The Connection object allows you to create integrations locally, between Vaults, or with an external application. If you want to send Spark messages, you must also attach this connection to a queue.

Accessing Connection Administration

View and manage connections from Admin > Connections. You must have a security profile that grants the Application: Manage Connections permission to access this tab.

How to Create Connection Objects

To create a new connection:

  1. From the Connections page, click Create.
  2. Select a Connection Type, either Vault to Vault, External, or Local.
  3. Enter a Name for this connection.
  4. Enter an API Name for this connection. Only lowercase, alphanumeric characters and underscores (_) between characters are allowed.
  5. Fields after this will vary based on Connection Type. See each corresponding section for connection types below.

Vault to Vault Connections

The only required fields are Name and API Name. All remaining fields for this connection type are optional.

  1. Enter a Remote Vault ID. This is the ID of the Vault you want to exchange messages with. If this field has a value, only this Vault ID can upload the connection file and there is no Approval Workflow. If this field is omitted, the Approval Workflow begins when this connection is uploaded.
  2. Enter a Description for this connection.
  3. Select an Authorized Connection User. If the remote Vault needs to access information in this Vault, they will do so through this user.
  4. Under Remote Vault Details, you can enter information about the remote Vault. Similar to the Description field, these fields are for your personal reference only. After establishing a connection, these fields are automatically populated with relevant information.
  5. Click Save. The connection record is now in a Pending state. To make this connection active, you need to establish the connection.

External Connections

Options for external connections include:

  1. Optional: Enter a URL for this external connection. This URL must be in a valid HTTPS format including https://. Only the standard HTTPS port is allowed, for example, https://veeva.com:8443 is not allowed. If your Vault is configured with Vault Tokens or Custom Tokens, you can use them in the URL.
  2. Optional but recommended: Select an Authorization record for this external connection. If this connection needs to access data in the external application, Vault will do so through this Connection Authorization record. The external system must be configured to accept this header.
  3. Optional: Enter a Description for this connection.
  4. Optional but recommended: Add an Authorized Connection User for this connection. If the external application needs to access information in this Vault, they will do so through this user. If this user is not set, the external application can not create session tokens (SessionID) for your Vault. If Client ID Filtering is on, this user must match the user in the inbound API request.
  5. Click Save. The connection record is created in an Active state and is available for use immediately.
  6. Optional but recommended: After creating your Client Credential connection record, we recommend configuring a Client ID and using Client ID Filtering.

Connection Authorization Types

Choose the Connection Authorization type that corresponds to the type of authentication credentials that integration developers will pass in the message header for authentication on the external system.

  • Basic Auth (basic_auth__sys): The User Name (username__sys) and Password (password__sys) of the external system
  • Client Credential (client_credentials__sys): The Client ID (client_id__sys) and Client Secret (client_secret__sys) of the external system

Local Connections

The only required fields are Name and API Name. The remaining fields for this connection type are optional.

  1. Enter a Description for this connection.
  2. Add an Authorized Connection User for this connection. If your Vault needs to access information requiring user credentials, it will do so through this user. If this user is not set, you cannot access information requiring user credentials such as API calls.
  3. Click Save.

How to Establish a Vault to Vault Connection

To establish a connection between two Vaults:

  1. Create or navigate to a Vault to Vault Connection record in the source Vault.
  2. From the Actions menu, select Download Connection File.
  3. After reading the Download Connection File dialog, click Download.
  4. In the target Vault, navigate to Admin > Connections.
  5. From the Actions menu, select Connect from File.
  6. Click Choose and select the connection file you wish to upload.
  7. Click Continue.
  8. If the connection file included a Remote Vault ID, the connection is now established. Both connection records are now in an Active state.
  9. Optional: If the connection file does not include a Remote Vault ID, an Approval Workflow will begin in both Vaults. Navigate to the connection record and click Complete.
  10. Optional: In the dialog that appears, choose to Approve the connection. The connection record is now in the Approved State. Once both Vaults approve the connection, both records move to the Active state and the connection is established.

Managing Existing Connections

Depending on the Connection Type, there are various management options and related sections available for existing Connection records.

Details

The Details and Remote Vault Details sections contain information about this Connection. Most of these fields are editable. However, changing the API Name may break existing integrations with this connection.

Workflow Timeline

Connection object records must go through an approval workflow before the connection can enter the Approved lifecycle state. Once approved, this section holds read-only information about the approval, such as the time and user who completed the approval task.

