# About Permission Sets

In Vault, permission sets are a way to group permissions together. Security profiles or user roles then use the permission sets to grant or restrict users' access to certain features, particularly system administration functions such as user management or object record creation. For example, the permission sets applied to the _IT Administrator_ security profile allow users with that profile to manage users and groups, but not studies and sites.

## Accessing Permission Set Configuration

To configure permission sets, you must have the _Admin: Permission Sets: Read_, _Create_, _Edit_, and _Delete_ permissions.

With the right access, you can manage permission sets from **Admin > Users & Groups > Permission Sets**.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: You can only grant permissions that you also have. For example, if you do not have any of the <em>Vault Owner Actions</em> section permissions, you cannot turn those permissions on when editing a permission set.</p>
    </div>
  </div>
</div>



## About 'All' Permissions {#all-permissions}

Throughout the permission sets configuration, there are permissions like **All Configuration** and **All Audit**. Granting these permissions gives users all permissions under them. However, this functions differently from simply selecting each sub-permission. If a future release of Vault adds new permissions to an area, permission sets with the 'All' permission will automatically select those new permissions.

## About Permission Dependencies

Granting certain permissions automatically grants additional permissions. When editing, these dependent permissions will be greyed out as long as their controlling permission is selected.

For example, when you grant the _Web Actions: Delete_ permission, you automatically grant the _Web Actions: Edit_ permission.
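The following sketch models the two behaviors described above: an 'All' permission that follows the permission catalog across releases, and dependent permissions that are granted automatically. It is an added example, not Vault code or a Vault API; the catalog contents, the membership of the audit area, the `Web Actions: Edit` to `Web Actions: Read` dependency, and the new permission name are assumptions made for illustration.

```python
"""Model of 'All' permissions and permission dependencies.

Constructed sample data, not a Vault export. Permission names quoted from
this page are real; everything marked "assumed" or "hypothetical" is not.
"""

# 'All' permission -> the area it covers (area membership is assumed).
ALL_PERMISSIONS = {"Logs: All Audit": "audit logs"}

# Permissions per area in the current release (constructed).
CATALOG_CURRENT = {
    "audit logs": {
        "Logs: System Audit",
        "Logs: Login Audit",
        "Logs: Document Audit",
        "Logs: Object Record Audit",
        "Logs: Domain Audit",
    },
}

# The same catalog after a hypothetical release adds one audit permission.
NEW_PERMISSION = "Logs: Example New Audit (hypothetical)"
CATALOG_NEXT = {
    "audit logs": CATALOG_CURRENT["audit logs"] | {NEW_PERMISSION},
}

# Controlling permission -> permissions it grants automatically.
DEPENDS = {
    "Web Actions: Delete": {"Web Actions: Edit"},  # stated on this page
    "Web Actions: Edit": {"Web Actions: Read"},    # assumed, to show chaining
}

# Two permission sets that look equivalent in the current release.
SET_WITH_ALL = {"Logs: All Audit", "Web Actions: Delete"}
SET_EXPLICIT = CATALOG_CURRENT["audit logs"] | {"Web Actions: Delete"}


def effective(selected, catalog):
    """Return every permission a set grants under the given catalog."""
    granted = set(selected)
    # An 'All' permission resolves against the catalog at evaluation time.
    for perm in selected:
        area = ALL_PERMISSIONS.get(perm)
        if area is not None:
            granted |= catalog[area]
    # Follow dependencies until no new permission appears.
    pending = list(granted)
    while pending:
        for dep in DEPENDS.get(pending.pop(), ()):
            if dep not in granted:
                granted.add(dep)
                pending.append(dep)
    return granted


def implicit(selected, catalog):
    """Permissions granted without having been selected explicitly."""
    return effective(selected, catalog) - set(selected)


def release_drift(selected, before, after):
    """Permissions a set gains purely because the catalog changed."""
    return effective(selected, after) - effective(selected, before)


if __name__ == "__main__":
    for name, perm_set in (("with 'All'", SET_WITH_ALL),
                           ("explicit", SET_EXPLICIT)):
        gained = release_drift(perm_set, CATALOG_CURRENT, CATALOG_NEXT)
        print(f"{name}: gains after release -> {sorted(gained) or 'nothing'}")
    print("implicit via dependencies:",
          sorted(implicit({"Web Actions: Delete"}, CATALOG_CURRENT)))
```

When reviewing permission sets for least privilege, the output of `release_drift` is the part that changes without anyone editing the set, so sets holding an 'All' permission are the ones to re-check after each release.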

## About User Role Permissions

As an added layer of access alongside security profiles, you can optionally grant permissions with _User Roles_ added to _User_ records. This can simplify complex security profile configurations. See <a href="/en/gr/69197/">Managing Permissions with User Roles</a> for more information.

## Admin Permissions {#admin-permissions}

Access to administrator-type functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings on the **Admin** tab of the **Permission Sets** page.

In addition to license type, security profile, user role, and permission set, some access is controlled by the <a href="/en/gr/14691/#domain_admin_setting">**Domain Admin** user setting</a>.

### Configuration

|Permission|Access Details|
|--- |--- |
|Configuration: All Configuration|Grants all 'Configuration' permissions; individual permissions are explained below.|
|Configuration: All Configuration Read|Grants all 'Read' permissions in 'Configuration'; individual permissions are explained below.|
|Email Settings: Read|Grants read-only permission to the **Configuration > Email Settings** page|
|Email Settings: Edit|Grants edit permission to the **Configuration > Email Settings** page|
|Login Message: Read|Grants read-only permission to the **Configuration > Login Message** page|
|Login Message: Edit|Grants edit permission to the **Configuration > Login Message** page|
|Picklists: Read|Grants read-only permission to the **Business Admin > Picklist** page|
|Picklists: Edit|Grants edit permission to the **Business Admin > Picklist** page|
|User Account Emails: Read|Grants read-only permission to the **Configuration > User Account Emails** page|
|User Account Emails: Edit|Grants edit permission to the **Configuration > User Account Emails** page|
|Lifecycle Colors: Read|Grants read-only permission to the **Configuration > Lifecycle Colors** page|
|Lifecycle Colors: Edit|Grants edit permission to the **Configuration > Lifecycle Colors** page|
|Pages: Read|Grants read-only permission to **Configuration > Pages**|
|Pages: Edit|Grants edit permission to **Configuration > Pages**|
|Searchable Object Fields: Read|Grants read-only permission to the **Configuration > Searchable Objects** page|
|Searchable Object Fields: Edit|Grants edit permission to the **Configuration > Searchable Objects** page|
|Document Tags: Read|Grants read-only permission to the **Configuration > Document Tags** page.|
|Document Tags: Edit|Grants edit permission to the **Configuration > Document Tags** page.|
|Tabs: Read|Grants read-only permission to the **Configuration > Tabs** page|
|Tabs: Create|Grants the ability to create new tabs in the **Configuration > Tabs** page|
|Tabs: Edit|Grants the ability to edit existing tabs in the **Configuration > Tabs** page|
|Tabs: Delete|Grants ability to delete existing tabs in the **Configuration > Tabs** page|
|Tab Collections: Read|Grants read-only permission to the **Configuration > Tab Collections** page|
|Tab Collections: Create|Grants the ability to create new tab collections in the **Configuration > Tab Collections** page|
|Tab Collections: Edit|Grants the ability to edit existing tab collections in the **Configuration > Tab Collections** page|
|Tab Collections: Delete|Grants ability to delete existing tab collections in the **Configuration > Tab Collections** page|
|Document Web Actions: Read|Grants read-only permission to the **Configuration > Web Actions** page|
|Document Web Actions: Create|Grants ability to create new web actions in the **Configuration > Web Actions** page|
|Document Web Actions: Edit|Grants ability to edit existing web actions in the **Configuration > Web Actions** page|
|Document Web Actions: Delete|Grants ability to delete web actions in the **Configuration > Web Actions** page|
|Object Web Actions: Read|Grants read-only permission to the **Configuration > Object Web Actions** page|
|Object Web Actions: Create|Grants ability to create new actions in the **Configuration > Object Web Actions** page|
|Object Web Actions: Edit|Grants ability to edit existing actions in the **Configuration > Object Web Actions** page|
|Object Web Actions: Delete|Grants ability to delete actions in the **Configuration > Object Web Actions** page|
|Document Types: Read|Grants read-only permission to the **Configuration > Document Types** page|
|Document Types: Create|Grants ability to create new document types, subtypes, and classifications in the **Configuration > Document Types** page|
|Document Types: Edit|Grants ability to edit existing document types, subtypes, and classifications in the **Configuration > Document Types** page|
|Document Types: Delete|Grants ability to delete document types, subtypes, and classifications in the **Configuration > Document Types** page|
|Document Relationships: Read|Grants read-only permission to the **Configuration > Document Relationships**{: #document-relationships-permission} page|
|Document Relationships: Create|Grants the ability to create new document relationship types in the **Configuration > Document Relationships** page|
|Document Relationships: Edit|Grants the ability to edit existing document relationship types in the **Configuration > Document Relationships** page|
|Document Relationships: Delete|Grants the ability to delete document relationship types in the **Configuration > Document Relationships** page|
|Document Fields: Read|Grants read-only permission to the **Configuration > Document Fields** page|
|Document Fields: Create|Grants ability to create new document fields in the **Configuration > Document Fields** page|
|Document Fields: Edit|Grants ability to edit existing document fields in the **Configuration > Document Fields** page|
|Document Fields: Delete|Grants ability to delete document fields in the **Configuration > Document Fields** page|
|Field Dependencies: Read|Grants read-only permission to the **Configuration > Field Dependencies** page|
|Field Dependencies: Create|Grants ability to create field dependencies in the **Configuration > Document Fields** page|
|Field Dependencies: Edit|Grants ability to edit existing field dependencies in the **Configuration > Document Fields** page|
|Field Dependencies: Delete|Grants ability to delete field dependencies in the **Configuration > Document Fields** page|
|Field Layout: Read|Grants read-only permission to the **Configuration > Field Layouts** page|
|Field Layout: Create|Grants ability to create new field layouts in the **Configuration > Document Fields** page|
|Field Layout: Edit|Grants ability to edit existing field layouts in the **Configuration > Document Fields** page|
|Field Layout: Delete|Grants ability to delete field layouts in the **Configuration > Document Fields** page|
|Document Lifecycles: Read|Grants read-only permission to **Configuration > Document Lifecycles**, including all sub-pages (lifecycles, states, etc.)|
|Document Lifecycles: Create|Grants ability to create new items within **Configuration > Document Lifecycles** including lifecycles, lifecycle states, and workflows|
|Document Lifecycles: Edit|Grants ability to edit existing items within **Configuration > Document Lifecycles**, including lifecycles, lifecycle states, and workflows|
|Document Lifecycles: Delete|Grants ability to delete existing items within **Configuration > Document Lifecycles**, including lifecycles, lifecycle states, and workflows|
|Object Lifecycles: Read|Grants read-only permission to **Configuration > Object Lifecycles**, including all sub-pages (lifecycles, states, etc.)|
|Object Lifecycles: Create|Grants ability to create new items within **Configuration > Object Lifecycles**, including lifecycles, lifecycle states, etc.|
|Object Lifecycles: Edit|Grants ability to edit existing items within **Configuration > Object Lifecycles**, including lifecycles, lifecycle states, etc.|
|Object Lifecycles: Delete|Grants ability to delete existing items within **Configuration > Object Lifecycles**, including lifecycles, lifecycle states, etc.|
|Object Workflows: Read|Grants read-only permission to **Configuration > Object Workflows**|
|Object Workflows: Create|Grants ability to create new workflows within **Configuration > Object Workflows**|
|Object Workflows: Edit|Grants ability to edit existing workflows within **Configuration > Object Workflows**|
|Object Workflows: Delete|Grants ability to delete existing workflows within **Configuration > Object Workflows**|
|Document Messages: Read|Grants read-only permission to **Configuration > Document Messages**|
|Document Messages: Create|Grants ability to create new messages within **Configuration > Document Messages**|
|Document Messages: Edit|Grants ability to edit existing messages within **Configuration > Document Messages**|
|Document Messages: Delete|Grants ability to delete existing messages within **Configuration > Document Messages**|
|Object Messages: Read|Grants read-only permission to **Configuration > Object > Messages**|
|Object Messages: Create|Grants ability to create new messages within **Configuration > Object Messages**|
|Object Messages: Edit|Grants ability to edit existing messages within **Configuration > Object Messages**|
|Object Messages: Delete|Grants ability to delete existing messages within **Configuration > Object > Messages**|
|Objects: Read|Grants read-only permission to **Configuration > Objects**|
|Objects: Create|Grants ability to create new objects within **Configuration > Objects**|
|Objects: Edit|Grants ability to edit existing objects within **Configuration > Objects**|
|Objects: Delete|Grants ability to delete existing objects within **Configuration > Objects**|
|Overlays: Read|Grants read-only permission to **Business Admin > Templates > Overlays**|
|Overlays: Create|Grants ability to create new overlay templates within **Business Admin > Templates > Overlays**|
|Overlays: Edit|Grants ability to edit existing overlay templates within **Business Admin > Templates > Overlays**|
|Overlays: Delete|Grants ability to delete existing overlay templates within **Business Admin > Templates > Overlays**|
|Rendition Types: Read|Grants read-only permission to **Configuration > Rendition Types**|
|Rendition Types: Create|Grants ability to create new rendition types within **Configuration > Rendition Types**|
|Rendition Types: Edit|Grants ability to edit existing rendition types within **Configuration > Rendition Types**|
|Rendition Types: Delete|Grants ability to delete existing rendition types within **Configuration > Rendition Types**|
|Report Types: Read|Grants read-only permission to **Configuration > Report Types** and report views within **Configuration > Report Views**|
|Report Types: Create|Grants ability to create new report types within **Configuration > Report Types** and report views within **Configuration > Report Views**|
|Report Types: Edit|Grants ability to edit existing report types within **Configuration > Report Types** and report views within **Configuration > Report Views**|
|Report Types: Delete|Grants ability to delete existing report types within **Configuration > Report Types** and report views within **Configuration > Report Views**|
|Signature & Cover Pages: Read|Grants read-only permission to **Business Admin > Templates > Signature & Cover Pages**|
|Signature & Cover Pages: Create|Grants ability to create new signature page templates within **Business Admin > Templates > Signature & Cover Pages**|
|Signature & Cover Pages: Edit|Grants ability to edit existing signature page templates within **Business Admin > Templates > Signature & Cover Pages**|
|Signature & Cover Pages: Delete|Grants ability to delete existing signature page templates within **Business Admin > Templates > Signature & Cover Pages**|
|Formatted Output Records: Read|Grants read-only permission to **Business Admin > Templates > Formatted Outputs**|
|Formatted Output Records: Create|Grants ability to create new formatted outputs within **Business Admin > Templates > Formatted Outputs**|
|Formatted Output Records: Edit|Grants ability to edit existing formatted outputs within **Business Admin > Templates > Formatted Outputs**|
|Formatted Output Records: Delete|Grants ability to delete existing formatted outputs within **Business Admin > Templates > Formatted Outputs**|
|Page Links: Read|Grants read-only permission to **Configuration > Page Links**.|
|Page Links: Create|Grants ability to create new page links within **Configuration > Page Links**.|
|Page Links: Edit|Grants ability to edit existing page links within **Configuration > Page Links**.|
|Page Links: Delete|Grants ability to delete existing page links within **Configuration > Page Links**.|
|Custom Messages: Read|Grants read-only permission to **Configuration > Notification Templates**.|
|Custom Messages: Create|Grants ability to create new custom notification templates within **Configuration > Notification Templates**.|
|Custom Messages: Edit|Grants ability to edit existing custom notification templates within **Configuration > Notification Templates**.|
|Custom Messages: Delete|Grants ability to delete existing custom notification templates within **Configuration > Notification Templates**.|
|Templates: Read|Grants read-only permission to **Business Admin > Templates > Documents & Binders**|
|Templates: Create|Grants ability to create new document or binder templates within **Business Admin > Templates > Documents & Binders**|
|Templates: Edit|Grants ability to edit existing document or binder templates within **Business Admin > Templates > Documents & Binders**|
|Templates: Delete|Grants ability to delete existing document or binder templates within **Business Admin > Templates > Documents & Binders**|
|Action Triggers: Read|Grants ability to view the _Triggers_ tab on an object.|
|Action Triggers: Create|Grants ability to create Action Triggers.|
|Action Triggers: Edit|Grants ability to edit Action Triggers, including reordering, activating configurations, reverting active configurations, and turning Action Triggers on and off.|
|Action Triggers: Delete|Grants ability to delete Action Triggers.|
|Business Admin Objects: Read|Grants the ability to view and access the **Objects** tab within **Business Admin**.|
|Logs: All Audit|Grants ability to view all audit histories in **Admin > Logs**|
|Logs: System Audit|Grants ability to view **System Audit History** in **Admin > Logs**|
|Logs: Login Audit|Grants ability to view **Login Audit History** in **Admin > Logs**|
|Logs: Document Audit|Grants ability to view **Document Audit History** in **Admin > Logs**|
|Logs: Object Record Audit|Grants ability to view **Object Record Audit History** in **Admin > Logs**|
|Logs: Domain Audit|Grants ability to view **Domain Audit History** in **Admin > Logs**|
|Logs: Developer Logs|Grants ability to view the **Developer Logs** in **Admin > Logs**, such as the _Debug Log_ and _Runtime Log_.|
|Logs: API Usage|Grants ability to view **API Usage Logs** in **Admin > Logs**|
|Logs: Collab Auth Error Logs|Grants ability to view **Collaborative Authoring Error Log** in **Admin > Logs**|
|Spark Queues: Read|Grants read-only permission to Spark queues in **Connections > Spark Queues**|
|Spark Queues: Create|Grants ability to create Spark queues in **Connections > Spark Queues**|
|Spark Queues: Edit|Grants ability to edit existing Spark queues in **Connections > Spark Queues**|
|Spark Queues: Delete|Grants ability to delete Spark queues in **Connections > Spark Queues**|
|Spark Queues: Queue Log|Grants ability to view the Spark **Queue Log** in **Admin > Logs**|
|Vault Java SDK: Read|Grants read permission on components using the Vault Java SDK|
|Vault Java SDK: Create|Grants create permission on components using the Vault Java SDK|
|Vault Java SDK: Edit|Grants edit permission on components using the Vault Java SDK|
|Vault Java SDK: Delete|Grants delete permission on components using the Vault Java SDK|
|Vault Tokens: Read|Grants the ability to view _Vaulttoken_ records using MDL.|
|Vault Tokens: Create|Grants the ability to create _Vaulttoken_ records using MDL.|
|Vault Tokens: Edit|Grants the ability to alter _Vaulttoken_ records using MDL.|
|Vault Tokens: Delete|Grants the ability to drop _Vaulttoken_ records using MDL.|
|Inbound Email Addresses: Read|Grants read-only permission to **Configuration > Inbound Email Addresses**|
|Inbound Email Addresses: Create|Grants ability to create new addresses in **Configuration > Inbound Email Addresses**|
|Inbound Email Addresses: Edit|Grants ability to edit existing addresses in **Configuration > Inbound Email Addresses**|
|Inbound Email Addresses: Delete|Grants ability to delete existing addresses in **Configuration > Inbound Email Addresses**|
|Inbound Email Addresses: Email Log|Grants ability to view the **Email Log** in **Admin > Logs**|
|Inbound Email Addresses: Reprocess Emails|Grants ability to use the **Reprocess Emails** user action|
|Inbound Email Addresses: Delete Emails|Grants ability to use the **Delete Emails** user action|

### Domain Administration

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Give careful consideration when granting the permissions below, as these allow control over all Vaults in a multi-Vault domain. Users must have the <strong>Domain Admin</strong> setting in addition to these permissions.</p>
    </div>
  </div>
</div>



|Permission|Access Details|
|--- |--- |
|Domain Administration: All Domain Admin|Grants all permissions related to Domain Administration|
|Domain Administration: All Domain Admin Read|Grants read-only permissions to all Domain Administration areas|
|Domain Administration: Reset All Passwords|Grants permission to <a href="/en/gr/1985/">reset all user passwords</a>.|
|Domain Settings: Read|Grants read-only permission to **Settings > Domain Settings**|
|Domain Settings: Edit|Grants edit permission to **Settings > Domain Settings**|
|SSO Settings: Read|Grants read-only permission to **Settings > SAML Profiles**|
|SSO Settings: Edit|Grants edit permission to **Settings > SAML Profiles**|
|Security Policies: Read|Grants read-only permission to **Settings > Security Policies**|
|Security Policies: Create|Grants permission to create new security policies in **Settings > Security Policies**|
|Security Policies: Edit|Grants permission to edit existing security policies in **Settings > Security Policies**|
|Network Access Rules: Read|Grants read-only permission to **Settings > Network Access Rules**|
|Network Access Rules: Create|Grants permission to create new network access rules in **Settings > Network Access Rules**|
|Network Access Rules: Edit|Grants permission to edit existing network access rules in **Settings > Network Access Rules**|
|Network Access Rules: Delete|Grants permission to delete existing network access rules in **Settings > Network Access Rules**|

### Operations

|Permission|Access Details|
|--- |--- |
|Operations: All Operations|Grants all permissions for job scheduler and **Rendition Status**|
|Operations: All Operations Read|Grants read-only permissions to all areas of the **Operations** tab|
|Jobs: Read|Grants read-only access to **Operations > Job Definitions**|
|Jobs: Create|Grants ability to create new job definitions|
|Jobs: Edit|Grants ability to edit existing job definitions|
|Jobs: Delete|Grants ability to delete job definitions|
|Jobs: Interact|Grants ability to manage scheduled job instances (start, stop, cancel, etc.)|
|Renditions: Read|Grants read-only access to **Operations > Rendition Status**|
|SDK Job Queues: Read|Grants read-only permission to SDK job queues in **Operations > SDK Job Queues**|
|SDK Job Queues: Create|Grants ability to create SDK job queues in **Operations > SDK Job Queues**|
|SDK Job Queues: Edit|Grants ability to edit SDK job queues in **Operations > SDK Job Queues**|
|SDK Job Queues: Delete|Grants ability to delete SDK job queues in **Operations > SDK Job Queues**|
|Email Notifications: Read|Grants permission to view the **Operations > Email Notification Status** page and the **Admin > Operations > Email Suppression List** page|
|Email Notifications: Delete|Grants the ability to delete a record from the <a href="/en/gr/542073/">Email Suppression</a> list|

### Security

|Permission|Access Details|
|--- |--- |
|Security: All Security Admin|Grants all 'Security' permissions; individual permissions are explained below.|
|Security: All Security Admin Read|Grants all 'Read' permissions in 'Security'; individual permissions are explained below.|
|Security Settings: Read|Grants read-only access to **Settings > Security Settings**|
|Security Settings: Edit|Grants edit access to **Settings > Security Settings**|
|Users: Read|Grants read-only access to **Users & Groups > Vault Users**|
|Users: Create|Grants access to create new users or add users from another Vault from **Users & Groups > Vault Users**|
|Users: Edit|Grants access to edit existing users from **Users & Groups > Vault Users**|
|Users: Assign Group|Grants access to assign users to groups from **Users & Groups > Vault Users**|
|Users: Grant Support Login|Grants permission to give Vault Support user account access for a specific user from **Users & Groups > Vault Users**|
|Users: Delegate Admin|Grants permission to give delegate access to another user's account from **Users & Groups > Vault Users**|
|Users: Add Cross-Domain Users|Grants permission to add cross-domain users from **Users & Groups > Vault Users**|
|Users: Manage User Object|Grants ability to create, modify, and add User object records.|
|Groups: Read|Grants read-only access to **Users & Groups > Groups**|
|Groups: Create|Grants ability to create new groups from **Users & Groups > Groups**|
|Groups: Edit|Grants ability to edit existing groups from **Users & Groups > Groups**|
|Groups: Delete|Grants ability to delete existing groups from **Users & Groups > Groups**|
|Groups: Assign Users|Grants ability to assign users to groups from **Users & Groups > Groups**|
|Security Profiles: Read|Grants read-only access to **Configuration > Security Profiles**|
|Security Profiles: Create|Grants ability to create new security profiles from **Configuration > Security Profiles**|
|Security Profiles: Edit|Grants ability to edit existing security profiles from **Configuration > Security Profiles**|
|Security Profiles: Delete|Grants ability to delete existing security profiles from **Configuration > Security Profiles**|
|Security Profiles: Assign Users|Grants ability to assign users to a security profile from **Users & Groups > Security Profiles**. You must also have at least the same permissions as those associated with a security profile to assign users.|
|Permission Sets: Read|Grants read-only access to **Configuration > Permission Sets**|
|Permission Sets: Create|Grants ability to create new permission sets from **Configuration > Security Profiles**|
|Permission Sets: Edit|Grants ability to edit existing permission sets from **Configuration > Security Profiles**|
|Permission Sets: Delete|Grants ability to delete existing permission sets from **Configuration > Security Profiles**|

### About

|Permission|Access Details|
|--- |--- |
|About: Vault Information: Read|Grants read-only permission to the **Admin > About > Vault Information** page|
|About: Domain Information: Read|Grants read-only permission to the **Admin > About > Domain Information** page|

### Settings {#settings}

|Permission|Access Details|
|--- |--- |
|Settings: All Settings Edit|Grants edit permissions for all pages in **Admin > Settings**|
|Settings: All Settings Read|Grants read-only permission for all pages in **Admin > Settings**|
|General Configuration: Read|Grants read-only permission to the **Settings > General Settings** page <br>Additionally grants read-only permission to the **Settings > Help Settings** page as well as <a href="/en/gr/18132/">feature enablement</a>|
|General Configuration: Edit|Grants edit permission to the **Settings > General Settings** page <br> Additionally grants edit permission to the **Settings > Help Settings** page as well as <a href="/en/gr/18132/">feature enablement</a>|
|Checkout: Read|Grants read-only permission to the **Settings > Checkout Settings** page|
|Checkout: Edit|Grants edit permission to the **Settings > Checkout Settings** page|
|Versioning: Read|Grants read-only permission to the **Settings > Versioning Settings** page|
|Versioning: Edit|Grants edit permission to the **Settings > Versioning Settings** page|
|Branding: Read|Grants read-only permission to the **Settings > Branding Settings** page|
|Branding: Edit|Grants edit permission to the **Settings > Branding Settings** page|
|Search: Read|Grants read-only permission to the **Settings > Search Settings** page|
|Search: Edit|Grants edit permission to the **Settings > Search Settings** page|
|Language: Read|Grants read-only permission to the **Settings > Language Settings** page|
|Language: Edit|Grants edit permission to the **Settings > Language Settings** page|
|Application: Read|Grants read-only permission to the **Settings > Application Settings** page|
|Application: Edit|Grants edit permission to the **Settings > Application Settings** page|
|Renditions: Read|Grants read-only permission to the **Settings > Rendition Settings** page|
|Renditions: Edit|Grants edit permission to the **Settings > Rendition Settings** page|

### Deployment

|Permission|Access Details|
|--- |--- |
|Migration Packages: Create|Grants ability to create new outbound Configuration Migration Packages from **Admin > Deployment**|
|Migration Packages: Deploy|Grants ability to deploy Configuration Migration Packages from **Admin > Deployment**|
|Environment: Vault Configuration Report|Grants ability to run a Vault Configuration Report from **Admin > Deployment**|
|Environment: Vault Comparison|Grants ability to use Vault Compare from **Admin > Deployment**|
|Sandbox: Read|Grants ability to view sandboxes in the **Admin > Deployment > Sandbox Vaults** page|
|Sandbox: Create|Grants ability to create sandboxes in the **Admin > Deployment > Sandbox Vaults** page. Also grants the ability to build and promote a pre-production Vault to a production Vault.|
|Sandbox: Edit|Grants ability to edit and refresh sandboxes in the **Admin > Deployment > Sandbox Vaults** page|
|Sandbox: Delete|Grants ability to delete and refresh sandboxes in the **Admin > Deployment > Sandbox Vaults** page|

## Application Permissions {#applicationpermissions}

Access to certain Vault-area functionality is controlled by permissions assigned via permission sets and security profiles. The sections below align with the headings in the **Application** tab of the **Permission Sets** page.

There are three layers of security applied to actions. First, you must have a license type that allows the action. For example, the _Read-Only User_ license type does not allow access to reports. Second, you must have a permission set that grants the correct permission. For example, you would need the **Read Dashboards and Reports** permission to see any dashboard. Third, for document actions, you must have the correct document role-based permissions. For example, even with a permission set that grants the **Bulk Update** permission, you would also need the **Edit Fields** permission on any documents that you're attempting to update in order to perform a bulk document field edit.

### Vault Actions {#Vault_Actions}

<table class="wbord" style="height: 5240px;">
  <tr style="height: 24px;">
    <td style="width: 164px; height: 24px;">
      <strong>Permission</strong>
    </td>
    <td style="width: 454px; height: 24px;">
      <strong>Access Details</strong>
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      Vault Actions: All Vault Actions
    </td>
    <td style="width: 454px; height: 48px;">
      Grants all 'Vault Actions' permissions; see details for individual permissions below.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      Dashboards and Reports: All
    </td>
    <td style="width: 454px; height: 48px;">
      Grants all 'Dashboard' permissions; see details for individual permissions below.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      Dashboards and Reports: Read Dashboards and Reports
    </td>
    <td style="width: 454px; height: 96px;">
      Grants permission to run any reports that other users have shared with you.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Dashboards and Reports: Create Dashboards
    </td>
    <td style="width: 454px; height: 72px;">
      Grants permission to create new dashboards and to edit any dashboards that you created or to which other users have given you the Editor role.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Dashboards and Reports: Delete Dashboards
    </td>
    <td style="width: 454px; height: 72px;">
      Grants permission to delete your own dashboards or dashboards to which other users have given you the Editor role.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Dashboards and Reports: Share Dashboards
    </td>
    <td style="width: 454px; height: 72px;">
      Grants permission to use the <strong>Share</strong> action on dashboards that you created or to which other users have given you the Editor role.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Dashboards and Reports: Schedule Reports
    </td>
    <td style="width: 454px; height: 72px;">
      Grants permission to use the <strong>Schedule</strong> action to schedule flash reports.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      Dashboards and Reports: Administer Dashboards
    </td>
    <td style="width: 454px; height: 96px;">
      Grants permission to view and edit all dashboards, including dashboards created by another user who has not shared them. With this permission, a user may share and delete other users' dashboards.
    </td>
  </tr>
  <tr>
    <td style="width: 164px;">
      Dashboards and Reports: Display API Name Dashboards
    </td>
    <td style="width: 454px;">
      Grants permission to view the API names of dashboards.
    </td>
  </tr>
  <tr>
    <td style="width: 164px;">
      Dashboards and Reports: Read Group Membership
    </td>
    <td style="width: 454px;">
      Grants permission to view reports that contain both users and groups.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Workflow: All Workflow
    </td>
    <td style="width: 454px; height: 72px;">
      Grants all 'Workflow' permissions; see details below for individual permissions. This does not include 'Workflow Administration' permissions.
    </td>
  </tr>
  <tr style="height: 24px;">
    <td style="width: 164px; height: 24px;">
      Workflow: Start
    </td>
    <td style="width: 454px; height: 24px;">
      Grants permission to start workflows.
    </td>
  </tr>
  <tr style="height: 24px;">
    <td style="width: 164px; height: 24px;">
      Workflow: Participate
    </td>
    <td style="width: 454px; height: 24px;">
      Grants permission to participate in workflows. Also grants permission to use VQL to query workflow data. Learn more in the <a class="external-link " href="https://developer.veevavault.com/vql/#Querying_Workflows" target="_blank" rel="noopener">Developer Documentation<i class="fa fa-external-link" aria-hidden="true"></i></a>.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      Workflow: Read and Understand
    </td>
    <td style="width: 454px; height: 48px;">
      Grants permission to participate in Read & Understood workflows.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      Workflow: eSignature
    </td>
    <td style="width: 454px; height: 48px;">
      Grants permission to provide an eSignature as part of a workflow.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      Workflow: Query
    </td>
    <td style="width: 454px; height: 48px;">
      Grants permission to use VQL to query workflow data. Learn more in the <a class="external-link " href="https://developer.veevavault.com/vql/#Querying_Workflows" target="_blank" rel="noopener">Developer Documentation<i class="fa fa-external-link" aria-hidden="true"></i></a>.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Workflow Administration: All Workflow Admin
    </td>
    <td style="width: 454px; height: 72px;">
      Grants all 'Workflow Administration' permissions; see details below for individual permissions. This does not include 'Workflow' permissions.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      Workflow Administration: Cancel
    </td>
    <td style="width: 454px; height: 96px;">
      Grants permission to cancel any active workflow or open task that you can see, even if you are not the workflow or task owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      Workflow Administration: View Active
    </td>
    <td style="width: 454px; height: 96px;">
      Grants permission to view all active Read & Understood workflows on the document for non-current document versions in Quality Vaults, including those on which you are not a participant.
    </td>
  </tr>
  <tr style="height: 120px;">
    <td style="width: 164px; height: 120px;">
      Workflow Administration: Reassign
    </td>
    <td style="width: 454px; height: 120px;">
      Grants permission to reassign workflow tasks that are currently assigned to other users, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      Workflow Administration: Update Participants
    </td>
    <td style="width: 454px; height: 96px;">
      Grants permission to add a participant to a workflow, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      Workflow Administration: Email Participants
    </td>
    <td style="width: 454px; height: 96px;">
      Grants permission to email workflow participants, even if you are not the workflow owner. If your Vault uses <a href="/en/gr/47850/#active-workflow-actions">Atomic Security for Active Workflow Actions</a>, users must have both this permission and access through Atomic Security. Learn more about <a href="/en/gr/50506/">Managing Active Document Workflows</a> or <a href="/en/gr/33553/">Managing Active Object Workflows</a>.
    </td>
  </tr>
  <tr style="height: 120px;">
    <td style="width: 164px; height: 120px;">
      Workflow Administration: Update Workflow Dates
    </td>
    <td style="width: 454px; height: 120px;">
      Grants permission to update all workflow dates or specific task due dates, even if you are not the workflow owner. If your Vault uses Atomic Security for Active Workflow Actions, users must have both this permission and access through Atomic Security.
    </td>
  </tr>
  <tr>
    <td style="width: 164px;">
      Workflow Administration: Replace Workflow Owner
    </td>
    <td style="width: 454px;">
      Grants permission to replace the workflow owner on an active workflow.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      API: All API
    </td>
    <td style="width: 454px; height: 48px;">
      Grants all 'API' permissions; see details for individual permissions below.
    </td>
  </tr>
  <tr style="height: 24px;">
    <td style="width: 164px; height: 24px;">
      API: Access API
    </td>
    <td style="width: 454px; height: 24px;">
      Grants basic permission to complete a Vault API call and download files from file staging, and access to Vault Loader. Users must have both this permission and <em>File Staging: Access</em> to download files.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      API: Events API
    </td>
    <td style="width: 454px; height: 48px;">
      Grants access to the Events APIs, used in PromoMats Vaults with CLM integration.
    </td>
  </tr>
  <tr style="height: 24px;">
    <td style="width: 164px; height: 24px;">
      API: Metadata API
    </td>
    <td style="width: 454px; height: 24px;">
      Grants access to metadata APIs, including read and write access to MDL APIs.
    </td>
  </tr>
  <tr style="height: 24px;">
    <td style="width: 164px; height: 24px;">
      API: Direct Data API
    </td>
    <td style="width: 454px; height: 24px;">
      Grants access to the Direct Data API.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      CrossLink: Create CrossLink
    </td>
    <td style="width: 454px; height: 48px;">
      Grants ability to create a CrossLink document if this functionality is available on your Vault.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Viewer Administration: Manage Tags
    </td>
    <td style="width: 454px; height: 72px;">
      Grants ability to <a href="/en/gr/7779/">manage annotation tags</a>.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Viewer Administration: Merge Anchors
    </td>
    <td style="width: 454px; height: 72px;">
      Grants ability to <a href="/en/gr/16418/">merge document link anchors</a>.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Viewer Administration: Remove Annotations
    </td>
    <td style="width: 454px; height: 72px;">
      Grants ability to remove annotations brought forward from another version by a different user.
    </td>
  </tr>
  <tr style="height: 120px;">
    <td style="width: 164px; height: 120px;">
      Viewer Administration: Manage Anchors
    </td>
    <td style="width: 454px; height: 120px;">
      Grants ability to bring forward anchors. Brought forward anchors have no inbound references. This permission also grants the ability to move and delete any anchor that does not have an inbound reference, and the ability to edit the name of any anchor.
    </td>
  </tr>
  <tr style="height: 144px;">
    <td style="width: 164px; height: 144px;">
      Document: Cancel Checkout
    </td>
    <td style="width: 454px; height: 144px;">
      Grants ability to cancel checkout (using the <strong>Undo Checkout</strong> action) for documents that another user has checked out. You must also have the <strong>Edit Document</strong> role-based permission for a document to perform this action. Document Owners can always cancel checkout if they have the <strong>Edit Document</strong> role-based permission.
    </td>
  </tr>
  <tr style="height: 120px;">
    <td style="width: 164px; height: 120px;">
      Document: Download Document
    </td>
    <td style="width: 454px; height: 120px;">
      Grants ability to download document source files. You must also have the appropriate role-based permissions for a document to perform this action. This permission does not control access to the <strong>Check Out</strong> action or the <strong>Export Binder</strong> action.
    </td>
  </tr>
  <tr style="height: 168px;">
    <td style="width: 164px; height: 168px;">
      Document: Download Rendition
    </td>
    <td style="width: 454px; height: 168px;">
      Grants ability to download document renditions, including <em>Viewable Rendition</em> and <em>PDF with Annotations</em>; without this permission, you also cannot use the <strong>Export Annotations</strong> action. You must also have the appropriate role-based permissions for a document to perform this action. This permission does not control access to the <strong>Export Binder</strong> action.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Document: Bulk Delete
    </td>
    <td style="width: 454px; height: 72px;">
      Grants ability to perform bulk document deletion. You'll also need the correct document role-based permissions to delete a document.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Document: Bulk Update
    </td>
    <td style="width: 454px; height: 72px;">
      Grants ability to perform bulk document updates. You'll also need the correct document role-based permissions to update a document.
    </td>
  </tr>
  <tr style="height: 144px;">
    <td style="width: 164px; height: 144px;">
      Document: Always Allow Unclassified
    </td>
    <td style="width: 454px; height: 144px;">
      Grants the ability to create unclassified documents even without document creation permission on any document type, except for users with the Read-only license type. Users with <strong>Create Document</strong> permission on any document types are automatically allowed to create unclassified documents, regardless of this permission.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Document: Vault File Manager
    </td>
    <td style="width: 454px; height: 72px;">
      Grants ability to check out documents to Vault File Manager using the Check Out to File Manager action or Document Check Out bulk action.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Document: Download Non-Protected Rendition
    </td>
    <td style="width: 454px; height: 72px;">
      Grants ability to download viewable renditions without any Vault-configured security settings or Vault protection applied.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Object: Bulk Action
    </td>
    <td style="width: 454px; height: 72px;">
      Grants the ability to perform bulk object record updates. You'll also need the correct object role-based permissions to update an object record.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Object: Merge Records
    </td>
    <td style="width: 454px; height: 72px;">
      Grants the ability to perform <a href="/en/gr/659058/">record merges</a>. You'll also need the correct object role-based permissions to read, update, and delete the object records.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      User: Allow As A Delegate
    </td>
    <td style="width: 454px; height: 48px;">
      Grants the permission to allow a user to be selected as a delegate through the <strong>Delegated Access</strong> feature.
    </td>
  </tr>
  <tr style="height: 192px;">
    <td style="width: 164px; height: 192px;">
      User: View User Information
    </td>
    <td style="width: 454px; height: 192px;">
      Grants the ability to view the name and identifying information of other users in this Vault, use the <strong>Send as Link</strong> action, and view Timeline View and Sharing Settings information on the Doc Info page. Users without this permission may only see the names and identifying details of other users who share the same email domain. For example, Teresa, whose email is tibanez@veepharm.com, can see the user information of all @veepharm.com users, but she can't see @medi-review.com users.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      User: View User Profile
    </td>
    <td style="width: 454px; height: 48px;">
      Grants users the ability to view their own <a href="/en/gr/7239/">user profile</a> and see the User Profile option in their user dropdown menu.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      Search: Manage Archives
    </td>
    <td style="width: 454px; height: 48px;">
      Grants ability to manage <a href="/en/gr/34126/">search archives</a>. This also grants the <strong>View Archive</strong> permission.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      Search: Term Suggestions
    </td>
    <td style="width: 454px; height: 96px;">
      Grants ability to see search term suggestions. Search term suggestions are not affected by any other permission. For example, a user will see a search term suggestion for "cholecap" even if they don't have access to the "Cholecap" Product.
    </td>
  </tr>
  <tr style="height: 120px;">
    <td style="width: 164px; height: 120px;">
      Search: User Filters
    </td>
    <td style="width: 454px; height: 120px;">
      Grants ability to see filters on user reference fields when searching for documents or object records, for example, Created By and Last Modified By. This setting is typically disabled for security profiles that apply to sponsors when a CRO wants to hide user information.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      Search: View Archive
    </td>
    <td style="width: 454px; height: 48px;">
      Grants ability to view documents in the archive. You'll also need the correct document role-based permissions.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Application: Send to CDN
    </td>
    <td style="width: 454px; height: 72px;">
      Grants ability to send a document to CDN through a private API; this permission is only used by CRM's conversion tool for integrations and should not be applied to users.
    </td>
  </tr>
  
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      Application: Approved Email
    </td>
    <td style="width: 454px; height: 48px;">
      Grants ability to use the <a href="/en/gr/12080/"><strong>Create Email Fragment</strong></a> action.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      Application: Multichannel Loader
    </td>
    <td style="width: 454px; height: 96px;">
      Ability to access the <strong>CRM Publishing</strong> and <strong>Multichannel Loader</strong> tabs; by default, this permission is only granted to users with the standard <em>System Admin</em> or <em>Vault Owner</em> security profiles.
    </td>
  </tr>
  <tr style="height: 24px;">
    <td style="width: 164px; height: 24px;">
      Views: Share Views
    </td>
    <td style="width: 454px; height: 24px;">
      Grants ability to share custom views with other users.
    </td>
  </tr>
  <tr style="height: 224px;">
    <td style="width: 164px; height: 224px;">
      Views: Make Mandatory
    </td>
    <td style="width: 454px; height: 224px;">
      Grants ability to:
      <ul>
        <li>
Add a custom view to other users' sidebar and make it non-removable
        </li>
        <li>
Modify any other mandatory view
        </li>
        <li>
Delete other users' mandatory views
        </li>
        <li>
Select custom view icons
        </li>
        <li>
Delete system-owned views created through cloning (where applicable)
        </li>
      </ul>
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      Audit Trail: View
    </td>
    <td style="width: 454px; height: 96px;">
      Grants ability to access the <strong>Audit Trail</strong> option for individual documents and object records through the <strong>All Actions</strong> menu. You must also have the appropriate role-based permissions to perform this action.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      Audit Trail: Export
    </td>
    <td style="width: 454px; height: 72px;">
      Grants ability to export a document or object record audit trail. You must also have the <strong>Audit Trail > View</strong> permission before you can export.
    </td>
  </tr>

  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      File Staging: Access
    </td>
    <td style="width: 454px; height: 96px;">
      Grants ability to connect to file staging and download files extracted using Vault Loader (document source files and renditions). This permission does not grant the ability to upload files to the server or view directories created by other users. Users must have both this permission and <em>API: Access API</em> to download files.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      File Staging: Access via Vault File Manager
    </td>
    <td style="width: 454px; height: 96px;">
      Grants ability to connect to file staging and upload files and folders using Vault File Manager. This permission does not grant the ability to upload files to the server or view directories created by other users.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      File Staging: Access Root Folder
    </td>
    <td style="width: 454px; height: 96px;">
      Grants ability to access the file staging server's root folder. By default, this permission is enabled in the standard <em>Vault Owner</em> and <em>System Administrator</em> permission sets.
    </td>
  </tr>
  <tr style="height: 72px;">
    <td style="width: 164px; height: 72px;">
      EDL Matching: Run
    </td>
    <td style="width: 454px; height: 72px;">
      Ability to access the <strong>Start Now</strong> action on a scheduled batch matching job or the <strong>Match Documents</strong> action on an individual EDL item.
    </td>
  </tr>
  <tr style="height: 48px;">
    <td style="width: 164px; height: 48px;">
      EDL Matching: Edit Match Fields
    </td>
    <td style="width: 454px; height: 48px;">
      Ability to edit the <em>EDL Matching Field</em> picklist on an <em>EDL</em> record.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      EDL Matching: Edit Document Matches
    </td>
    <td style="width: 454px; height: 96px;">
      Ability to lock the document version matched with an <em>EDL Item</em> record, exclude or include matched documents in summary fields, and manually match/unmatch documents from an <em>EDL Item</em>.
    </td>
  </tr>
  <tr style="height: 96px;">
    <td style="width: 164px; height: 96px;">
      Create Button: Show Create Button
    </td>
    <td style="width: 454px; height: 96px;">
      Ability to see the <strong>Create</strong> button on all tabs. This option is turned on by default on all existing standard and custom permission sets and turned off by default on all new custom permission sets.
    </td>
  </tr>
</table>

### Vault Owner Actions {#vault-owner-actions}

These permissions control actions that are available to users with the standard <a href="/en/gr/31186/">_Vault Owner_</a> security profile.

|Permission|Access Details|
|--- |--- |
|Vault Owner Actions: Re-render|Grants ability to save page rotations, re-render a document that already has a viewable rendition, and delete a viewable rendition; see <a href="/en/gr/1403/">related article</a>.|
|Vault Owner Actions: Power Delete|Grants ability to delete documents that otherwise could not be deleted, for example, documents in steady state; see <a href="/en/gr/3292/">related article</a>.|
|Vault Owner Actions: Vault Loader|Grants ability to see and use the _Loader_ tab. Users must have both this permission and _Application: API: Access API_ to download files.|
|Vault Owner Actions: Record Migration|Grants ability to load object records (through Vault Loader or Vault API only) in a lifecycle state other than _Starting State_.|
|Vault Owner Actions: Document Migration|Grants ability to apply Document Migration Mode only to a batch of new documents upon creation through Vault Loader or Vault API; see <a href="/en/gr/54028/">related article</a>.|
|All Documents: All Document Actions|Grants all permissions in 'All Documents'; see details for individual permissions below.|
|All Documents: All Document Read|Grants view access to all documents, regardless of the document's Sharing Settings.|
|All Documents: All Document Create|Grants access to create documents or binders for any document type, regardless of document type **Create** settings.|
|All Object Records: All Object Records Actions|Grants access to all permissions in 'All Object Records'; see details for individual permissions below.|
|All Object Records: All Object Record Read|Grants view access to all object records, regardless of the record's Sharing Settings.|
|All Object Records: All Object Record Edit|Grants edit access (same as Owner role) to all object records, regardless of the record's Sharing Settings.|
|All Object Records: All Object Record Delete|Grants delete access to all object records, regardless of the record's Sharing Settings.|
|Legal Hold: Apply|Grants ability to apply/edit a legal hold to a single document or as a bulk action.|
|Legal Hold: Remove|Grants ability to remove a legal hold from a single document or as a bulk action.|
|Connections: Manage Connections|Grants the ability to view and manage connections in the **Connections** tab in Vault Admin.|
|Integrations: Manage Integrations|Grants the ability to view and manage integration configuration such as user exception messages, integration rules, and Spark message processors in the **Connections** tab in Vault Admin.|

## Object Permissions {#objectpermissions}

From the **Objects** tab, you can assign permission to view, create, edit, and delete object records at the object level. For example, a user could have full permissions to _Study Site_ object records, **Edit** permission to _Study_ records, **Read** access to _Product_ records, and no access to _Country_ records. From this tab, you can also set up <a href="/en/gr/39108/">field-level security</a>, <a href="/en/gr/43127/#action_level_security">action-level security</a>, and [object control-level security][1] on objects.

For each object, you can grant or remove the following permissions:

* **Read**: Allows you to view records for the object; see [details][0]
* **Create**: Allows you to create a new object record or to copy an existing record; allows you to access **Business Admin > Objects**. With this permission, Vault automatically grants **Edit** permission.
* **Edit**: Allows you to edit an existing object record, including adding/deleting/versioning attachments; allows you to access **Business Admin > Objects**
* **Delete**: Allows you to delete an existing object record

Granting these permissions for **All Objects** means that the permission set will automatically include the permissions for any object created in the future.

### Object Control Permissions {#object-control-permissions}

You can also modify permissions for object controls from the **Objects** tab. Object controls are used to control whether users are able to view certain UI elements. Object controls associated with a given object or available to all objects appear under the _Object Control Permissions_ heading.

Unlike object fields or actions, the only permission that you can assign for object controls is **View**. You can assign this permission on a single control or select **All Object Controls**. If the object control is associated with an object type, you can only grant _View_ permissions across all object types. You cannot grant _View_ permissions per control per object type.

### Dynamic Access Control

<a href="/en/gr/33946/">Dynamic Access Control</a> interacts with these settings to prevent users from viewing, editing, or deleting specific object records. If an object uses DAC, users must have both the appropriate permission through their security profile and access through the individual object record's sharing settings. When creating a record, Vault only considers the user's permission sets.
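The object-level rules described above ("All Objects" covering future objects, **Create** granting **Edit**, and the two-part check when an object uses DAC) can be modeled for access reviews. This is an added example, not Vault code or a Vault API: the class names, the `*` key for "All Objects", the shape of the sharing data, and the sample permission sets are all assumptions.

```python
from dataclasses import dataclass, field

ALL_OBJECTS = "*"  # assumed key standing for the "All Objects" row on the Objects tab


@dataclass
class PermissionSet:
    """Object-level grants of one permission set: {object label: {actions}}."""
    name: str
    grants: dict = field(default_factory=dict)

    def effective(self, obj):
        """Actions this set allows on `obj` after applying the rules on this page."""
        # "All Objects" grants also cover objects that are created later.
        actions = set(self.grants.get(obj, ())) | set(self.grants.get(ALL_OBJECTS, ()))
        # Granting Create automatically grants Edit.
        if "create" in actions:
            actions.add("edit")
        return actions


@dataclass
class Record:
    """One object record; `sharing` maps user -> actions its sharing settings allow."""
    obj: str
    uses_dac: bool = False
    sharing: dict = field(default_factory=dict)


def can_create(pset, obj):
    """Record creation: only the user's permission sets are considered."""
    return "create" in pset.effective(obj)


def can_access(pset, user, record, action):
    """Decide read, edit or delete on an existing record."""
    if action not in ("read", "edit", "delete"):
        raise ValueError(f"unsupported action: {action}")
    if action not in pset.effective(record.obj):
        return False  # no object-level permission; sharing settings cannot add it
    if not record.uses_dac:
        return True   # object does not use DAC; the permission set decides
    return action in record.sharing.get(user, ())  # DAC: both checks must pass


def future_object_grants(pset):
    """Actions that will apply to any object created later (a review flag)."""
    return sorted(pset.effective("<object created later>"))


# Constructed sample data, following the Study Site / Study / Product / Country example.
STUDY_TEAM = PermissionSet("Study Team", {
    "Study Site": {"read", "create", "edit", "delete"},
    "Study": {"read", "edit"},
    "Product": {"read"},
})
BROAD = PermissionSet("Broad", {ALL_OBJECTS: {"read", "create"}})
SHARED_STUDY = Record("Study", uses_dac=True, sharing={"teresa": {"read"}})
SHARED_PRODUCT = Record("Product", uses_dac=True, sharing={"teresa": {"read", "edit"}})

if __name__ == "__main__":
    for rec in (SHARED_STUDY, SHARED_PRODUCT):
        for action in ("read", "edit"):
            print(rec.obj, action, can_access(STUDY_TEAM, "teresa", rec, action))
    print("Broad, future objects:", future_object_grants(BROAD))
```

In the sample data, the Study edit is denied by the record's sharing settings and the Product edit is denied by the permission set, which shows that neither layer can substitute for the other.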

## Tab Permissions {#tab-permissions}

From the **Tabs** section, you can control what tabs and tab collections a user can view. All standard tabs, custom tabs, and custom tab collections can be configured here. By default, users with the **View** permission on **All** tabs can view newly created tabs, and users with the **View** permission on **All Tab Collections** can view newly created tab collections.

### About the Read Permission {#object_read}

Users must have the **Read** permission on an object to:

* View a custom object tab
* View an object tab in **Business Admin**
* See object record details in a hovercard
* Select an object record when editing document or object fields
* Create a report using a report type that includes the object
* View results for a report using a report type that includes the object

Users without this permission can still view object record labels throughout Vault. For example, they can still search for documents using object fields for an object they cannot view.

## Pages Permissions

From the **Pages** section, you can control which application-specific _Pages_ a user can access.

## Mobile Permissions

From the **Mobile** section, you can control which tabs a user can view in <a href="/en/gr/71324/">Veeva Vault Mobile</a>.

## API Permissions

From the **API** section, you can see which Web API Groups a user can access. Learn more about Web APIs in the <a class="external-link " href="https://developer.veevavault.com/sdk/#Custom_API" target="_blank" rel="noopener">Vault Java SDK documentation<i class="fa fa-external-link" aria-hidden="true"></i></a>.

## Hidden or Missing Permissions

When you open a permission set, some of the permissions listed above will not appear. If a permission does not appear:

* The permission is specific to another Vault application or another application family. For example, the permission is specific to RIM and you are in a Clinical Operations Vault.
* The permission is related to a feature that is not enabled on your Vault. Sometimes, permissions are hidden when the related feature is not enabled.

 [0]: #object_read
 [1]: #object-control-permissions
