sharing settings.

DAC Configuration for the User Object

Configuring DAC on the user object allows you to control access to user records and restrict user visibility by masking identifying details. With this setup, organizations working with partner organizations in a single Vault can control how Vault displays user information to users affiliated with different organizations.

Learn more about Dynamic Access Control for the User Object.

Viewing Record Sharing Settings

If you have access to view an object record, you can navigate from that record’s details to its Sharing Settings page. On this page, you can see any role assignments that apply to the record.