# Creating & Managing Users This article explains how to manage user accounts in a Vault from the **Admin > Users & Groups > Vault Users** page with the _User_ object. Managing users with the flexibility of Vault [object record layouts](/en/lr/26387/) allows you to create reports based on user data, create custom fields, configure field-level security, reference users directly from documents with lookup fields, inline edit from _User_ record list pages, [download](/en/lr/44069/#download-as-pdf) _User_ records to PDF, and more. User accounts exist at the domain level, so in multi-Vault domains, user details are shared across Vaults.
## About the User & Person Objects The _User_ object contains a record for each existing member of your Vault, while the _Person_ object allows you to add individuals who aren't domain users to your Vault. See [About the User & Person Objects](/en/lr/46534/) for more details about these objects, the _Vault Membership_ lifecycle, and more.
## Accessing User Management To access the user administration area, navigate to **Admin > Users & Groups > Vault Users**. You can also access the _User_ object record list page from **Business Admin > Objects > Users** or a custom _User_ object tab, if available. [Domain Admins](/en/lr/15127/) have additional options when managing users. ## System Managed Users {#System_Owned_Users} Vault uses System Managed User accounts to execute various actions and processes. These user accounts are read-only and are not included in license counts. System Managed Users vary by application and may include: * _System_ * _Application Owner_ * _Java SDK Service Account_ * _MyVeeva Integration User_ * _Clinical Survey Respondent_ * _Clinical Transfer_ System Managed Users have the following user object field settings: * **System Owned User**:_Yes_ * **Email**: no-reply@veeva.com * **Security Policy**: _System Managed_ System Managed Users do not appear in picklists when selecting users for data entry purposes (documents, object records, configurations) such as selecting users on a user object reference field, or manually assigning a user into a role for a document or object. However, when selecting users for search or filtering purposes, System Managed Users are included. For example, System Managed Users appear in picklists when filtering audit log entries by user, when using filters or conditional filters on Vault Reports, or when selecting users while searching for documents or object records (such as filtering on the _Created by_ field). ## Understanding Vault User Name & Email Address {#username} In Vault, all user names include the domain name your company uses for its Vaults. The user name format is _username@domainname_, for example, _bruce.ashton@veevapharm.com_. Although the user name has the same format as an email address, Vault does not send email notifications to the user name. Vault only sends email notifications to the address in the _Email_ field. ## How to Create New User Accounts {#CreatingANewUserAccount} To create a new user account: 1. From the **Vault Users** page, click **Create**. 2. Select an existing **Domain User**. If a domain user doesn't exist, select **Create Domain User** from the drop-down and fill in the required fields in the dialog. 3. Fill in the basic user information: **First Name**, **Last Name**, **User Name**, **Email**. 4. Fill in the user's contact information such as **Company**, **Title**, and more. Asterisks indicate required fields. 5. Select a [**Locale**](/en/lr/16678/#locales) and [**Language**](/en/lr/16678/) for the user. These options control localization options for the user (number and date formats and label language, respectively). Duplicate locales are appended with the language they correspond to, such as _Canada (English)_, _Canada (French)_, _Hong Kong (Chinese Simplified)_, and _Hong Kong (Chinese Traditional)_. 6. Select a **Timezone** for the user. Vault stores time and date information in UTC (Coordinated Universal Time), but displays that information to users in their time zones. 7. Optional: In the **Edit Localized Labels** field, select a language to allow the user to view and modify localized labels alongside labels in the Vault's base language. This field is only available when [multilingual labels](/en/lr/13309/) are enabled in your Vault. 8. Configure the [user account activation][7], if needed. 9. Select a [**License Type**, and **Security Profile**](/en/lr/5721/). If the _License Type_ field is not visible, manage application-specific licensing from the _Application Licensing_ section in step 11. If your domain includes multiple Vaults, Vault checks to see if the user name exists in another Vault and auto-fills some fields based on the existing user information. 10. Optional: Configure the user's [Email Preferences][8]. 11. Optional: Select a license value for each application underneath the [_Application Licensing_](/en/lr/5721/#application-license) section. You must select a license value for at least one application. Some license values may be unavailable depending on the application. 12. Set any [optional fields][8] as needed. 13. Click **Save**. New users are active immediately unless you selected a later activation date. Vault requires them to update their password the first time they log in. When new [supported languages](/en/lr/16678/) are introduced, they are available in Limited Release Vaults before they are supported in General Release Vaults. If a user has access to both Limited Release and General Release Vaults and you set the _Language_ field to a language that is only available for Limited Release, they will see some errors in the General Release Vault. To fix this, select a language that is supported in both Vaults.
### How to Manage User Account Activation {#user-account-activation} You can configure these settings as needed when you add a new user: Activation Date : If you select a future activation date, the user will stay in the _Pending_ state until the selected date, when the user will be automatically activated. Vault runs the _User Account Activation_ job daily to activate any users who are scheduled to be activated on that date. Send Welcome Email on Activation Date : If this checkbox is selected, Vault will automatically send a welcome email on the user's activation date. If you clear this checkbox, the user will not receive a welcome email. If a user has never logged into Vault and their account has been deactivated and reactivated again at a later point, the user will automatically receive a welcome email upon reactivation.
