# About License Types & Security Profiles In Vault, each user has an assigned license type and security profile. Each security profile has one or more permission sets. The license type is the first level of access control that Vault applies to a user. Permission sets, applied through the user's security profile, are the second level of access control. Both the license type and permission set must grant access to a user in order for that user to access the functionality. Other access control for a user is based on the user's role permissions on a specific document, document type settings , and dynamic access control settings for individual object records. Admins must have a permission set that grants the _Admin: Users: Edit_ permission to change a user's license type or security profile .
## License Types {#license-types} Vault includes _Full User_, _Read-only User_, _External User_, _Portal User_, _Site User_, and _Learner_ license types. Full User : _Full Users_ are the most common license type. Their license type does not block access to any functionality; these may be regular users or administrators. This is the only license type that allows a user to access Admin functionality. This license type also grants users access to Vault file staging. While system-owned users operate with _Full User_ licenses, they are not included in license counts. Read-only User : _Read-only Users_ have extremely limited access. They cannot access reports or dashboards (though they can receive flash report emails), edit documents, binders, or object records, initiate workflows, or access the **Admin** or **Business Admin** tab collections. They can sign Read & Understood workflow tasks, but cannot otherwise participate in workflows. With the required permissions, Read-only Users can view documents, including document field values and audit trails. They can view and download source files and renditions, but cannot download non-protected renditions without any configured security settings or protection applied. They can also review object records, but not via the **Business Admin** tab collection. They cannot view the Lifecycle Stages Chevron panel on the Doc Info page or object record detail page. In Vaults that use Document Archive, Read-only Users cannot access the **Archive** tab. External User : _External Users_ are users outside your company who have slightly limited access; these users have most functionality, but Vault prevents them from accessing reports or dashboards (though they can receive flash report emails), using bulk document action, or creating CrossLink documents. With the required permissions, they can access the **Business Admin** tab collection, but can only view object record lists, and they can manage anchors on a document. Note that External User accounts must use an email address with a different domain from the Vault's domain. This license type also grants users access to Vault file staging. Portal User : _Portal Users_ (eTMF only) have slightly limited access; they have most functionality, but cannot access Admin, use reports and dashboards, or see configured custom tabs. When creating documents or using the Study Selector, they can only see _Study_, _Study Country_, _Study Site_, and _Product_ records to which an Admin has granted them access. In order to prevent them from seeing information about other sites, the search suggestion feature is not enabled for these users. Site User : _Site Users_ (Clinical Operations only) have access to a tailored Vault homepage, and benefit from Site User privacy controls. Other Vault access is determined by the selected security profile. Note that this license type is not available in new implementations. Veeva Site Connect provides similar functionality, enabling sponsors and CROs on Clinical Operations Vaults to securely exchange documents, document requests, and data with sites on SiteVault Vaults. Learner : _Learners_ (Veeva Training only) have significantly limited access. These users can view documents and complete training assignments. ## Application Licensing {#application-license} Some Vaults use multiple applications, for example, a RIM Vault with Submissions and Registrations. In these Vaults, users have a license value for each application they can access. Application licensing lets the system track available licenses at the application level but does not control a user's access in most Vaults. A single user assigned to three applications will use three application licenses, not one. Some license values may be unavailable depending on the application.
### Creating Users with Application Licenses When creating and editing users in Vaults that use application licensing, the _License Type_ field is not visible on the object record details page but is visible in the _User_ object list view. Vault sets the _License Type_ based on the most permissive value set by the application licensing. For example, if the most permissive application license value a user has is _Read-Only_, Vault sets the _License Type_ to _Read-Only_ and applies the [limitations][2] associated with that license type.
### Medical Application Licenses | Application | Valid License Values | | --- | --- | | MedComms | Full User, External User, Read Only User | | MedInquiry | Full User, Read Only User | | Multichannel | Full User, External User, Read Only User | ### PromoMats Application Licenses | Application | Valid License Values | | --- | --- | | PromoMats | Full User, External User, Read Only User | | Multichannel | Full User, External User, Read Only User | ### Quality Application Licenses The table below lists the license values available depending on the Quality Suite application: | Application | Valid License Values | | --- | --- | | QualityDocs | Full User, External User, Read Only User | | Veeva Training | Full User, External User, Learner User | | Veeva Study Training | Full User, External User, Learner User | | Station Manager | Full User | | QMS | Full User, External User | | Vault Product Surveillance | Full User, External User | | Validation Management | Full User, External User | | Batch Release | Full User | | HACCP | Full User | ### QualityOne Application Licenses The table below lists the license values available depending on the QualityOne Suite application: | Application | Valid License Values | | --- | --- | | Document Control | Full User, External User, Read-only User | | QMS | Full User, *Lite User, External User | | HACCP | Full User, *Lite User | | HSE | Full User, *Lite User | | Training | Full User, External User, Learner User |
### RIM Application Licenses The table below lists the license values available depending on the RIM Suite application: | Application | Valid License Values | | --- | --- | | Registrations | Full User | | Submissions | Full User, External User, Read Only User | | Submissions Archive | Full User | | Submissions Publishing | Full User | ### Safety Application Licenses The table below lists the license values available depending on the Vault Safety application: | Application | Valid License Values | | --- | --- | | Safety Management | Full User | | SafetyDocs | Full User, External User, Read Only User | | Signal | Full User | | Workbench | Full User | ### RegulatoryOne & Veeva Claims Application