For External and Local connections, this section is blank as approval is not required.

Integrations

Connection records can have multiple Integrations associated with them. You can turn an integration on or off by setting the Status to Active or Inactive, respectively.

From this section, you can also create custom integrations. Learn more about integrations for Vault to Vault Connections.

Reference Lookups

Reference Lookups allow you to set the value of a field in the remote Vault indirectly from a VQL query to the source Vault, using a lookup. For example, you can indicate that the country__v value “U.S.” in the source Vault is equivalent to “United States” in the remote Vault.

Learn more about creating Reference Lookups for Vault to Vault Connections.

Connection Client

The Connection Client section allows you to create and update approved Client IDs for this connection. By default, each connection has a client ID in the format veeva-vault-{connection api_name__sys}, but you can update this value, inactivate it, or add new values.

We recommend using client IDs with inbound External Connections in conjunction with Client ID Filtering.

Connection Stats

The Connection Stats section displays daily performance metrics for this connection, including the number of Spark messages sent or received and the number of failures, retries, timeouts, and fatal errors.

Managing Signing Certificates

Vault uses signing certificates to sign all outbound Spark messages. All Vaults use the same signing certificate which is renewed every three years. Once the new certificate is released, Vault automatically updates all connections to use the new certificate and notifies customers ahead of time about the upcoming certificate rollover. The previous certificate is still available for a period of time known as the rollover period. During this time, you can switch between new and previous certificates if needed. Once the rollover period passes, the new certificate becomes the only active certificate on the connection.

Vault immediately uses the selected signing certificate on the connection to sign all outbound Spark messages sent through the connection.

To manage Spark messaging signing certificates:

  1. Create or navigate to a Connection record.
  2. From the Actions menu, select Manage Signing Certificate.
  3. From the Manage Signing Certificate dialog, select the checkbox next to the applicable certificate. If the current certificate is the only one available, the certificate is read-only and you can either download the certificate or cancel the action. If two certificates are available, you are in the rollover period. Use the new certificate if possible. See Vault SSL Certificates for more information.
  4. Optional: To download, click the download icon next to the applicable certificate.
  5. Click Save to make the selected certificate active to use for Spark messaging.

How to Delete a Connection

To delete a connection, select Delete from the Actions menu. Note that you cannot delete a connection referenced by a queue. You also cannot delete standard, system-managed connections, but you can reconnect them to a different Vault.

If you delete an established Vault to Vault connection, the Connection record in the remote Vault moves to the Disconnected state, and Vault deletes all associated Connection Stats.

Standard Vault Connections

Standard, system-managed connections are available between Vault applications to support specific business processes. These connections use the Application Owner as the default Authorized Connection User. You can also reconnect existing standard connections to a different Vault.

Quality-LIMS

This Vault Connection automatically transfers Batch, Related Batch, Material, Related Material, Product, Product Family, Product Variant, Product Marketed, Organization, Asset Family, and Asset data from Quality Vaults to LIMS Vaults and syncs documents between them. See details about the Quality-LIMS Vault Connection.

Safety-Clinical Operations

This Vault Connection automatically transfers Study, Study Country, and Study Registration data from Clinical Operations Vaults to Safety Vaults and transfers Safety Letters from Safety Vaults to Clinical Operations Vaults. See details about the Safety-Clinical Operations Vault Connection.

Safety-EDC

This Vault Connection between a CDMS Vault and a Safety Vault automates the transfer of serious adverse event (SAE) data from a CDMS Vault to a Safety Vault for Case processing and reporting. See details about the Safety-EDC Vault Connection.

Medical-Safety

This Vault Connection between MedInquiry and a Safety Vault transfers Adverse Event data such as patient, reporter, product, and event information from MedInquiry to Vault Safety for Case processing and reporting. See details about the Medical-Safety Vault Connection.

Safety-RIM

This Vault Connection automatically transfers Product Family, Product, Product Variant, Product Trade Name, Substance, Product Registration, and other records from RIM to Vault Safety. See details about the Safety-RIM Vault Connection.

Quality to RIM: Change Control & Variation Management

This Vault Connection between a Quality QMS Vault and a RIM Registrations Vault automates data sharing between the two applications, supporting change control initiation, regulatory assessment, and close out. See details about the Quality to RIM Vault Connection.

