# About Dynamic Access Control for Objects

Dynamic Access Control (DAC) is an access control model for object records, which automates the assignment of users to the records' _Viewer_, _Editor_, and _Owner_ roles through "Matching Sharing Rules" and/or "Custom Sharing Rules." DAC provides object record-level security.

Matching Sharing Rules are simple to set up and require less maintenance; you can use these rules to make the majority of your organization's role assignments. Custom Sharing Rules require more maintenance but are useful for providing overrides in specific scenarios.

Your organization can enable both Matching and Custom Sharing Rules individually for specific objects. Using these features, you can provide object record-level access control for some objects, while other objects continue to use object-level access control through permission sets.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: When implementing any custom security or access control, Admins should perform UAT (User Acceptance Testing) before making changes on a production site. Some changes can affect application-specific functionality in ways that make Vault difficult to use.</p>
    </div>
  </div>
</div>



## Matching Sharing Rules {#matching-sharing-rules}

Matching Sharing Rules work like DAC for documents: Vault assigns users to roles on individual object records through membership in Auto Managed groups. In this setup, your organization controls role assignment by setting up rules and managing records in _User Role Setup_ objects. _User Role Setup_ records correspond to groups. A _User Role Setup_ record includes a user, a role, and several "matching" fields, which qualify the user's context for the role. Matching fields are fields that exist on both the _User Role Setup_ object and on the object you're securing, for example, _Country_ or _Product_.

Learn about [configuring Matching Sharing Rules](/en/lr/36122/).

## Custom Sharing Rules {#custom-sharing-rules}

When using Custom Sharing Rules for an object, Vault manages users' roles on specific object records by matching rule criteria to specific user assignments. For example, on _Marketing Campaign_ records where the _Agency_ is _DKI Direct_, _Gladys_ is an _Editor_ and _Thomas_ is an _Owner_.

Learn about [configuring Custom Sharing Rules](/en/lr/25494/).

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: In past versions, this functionality was called Dynamic Security. In V15, we renamed the feature. Custom Sharing Rules work in conjunction with Matching Sharing Rules to provide ways of controlling access that are manageable, robust, and agile.</p>
    </div>
  </div>
</div>



## Secure Sharing Settings {#secure_sharing_settings}

Secure sharing settings allow you to combine profile security and Atomic Security for actions to control users' access to [sharing settings](/en/lr/61279/) for each record, role, and lifecycle state. When enabled, you can control whether the **Sharing Settings** action is hidden, viewable (visible but not editable), or executable (users can add or remove direct role assignments). Vault also honors sharing settings security in the Vault API. Note that this option is disabled by default. When disabled, any user who can access an object record can view sharing settings, and users that can update an object record can add or remove role assignments from sharing settings.

### How to Enable Sharing Settings Security

  1. Navigate to **Admin** > **Configuration** > **Objects** > **[Object]** > **Details** > **Options**.
  2. Click **Edit**.
  3. Select the **Use Action security to control Sharing Settings** checkbox. You must select either **Enable Matching Sharing Rules** or **Enable Custom Sharing Rules** to display the checkbox. Once enabled, Vault allows you to configure security on the _Sharing Settings_ action.

### About the Secure Sharing Settings Action

When you enable the **Use Action security to control Sharing Settings** checkbox, Vault automatically creates the _Sharing Settings_ action on the applicable object. As with any other object action, you can secure sharing settings at two levels:

  * [**Profile Security**](/en/lr/43127/#ALS_profile_security): Allows you to control access to the _Sharing Settings_ action, with the _View_ and _Execute_ permissions, at the object level by the user's security profile. Vault automatically grants the _Execute_ permission on the object action if the permission set has the _Edit_ privilege on the object. If the object has the _Read_ permission, Vault automatically grants the _View_ permission on the action. You can further configure custom permission sets after enabling security on sharing settings.
  * [**Atomic Security**](/en/lr/47850/#Atomic_Security_Actions): Allows you to secure the _Sharing Settings_ action by individual lifecycle states, with the _Hide_, _View_, and _Execute_ permissions, and the ability to override settings for specific application roles.

### Known Issue

The following known issue affects configuring sharing settings security on objects with object types enabled:

When Vault creates the _Sharing Settings_ object action, Vault assigns the action only to the base object type. Navigate to **Admin** > **Configuration** > **Objects** > **Object Types** > **Actions** to assign the action to all object types.

## Replicate Sharing Settings

The [_Replicate sharing settings from parent object_](/en/lr/858058/) setting available on parent object reference fields allows you to pull any sharing settings available on a parent object to the child object. This includes sharing settings assigned through matching sharing rules, custom sharing rules, manual assignments, and Security Tree assignments. Enabling this setting deletes any existing sharing settings on the child object.

When enabled, the child object's _Details_ tab displays the text _Sharing settings replicated from Object_ in the _Dynamic Access Control_ field with a link to the _Sharing Rules_ tab on the parent object. This link is also available on the _Sharing Rules_ tab of the child object.

## Object Record Roles

When an object uses Dynamic Access Control, Vault introduces roles on the object records. These roles control the type of access a user has on the record. If your Vault uses Matching Sharing Rules, these roles map to _Application Role_ records with the same label.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Dynamic Access Control does not override security profiles and permission sets. Users must also have a security profile that grants the necessary object permissions, for example, <strong>Objects</strong> &gt; <strong>Marketing Campaign</strong> &gt; <strong>Read</strong> would control whether a user could view <em>Marketing Campaign</em> records.</p>
    </div>
  </div>
</div>



### Owner

The user who creates a record (after Dynamic Access Control is enabled) automatically gets this role. With this role, you can:

  * Assign additional users/groups to the _Owner_, _Editor_, or _Viewer_ roles through manual assignment
  * Remove users/groups from the _Owner_, _Editor_, or _Viewer_ roles by editing manual assignments
  * View and edit the object record details
  * Select the object record in a document field or when creating a relationship between two object records
  * Delete the object record

The only additional privilege _Owners_ have over _Editors_ is the ability to add/remove users from the _Owner_ role.

### Editor

Users must get the _Editor_ role through a sharing rule or through manual assignment. With this role, you can:

  * Assign additional users/groups to the _Editor_ or _Viewer_ roles through manual assignment
  * Remove users/groups from the _Editor_ or _Viewer_ roles through manual assignment
  * View and edit the object record details
  * Select the object record in a document field or when creating a relationship between two object records
  * Delete the object record

### Viewer

Users must get the _Viewer_ role through a sharing rule or through manual assignment. With this role, you can:

  * View the object record details
  * Select the object record in a document field or when creating a relationship between two object records

### Custom Role

When using Matching Sharing Rules or Custom Sharing Rules, Admins can [add more application roles](/en/lr/36440/) to the object.

The available actions for custom roles are based on the permission setup for the object:

  * **Read**: View the object record details and select the object record in a document field or when creating a relationship between two object records
  * **Edit**: Edit the object record details
  * **Delete**: Delete the object record

Users with a custom role can use manual assignments. Users with the _Editor_ or _Owner_ role can assign users to custom roles via manual assignment if the custom role is configured on the object lifecycle.

### No Role

Without a role, you cannot see the object record details, including details visible on the hovercard. You also cannot select the object record from a document field or when creating a relationship between two object records. If a document field would default to an object record that you can't access, Vault does not apply the default value. For example, Thomas does not have a role on the product _Nyaxa_. When he attempts to copy a _Nyaxa_ document and include the field values from the original document, the _Product_ field does not default to _Nyaxa_.

Dynamic Access Control does not prevent you from seeing documents or object records that link to the record you cannot view. For example, Gladys does not have a role on the product _CholeCap_ but does have _View Document_ access on several documents for that product. When she looks at those documents, she sees that the _Product_ field has _CholeCap_ selected.

These settings also do not change the behavior of filters and searches in document tabs. For example, Gladys could add the **Product** > **Generic Name** filter to **Library** and then filter on the value _chopredol_, even though that value is on the _CholeCap_ record.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Through hierarchical copy, users cannot copy child or grandchild records that they cannot view or create. When users copy the parent record, none of the child or grandchild records are copied unless they can view and create all of the child and grandchild records.</p>
    </div>
  </div>
</div>



### Roles & Access After Enablement

Immediately after enabling Matching or Custom Sharing Rules on an object, there will be no role assignments on the object records. At this point, only users with the **Vault Owner Actions** > **All Object Records** > **All Object Record Edit** permission can access records in order to manually assign access. By default, only the _Vault Owner_ security profile includes this permission. Make sure that the user enabling and configuring access control has the appropriate permissions.

## Role Assignments on Object Records {#role-assignment}

There are three ways users can get access to an object record:

  * **Matching Sharing Rules** assign an Auto Managed group (maintained via _User Role Setup_ records) to a role on any record where the record's matching field values align with the _User Role Setup_ record values.
  * **Custom Sharing Rules** define a query and assign specific users to roles on any record that meets the query criteria.
  * **Manual Assignment** allows a user with appropriate permissions to navigate directly to the record and add specific users/groups to roles on that record only.

## Manual Assignment {#manual-assignment}

When you enable DAC (through "Matching Sharing Rules" or "Custom Sharing Rules") for an object, users with the _Editor_ or _Owner_ role on an object record can manually share that record by adding another user to a role. Users with the _Edit_ permission on an object record can add or remove manual assignments for any standard or custom role configured in the object lifecycle. Note that users must be assigned to the _Owner_ role to add or remove an owner.

Users can never use manual assignment options to remove groups assigned through sharing rules.

You can manually assign users to object records in [sharing settings](/en/lr/61279/).
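The following is an added toy model (not Veeva's code) of how the three assignment paths above combine with permission sets and the manual-assignment rules in this section. The users, the _User Role Setup_ records, the custom rule, the permission sets and the campaign record are all constructed for illustration; Vault's real evaluation happens server-side.

```python
"""Toy model of Vault DAC role resolution (added example, not Veeva's code).
All users, records, rules and permission sets below are constructed."""

ROLE_RANK = {"Viewer": 1, "Editor": 2, "Owner": 3}

# Constructed User Role Setup records feeding Matching Sharing Rules:
# (user, role, matching fields whose values must equal the record's fields)
USER_ROLE_SETUP = [
    ("gladys", "Editor", {"Country": "US"}),
    ("thomas", "Viewer", {"Product": "CholeCap"}),
]
# Constructed Custom Sharing Rule: query criteria -> explicit user/role pairs
CUSTOM_RULES = [({"Agency": "DKI Direct"}, {"gladys": "Editor", "thomas": "Owner"})]
# Constructed permission sets (object-level security, which DAC never overrides)
PERMISSIONS = {"gladys": {"Read", "Edit", "Delete"}, "thomas": {"Read"}}
# Constructed Marketing Campaign record
CAMPAIGN = {"Country": "US", "Product": "CholeCap", "Agency": "DKI Direct"}

def matches(criteria, record):
    return all(record.get(k) == v for k, v in criteria.items())

def rule_roles(user, record):
    """Roles a user gets from sharing rules alone (manual assignments excluded)."""
    roles = {r for u, r, m in USER_ROLE_SETUP if u == user and matches(m, record)}
    roles |= {a[user] for c, a in CUSTOM_RULES if user in a and matches(c, record)}
    return roles

def effective_role(user, record, manual=None):
    """Highest role across sharing rules and manual assignments, or None."""
    roles = rule_roles(user, record) | ({manual[user]} if manual and user in manual else set())
    return max(roles, key=ROLE_RANK.get) if roles else None

def allowed_actions(user, record, manual=None):
    """DAC role intersected with the permission set: a role never widens it."""
    role, perms = effective_role(user, record, manual), PERMISSIONS.get(user, set())
    if role is None or "Read" not in perms:
        return set()
    actions = {"view"}
    if role != "Viewer" and "Edit" in perms:
        actions |= {"edit", "share"}
    if role != "Viewer" and "Delete" in perms:
        actions.add("delete")
    return actions

def can_change_manual(actor, record, target, role, manual=None):
    """Editors/Owners manage Editor and Viewer assignments, only Owners touch the
    Owner role, and a role granted by a sharing rule cannot be removed manually."""
    actor_role = effective_role(actor, record, manual)
    if actor_role not in ("Editor", "Owner") or (role == "Owner" and actor_role != "Owner"):
        return False
    return role not in rule_roles(target, record)
```

Thomas resolves to _Owner_ on the campaign through the custom rule, yet his permission set only grants _Read_, so he can still only view it; Gladys, an _Editor_, cannot add an _Owner_ and cannot strip Thomas of the _Viewer_ role his _User Role Setup_ record grants.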

## DAC Configuration for the User Object

Configuring DAC on the user object allows you to control access to user records and restrict user visibility by masking identifying details. With this setup, organizations working with partner organizations in a single Vault can control how Vault displays user information to users affiliated with different organizations.

Learn more about [Dynamic Access Control for the User Object](/en/lr/50511/).

### Viewing Record Sharing Settings

If you have access to view an object record, you can navigate from that record's details to its [**Sharing Settings**](/en/lr/61279/) page. On this page, you can see any role assignments that apply to the record.