### Optional Settings {#optional-fields} You can configure these settings as needed when you create a new user or edit an existing one: Image : Click the **Pencil** icon to assign a user profile image. Profile images display throughout the application and are visible to other users. Image files must be in JPG, PNG, BMP, or GIF format and less than 10MB. Preferred Tab Collection : You can configure Vault to open in any [custom tab collection](/en/lr/542174/) when a user logs into Vault. Layout Profile : Assign a layout profile to the user. You can select only active layout profiles. Once assigned, the user will have access to any layouts on the profile when viewing object records. If no layout profile is assigned, they will see the default layout. Federated ID : Enter a Federated ID to associate the user with an external user ID for Single Sign-on or other system integration purposes. Security Policy : Select a [**Security Policy**](/en/lr/1985/). This controls password requirements for the user. Salesforce Username : Enter a **Salesforce Username** to associate the user with a salesforce.com or Veeva CRM user account for [delegated authentication](/en/lr/9594/). This option will only be available if the selected security policy allows login via salesforce.com. If you leave **Salesforce Username** blank, Vault will assume that the Vault user name and Salesforce user name are the same. Email Preferences : Select checkboxes to opt users in or out of specific Vault notification emails, including **System Maintenance Availability**, **Product Announcements**, favorite document notifications, and more.
## How to Edit User Accounts {#MaintainingUserProfileInformation} From the _User_ record, you can update the user's profile information, such as the title and company. When editing a user's profile information, Vault syncs any updated information with the Domain User account fields. If you edit a _Person_ record related to a _User_ record, Vault automatically updates both the _User_ record and the Domain User.
To edit a _User_ record: 1. From the **Vault Users** page or a list of _User_ records, open a _User_ record details page. 2. Click **Edit** and modify any information as needed. 3. Click **Save** when finished. On save, Vault synchronizes and populates any modified shared fields for the domain user. ### Editing a Profile Image You can edit the profile image from the _User_ record details page: 1. From the _User_ record, click **Edit**. 2. Click the **Edit** icon above the current image. 3. In the **User Profile** dialog, select **Upload an image**. 4. Click **Choose** and select a picture from your computer. You can also choose to remove the profile picture by selecting **Use default image**. 5. Click **OK**. ### Editing a User Name You can update the profile user name in the _User Name_ field. _User Name_ is a multi-part field, meaning you can edit the user name but not the domain to which the user belongs. For example, for the username "johndoe@domain.com", you can edit the prefix of "johndoe", but you cannot edit the "@domain.com". ## How to Set the User Landing Tab {#Landing_Tabs} You can configure the first tab a user sees after logging into Vault. To change a user's default landing tab: 1. Navigate to **Admin > Users & Groups > Vault Users**. 2. Ensure the _Landing Tab_ column shows in the user list. If necessary, add the column to the grid. 3. From the user list, double-click into the **Landing Tab** field for the appropriate user to edit the field in-line. 4. Select a tab by choosing one from the list, typing the tab name, or clicking the **binoculars** icon for advanced search and filter options. Depending on reference constraints configured on the _Landing Tab_ field, you may be able to select a sub-tab as the user's landing tab. You cannot select an Admin tab or an individual dashboard tab as the landing tab. If both a landing tab and a preferred tab collection are configured for a user, and the landing tab is not part of the user's preferred tab collection, Vault displays the landing tab and populates the primary navigation bar with the preferred tab collection. ## How to Create a Cross-Domain User To create a cross-domain user: 1. Navigate to **Admin > Users & Groups > Vault Users**. 2. Click the **Actions** menu and select **Create Cross Domain User**. 3. In the dialog, enter the **User Name** and select a **Security Profile** and **License Type**. 4. Click **Save**. Vault creates a cross domain user. ## How to Edit Vault Membership {#DisablingAUserAccount} Deactivating users prevents them from accessing Vault but does not remove the user account from the system. You cannot delete _User_ records, but you can make a user inactive. To make a user inactive, select **Make User Inactive** from the record's **Actions** menu. See details about the [Vault Membership Lifecycle](/en/lr/46534/#lifecycle). ## How to Reset User Passwords {#ResettingAUserPassword} To reset a single user's password: 1. From the **Vault Users** page or another list of _User_ records, open a single _User_ record details page. 2. Select **Reset Password** from the **Actions** menu. This option is available for all _Active_ users. 3. Vault sets a temporary password and sends an email notification to the user. To reset all user passwords: 1. Navigate to **Admin > Settings > Security Policies**. 2. Click **Reset All Passwords**. 3. Click **Continue** in the confirmation dialog.