Licenses The table below lists the license values available depending on the RegulatoryOne Suite application: | Application | Valid License Values | | --- | --- | | Compliance | Full User, *Lite User | | Registration & Dossier Management | Full User, *Lite User | | Regulatory Documents | Full User, External User, Read-only User | | Claims | Full User, External User, Read-only User |
### License Exception Summary {#license-exception-summary} The license exception summary assists Admins with identifying users with invalid application licenses and interpreting warning messages resulting from users attempting to access objects and tabs that are not part of their assigned license. The [downloaded][1] license exception summary lists users with one or more exceptions and is ordered by who has the most recent license exceptions. The summary logs the following exceptions for each user, including the date and time of the exception: * **Last License Type Exception**: Occurs when the value for a user's _License Type_ field is more permissive than the assigned application license values. For example, if a user has a _License Type_ of _Full User_ but is assigned _Read-Only_ for all applications, their _License Type_ should be _Read-Only_. * **{Application Name} - Last License Exception**: Occurs when a user selects an incorrect license value for an application. For example, "QualityOne: QMS - Last License Exception" will appear in the summary if a QMS user is assigned a _Read-Only_ license value. * **{Application Name} - Last Object or Tab Exception**: Occurs when a user accesses an object or tab not permitted by their application license. The summary includes details of the last three object exceptions and three tab exceptions. Vault refreshes license type exceptions within the summary every 12 hours at 01:10 GMT and 12:10 GMT. The summary captures object and tab exceptions every four hours. Vault does not update the summary unless a new exception is found. Regardless, Vault does not clear previously logged exceptions from the report. #### Downloading the License Exception Summary {#download-summary} To download your Vault's most recent summary, navigate to **Admin > About > Vault Information** and click **Download Exception Summary** under the _License Exceptions_ section. Next to the hyperlink, Vault displays the last date and time an exception was detected. The hyperlink is not available if Vault does not detect any exceptions. #### License Exception Warnings Vault informs users of object or tab exception warnings in the form of warning banners. A user will encounter a warning banner if they attempt to view, create, or delete an object record or view a tab not permitted by their application license. If a user edits the configuration of an object not permitted by their application license, this exception is only visible in the license exception summary. If a user encounters a warning banner, you should either update their application licensing to ensure they have access to the object or tab, or update the user's security profile and permission sets to remove objects and tabs they don't need access to. ## Security Profiles {#SecurityProfiles} Security profiles are how Vault applies permission sets to individual users. Each profile has one or more associated permission sets. ### Standard Security Profiles & Permission Sets Vault includes several standard security profiles and associated permission sets. Each of these corresponds to a Vault user type from the previous releases and grants the same access as the user type. These are not editable, but Admins may disable them if needed. | Security Profile | Permission Set | Description | | --- | --- | ------ | | _Document User_ | _Full User Actions_ | This profile grants full non-administrator application access (reports, workflows, etc.), but does not grant access to the **Admin** tab collection or to administrator actions (bulk update, merge anchors, create CrossLinks, etc.) in the **Vault** area. | | _Read-Only User_ | _Read-Only User Actions_ | Permissions for this profile align with the _Read-only Users_ license type access. | | _External User_ | _External User Actions_ | Permissions for this profile align with the _External User_ license type access. | | _Business Administrator_ | _Business Administrator Actions_ | This profile grants "read" access to most parts of the **Business Admin** tab collection, edit access to some areas (create/edit/delete overlays, assign users to groups, etc.), and full access to all object records. The profile provides access many of the administrator actions in the **Vault** area (bulk update, merge anchors, create CrossLinks, etc.), but prevents access to some actions (cancel checkout, make saved views mandatory, "Vault Owner Actions," etc). | | _System Administrator_ | _System Administrator Actions_ | This profile grants "read" access to all of the **Admin** tab collection, edit access to all areas except **Security Settings**, and full access to all object records. The profile provides access to all of the administrator actions in the **Vault** area except those under "Vault Owner Actions" (All Document Read, Power Delete, etc.). | | _Vault Owner_ | _Vault Owner Actions_ | This profile grants edit access to all of the **Admin** tab collection (including domain settings) and full access to all object records. (Users must also have the **Domain Admin** user profile setting to manage domain settings.) The profile provides access to all of the administrator actions in the **Vault** area including those under "Vault Owner Actions" (All Document Read, Power Delete, etc.). | | _Legal User_ | _Legal Actions_ | This profile grants read, create, edit, and delete permission to records in the Legal Hold object. Users with this profile can apply and remove legal holds on documents. Users with this profile must have document role permissions to perform _Legal Actions_. | | _Portal Experience User_ | _Portal Experience User Actions_ | This profile grants users the ability to access a Brand Portal without requiring additional access to Vault or in-depth Vault training. Users with this security profile only see Brand Portals and have no other access to or permissions in Vault. This is only available for PromoMats and MedComms Vaults. | | _External IIS User_ | _IIS External User Actions_ | This profile grants the ability to view, create, and edit _Investigator Initiated Study_ records and to view IIS related records and documents. This is only available for Clinical Operations Vaults. | | _Configuration Only_ | _Configuration Only Actions_ | This profile grants full access to configuration tasks in the **Admin** tab collection, such as _Email Settings_, _Picklists_, and _Searchable Object Fields_ (all other access is restricted, such as document, object, and domain audit logs), application access (such as reports, workflows, and API) except _Vault Owner Actions_, objects that support configuration tasks (such as _Answer Library Design_, _Application Role_, and _Language_), and access to the **Home**, **Library**, and **Loader** tabs. This profile also grants read access to the **Settings** and **About** tabs in the **Admin** tab collection, and all Web API groups. | [1]: #download-summary [2]: #license-types