RIM to Clinical Operations

This Vault Connection between a Clinical Operations eTMF Vault and a RIM Submissions Vault automates data sharing between the two applications, supporting automatic transfer of Product, Study, and Site data and documents. See details about the RIM to Clinical Operations Vault Connection.

Clinical Operations to CDMS

This Spark messaging connection allows for the exchange of Studies, Study Countries, and Sites from Clinical Operations CTMS Vaults to CDMS EDC Vaults, and the exchange of Subjects, Subject Visits, and Visit Definitions from CTMS Vaults to EDC Vaults.

Study Training to Clinical Operations

This Vault Connection automatically transfers data and documents from the Clinical Operations Vault to a Study Training Vault. This connection transfers Study, Study Country, Study Site, Study Person, Person, Organization, and domain User information across Vaults and automates CrossLink document creation and up-versioning.

Quality to Clinical Operations: Study Transfer

Organizations using both a Clinical Operations Vault and a Quality Vault can utilize a connection between the two Vaults to automatically transfer Study data from Clinical Operations to Quality. This connection transfers Study, Study Country, and Study Site information across Vaults.

RIM to PromoMats

Organizations using both a RIM Submissions Vault and a PromoMats Vault can utilize the Spark messaging framework to create a standard Vault to Vault connection. This connection transfers Application, Submission, and Compliance Package information across Vaults and automates the creation and updating of CrossLink documents. See details about the RIM to PromoMats Vault Connection.

PromoMats - Medical

Organizations using both a PromoMats Vault and a Medical Vault can utilize the Spark messaging framework to create a standard Vault to Vault connection. This connection transfers documents across Vaults, such as medical literature references or labeling documents, and automates the creation and updating of CrossLink documents and anchors. See details about the PromoMats - Medical Vault Connection.

Standard Vault to Vault Connection Limitations

When you configure any of the standard Vault to Vault connections, errors may occur in the following situations:

  • If a user deletes a record that either side of the connection was using, Vault ceases to update connected records with no notification.
  • If a user manually updates one of the ID fields on a record used by either side of the connection, Vault may fail to process Spark messages and update connected records.
  • If configuration change on either side of the connection may impact the integration, such as changes to fields or picklists, Vault may fail to process Spark messages and update connected records.

Connections & Sandbox Vaults

When you create or refresh a sandbox Vault, all Active external connections except those with tokens in the URL are set to Inactive, and all Active Vault to Vault connections are set to Pending. Local connections remain as Active.

External connections with tokens in the URL retain the URL value and Active or Inactive state of the parent Vault in newly created or refreshed sandboxes.

To make external connections active again, you must re-enter the connection URL. To make Vault to Vault connections active again, you must re-establish the connection as described below.

Re-Establishing a Vault to Vault Connection

During sandbox creation or refresh, all Active Vault to Vault connections are set to Pending. The corresponding connection in the remote Vault remains in an Active state.

To re-establish a Vault to Vault connection, you must re-download the connection file in the source Vault, re-upload the connection file in the target Vault, and approve the connection.

To re-establish this connection:

  1. Navigate to Admin > Connections in the source Vault. The source Vault is the Vault which initiates the connection request.
  2. Find the Vault to Vault connection you wish to re-establish.
  3. If the connection record is in an Active state, open the Actions menu and select Reset Connection.
  4. After reading the Reset Connection dialog, select Continue.
  5. Optional: If you know the ID of the target Vault, enter it in the Remote Vault ID field. The target Vault is the Vault your source Vault will connect to. If you leave this field blank, establishing the connection will require an approval workflow.
  6. From the Actions menu, select Download Connection File.
  7. After reading the Download Connection File dialog, click Download.
  8. In the target Vault, navigate to Admin > Connections. The target Vault is the Vault which accepts the connection request.
  9. Find the Vault to Vault connection you wish to re-establish.
  10. From the Actions menu, select Connect from File.
  11. Click Choose and select the connection file downloaded from the source Vault.
  12. Click Continue.
  13. If the connection file included a Remote Vault ID, the connection is now re-established. Both connection records are now in an Active state.
  14. If the connection file does not include a Remote Vault ID, an Approval Workflow will begin in both Vaults. In both the source and target Vault, navigate to the connection record details page and click Complete.

In the dialog that appears, choose to Approve the connection. The connection record is now in the Approved State. Once both Vaults approve the connection, both records move to the Active state and the connection is re-established.

Uploading a Vault to Vault connection file without a Remote Vault ID starts an Approval Workflow, so this user must have the Workflow: Start permission.