# Defining Allowed & Default Users for Document Lifecycle Roles

For both standard and custom document lifecycle roles, you can define a subset of users who are allowed in the role and define users that Vault automatically assigns to the role at document creation or when a workflow starts. You can also override the allowed users and default users settings based on standard object-type document fields like _Product_ and _Study_.



<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: 
The options mentioned in this article only support documents created in the Vault UI, and not documents created via Vault API or Vault Java SDK. For roles using DAC, see <a href="/en/lr/33946/">About Dynamic Access Control for Objects</a>.</p>
    </div>
  </div>
</div>



## Accessing Allowed & Default Users

You can set up allowed and default users from **Admin > Configuration > Document Lifecycles > [Lifecycle] > Roles > [Role] > Default Rule** tab. To define overrides to the allowed and default users rules, open the **Override Rules** tab. Note that if your Vault has more than 1,000 rules configured on the **Override Rules** tab, you will need to use the export option to view the rules. The maximum number of allowed override rules is 50,000.

To configure roles, your security profile must grant you the _Document Lifecycles: Edit_ permission.

## How to Define Allowed & Default Users {#defineAllowed}

To define allowed users or groups for a role:

1. From the **Default Rule** tab, click **Edit**.
2. Add users or groups to the list by clicking **Add** and entering the user/group name or using the picklist. You may need to start typing the user's name in the selection field to find the correct option. Repeat as many times as needed to add more allowed users/groups.
3. Optional: If you want Vault to assign the user/group to the role automatically, set the **Default User** checkbox. The **Details** tab has a setting to control when Vault will assign default users.
4. Click **Save** at the bottom of the page to save changes.

## How to Override Allowed & Default Users {#override}



<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: 
We recommend configuring <a href="/en/lr/31824/">Dynamic Access Control</a> rather than role overrides.</p>
    </div>
  </div>
</div>



To override the allowed users and/or default users for a role:

1. From the **Override Rules** tab, click **Edit**.
2. Click **Add** to open the **Define Override Rule**.
3. Under **Define Condition**, select an object field and value. Currently, only standard object fields (_Product_, _Study_, etc.) are available. These rules always use the "equals" operator.
4. Under **Allowed Users**, add users or groups to the list by clicking **Add** and entering the user/group name or using the picklist. You may need to start typing the user's name in the selection field to find the correct option. Repeat as many times as needed to add more allowed users/groups. When users are manually assigned, this list restricts the users or groups that can be selected. 
5. Optional: If you want Vault to assign the user/group to the role automatically, set the **Default User** checkbox. The **Details** tab has a setting to control when Vault will assign default users.
6. Click **Add Rule** to close the dialog.
7. If you need to add additional rules with different conditions, click **Add** again and repeat the process.
8. Click **Save** at the bottom of the page to save changes.

Note that the _Site Country_ object field is not available for overrides in Clinical Operations Vaults.

## Overrides on Multi-Select Fields

When you apply overrides for a controlling field that allows users to select multiple values, Vault will permit all users or groups that are allowed for at least one of the controlling field's values. However, if any of the values selected for the controlling field on a document are related to an override rule, only users or groups from the valid override rules are allowed.

For example, if your document's _Country_ field has one country with an override rule and one country without, only the allowed users or groups from the override rule are valid. See the detailed example below.

### Example Rules for Approver Role

| Allowed Users | Overrides |
| --- | --- |
| Group-A, Group-B, Group-C | When Country is Country-A, only Group-A is allowed.<br>When Country is Country-B, only Group-B is allowed. |

### Example Scenarios for Approver Role

| Selected Countries | Allowed Users |
| --- | --- |
| Country-C (no override) | Group-A, Group-B, Group-C |
| Country-A, Country-C | Group-A |
| Country-A, Country-B | Group-A, Group-B |
| Country-A, Country-B, Country-C | Group-A, Group-B |

## Document Type Settings for Default Users {#aboutDocTypeSettings}

When defining document types, you can [assign default users for some standard roles](/en/lr/618/#settings-at-all-levels) (_Editor_, _Consumer_, and _Viewer_). Vault applies these defaults at document creation, but will prevent assignment if the users or groups are not listed as allowed for the role at the lifecycle level.

### Vault API Differences {#restApiDifferences}

Document lifecycle role defaults do not apply to documents created by the <a class="external-link " href="https://developer.veevavault.com/api/26.1#create-multiple-documents" target="_blank" rel="noopener">Create Multiple Documents<i class="fa fa-external-link" aria-hidden="true"></i></a> endpoint.

## Limitations

The following limitations apply to defining users for document lifecycle roles: 

* You can assign the Coordinator and Owner roles to individual users, not groups. 
* You can't configure the Owner role with default and overrride rules. 
* You can only configure the Coordinator role with default and override rules. 
* You can't assign groups to the Coordinator role.