Managing Internal Users | Veeva Vault Help

Creating and assigning internal users grants them permissions to access and manage eCOA Vault data and eCOA functionality.

Understanding Permissions

User permissions consist of the security profile, add-on user role (if applicable), and study-specific application roles (if applicable).

Security profiles: These profiles are assigned to the user when they are created in the Vault and are the potential set of actions a user can do in the Vault. This, combined with the user application role, determines the user’s complete permissions.
- A user can only have one security profile.
User role: These roles are assigned as add-on roles for users with any security profile. Currently only one (1) add-on user role is available for Library Managers.
Application role: These roles are intended to map to real-world study roles. The combination of the security profile and application role determines what a user is able to do for that study.
- A user can be assigned to multiple studies with different application roles for each study.
- This is sometimes referred to as the study role.

Security Profiles

The following security profiles are available for the eCOA Vault. See an overview of the permissions the profiles grant below, or view the User Permissions Matrix section for specific details about what each security profile enables

Vault Owner: This security profile enables full management access to all Vault records and settings. Veeva recommends assigning only one Vault Owner for each Vault.
System Administrator: This security profile enables full management access to all Vault records and settings, including the ability to add a new user to the Vault.
Clinical Administrator: This security profile enables users to complete administrative tasks, such as managing studies and study users, for all studies. When combined with an appropriate application role for a study, users with this profile can also access Studio and Study Home.
Study Team User: This security profile enables users to complete study-related tasks only for the study that the user is assigned to and based on the assigned application role. Examples of tasks include managing the study, assigning users to the study, and accessing Studio and Study Home.
Read-Only User: This security profile enables read-only access to view study- and user-related information only for the study that the user is assigned to. When combined with an appropriate application role, users with this profile can also access Study Home.

User Roles

Add-on user roles are granted to users to extend their security profile permissions. The following user role is available:

Library Manager: This user role enables users to view and access the Library Manager and perform all actions to manage library surveys.

Study-Level Application Roles

Application roles are intended to map to real-world study roles. The following roles are available:

Data Manager
Lead Data Manager
Monitor
Study Manager
Study Viewer
Study Builder
- If a user with a Study Team User security profile creates a study, they are automatically assigned to the study as a Study Builder.

The application roles you assign to users also determine what tools and actions they can access. See the User Permission Matrix section below for information on which roles can access Study Home, Studio, and study locking workflows.

User Permissions Matrix

The following matrix shows the specific permissions granted by each Security Profile and Application Role combination:

User Setup		Vault Permissions		Permissions on Assigned Study							Additional Information
Security Profile	Application Role on Study	Manage Vault Users	Access Vault Reports	Manage Study Users ¹	Manage Study	Manage Study Country	Manage Site	Access Studio	Access Study Home	Lock and Unlock Sites and Studies	Notes
Vault Owner	Not applicable	Yes	Edit	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Users with the Vault Owner security profile have all permissions on all studies.
System Administrator	Not applicable	Yes	Edit	Yes	Yes	Yes	Yes	No	No	No	None
Clinical Administrator	If not assigned to study	No	Edit	Yes	Yes	Yes	Yes	No	No	No	This is the typical configuration for a central administration function.
	Data Manager Monitor Study Manager	No	Edit	Yes	Yes	Yes	Yes	No	Yes	No	None
	Study Viewer	No	Edit	Yes	Yes	Yes	Yes	No	Yes	No	We do not recommend this combination because a clinical administrator will always be able to manage study country and site, which is more permission than a study viewer is expected to have.
	Lead Data Manager	No	Edit	Yes	Yes	Yes	Yes	No	Yes	Yes	None
	Study Builder	No	Edit	Yes	Yes	Yes	Yes	Yes	No	Yes	None
Study Team User	If not assigned to study	No	View/Run	No	No	No	No	No	No	No	A user with the Read-only User security profile has no permissions on this study until assigned to an application role.
	Data Manager	No	View/Run	Yes	No	No	No	No	Yes	No	None
	Lead Data Manager	No	View/Run	Yes	No	No	No	No	Yes	Yes	None
	Monitor	No	View/Run	Yes	Yes	Yes	Yes	No	Yes	No	None
	Study Builder	No	View/Run	Yes	Yes	No	No	Yes	No	Yes	None
	Study Manager	No	View/Run	Yes	Yes	Yes	Yes	No	Yes	No	None
	Study Viewer	No	View/Run	No	No	No	No	No	Yes	No	None
Read-only User	If not assigned to study	No	View/Run	No	No	No	No	No	No	No	A user with the Read-only User security profile has no permissions on this study until assigned to an application role.
	Data Manager Monitor Study Manager Study Viewer Lead Data Manager	No	View/Run	No	No	No	No	No	Yes	No	None
	Study Builder	No	View/Run	No	No	No	No	No	No	No	We do not recommend this combination because a user with the Read-only User security profile cannot access Studio.

Note: The Library Manager user role can be added to any user to enable them to manage surveys saved in Library Manager.

Creating a New User

Only Vault Owners and System Administrators can create new users. See How to Create New User Accounts on the Creating & Managing Users page for more information.

Assigning a User to a Study

Ensure that the user already exists in Vault.
Assign them to the study they are working on by creating an Internal Person record for that study and selecting the appropriate Application Role.
If the study has restricted data, ensure that you select the Access Restricted Data check box for any user who should be able to see the survey data that is restricted. If you select an incorrect value, you will need to inactivate the record and create a new one.

Note: Users with certain security profiles can create studies. When a user creates a study, they’re automatically added as an Internal Person with the Study Builder application role. If they need a different role, they must inactivate their Study Builder record and assign themselves to the new role.

Looking for site user assignment information? See Creating and Assigning Site Users.

Edit Restricted Data Access

You must inactivate an internal person record and create a new one any time you want to change their access status. This functionality ensures that the User Access report can accurately record the beginning and end of each user’s restriction access.

Inactivate Internal Users

To remove an internal user’s access to the study, select Change State to Inactive from the actions menu of the internal personnel record.

Assigning an Add-On User Role

Only Vault Owners and System Administrators can assign user roles.

Go to the user on the Users & Groups page.
Go to the User Roles section.
Select Add.
Select the user role, for example, Library Manager.
Select OK.

Removing an Add-On User Role

Only Vault Owners and System Administrators can remove user roles.

Go to the user on the Users & Groups page.
Go to the User Roles section.
Select the name of the Library Manager role.
Select Edit.
Change the Status to Inactive.
Select Save.

Limitations

Delegate access is not supported in eCOA Vault.

Footnotes

1: Study users can be internal or site users. Internal users are Sponsor or CRO users that will have access to the study. Site users are granted access to study sites.