## How to Resend Welcome Emails To resend a welcome email: 1. From the **Vault Users** page or another list of _User_ records, click to open a single _User_ record details page. 2. Select **Resend Welcome Email** from the **Actions** menu. This option is available for all _Active_ users. 3. Vault resends the welcome email with login instructions to the user. ## How to Force Update Security Questions To force a user to update their security question, select **Force Update to Security Question** from the **Actions** menu on a _User_ record. This option is available for all _Active_ users. The next time the user logs in, Vault prompts her to update her security question. You only see this option if your [password security policy](/en/lr/1985/) requires a security question on password reset. ## How to Edit Users' Group Membership From the _User_ record, scroll to the **Groups** section to see the groups to which the user belongs. You can search and filter within the section to find a specific group. To update the user's group membership, click **Edit Membership**. In the dialog, select checkboxes to add the user to groups or clear checkboxes to remove the user. Click **Close** to save your changes. ## How to Delegate Users' Account Access {#delegate-access-for-users} You can use the [Delegated Access](/en/lr/15015/) feature to grant a user access to another user's account. For example, if Thomas leaves work without first delegating his account access, you could delegate Thomas' account access to another user, Gladys. To delegate a user's account access to another user: 1. Open the _User_ record. For example, open Thomas' profile to give Gladys access to his account. 2. Navigate to the **Delegate Access** section. 3. Click **Create User** to delegate a user. 4. In the **Delegates** field, select the user(s) to whom you want to grant access. See details about [delegate requirements][15] below. 5. Select a **Start Date**. 6. In the **End Date** field, select an end date or select **Never**. If you select an end date, Vault automatically revokes access on that date. With either option, you can return to the _User_ record and manually revoke access. 7. Click **Grant Access**. If the **Grant Access** button is inactive, a warning appears under the **Delegates** field to inform you that one or more selected users no longer have delegate permissions. This may occur rarely when delegate selection optimization is in progress. ### Delegate Requirements {#Requirements} * Each user account can be delegated to up to 25 users. * A single user cannot have delegated access in more than 100 user accounts on a single Vault at a time. * Users without the _Allow as a Delegate_ permission cannot be selected as delegates. ### Revoking Access To revoke access, return to the _User_ record and navigate to the **Delegate Access** section. Select **Revoke Access** from the delegate's **Actions** menu. You can also click **Edit** from the delegate's **Actions** menu to modify the delegate user, start date, or end date. ### Managing Delegates Admins can view, edit, and create new delegates from **Admin > Users & Groups > Active Delegations**. Click the delegate's **Actions** menu to **Edit** or **Revoke Access** to a specific delegation, and click the blue create user button to add a new delegate to this Vault. Clicking a user's name will bring you to their _User_ record details page. A banner displays on the **Active Delegations** page when delegate selection optimization is in progress. This occurs automatically when the _Allow as a Delegate_ permission is assigned to or removed from users, and it optimizes the selection of delegates when creating new delegations. Because delegation is Vault-specific, only delegations in the current Vault are accessible. ### Enabling Delegated Access {#enabling-delegated-access} To enable delegation, navigate to **Admin > Settings > General Settings** and select the **Enable Vault Level Delegate Access** checkbox. Turning on this setting automatically turns on the **Allow non-Admin users to delegate access to their own accounts** setting, which allows users the ability to delegate their account through their user profile. If an organization needs to prevent users from delegating their own accounts, an Admin can turn off the setting. Selecting **Enable Vault Level Delegate Access** also enables the **Enforce strict delegation controls for Delegate Admin Users** setting. When enabled, Delegate Admins cannot create a delegation for a user with more permissions than themselves. For example, say John and Jane have the same Security Profile, but Jane is also assigned a user role that grants her permissions that John cannot access. If this setting is enabled and John attempts to create a delegation that allows Amy to act on behalf of Jane, Vault blocks the delegation. This error also occurs if John attempts to edit or revoke an existing delegation where a user has more permissions than his own. This setting does not apply when adding delegates from the [user profile page](/en/lr/15015/). Because these settings are Vault-specific, Admins must turn them on or off for each Vault.
### Log In As a User {#log-in-as} If _Enable Vault Level Delegate Access_ and _Enforce strict delegation controls for Delegate Admin Users_ are enabled, Delegate Admins can log into a user's account directly from a _User_ record detail page or list view. This function allows Delegate Admins to bypass the need to [create a delegate user and grant themselves access][19] when they need to delegate a user account to themselves. To log in to a delegate user account: 1. Navigate to a _User_ record detail page or list view. 2. Select **Actions** > **Log in as**. 3. Optional: Change the **Delegation end date** in the **Log in As** dialog. If you are initiating a new delegation, the end date is defaulted to seven days after the current date and an _Active Delegation_ record is created. If an _Active Delegation_ record exists for the selected user and Delegate Admin, Vault uses the start and end date on that record. If no end date exists on the _Active Delegation_ record, the _Delegation end date_ defaults to 365 days from the current date. The _Delegation end date_ for active and new delegations cannot exceed 365 days from the current date. 4. Click **Log In As**. The selected user account is now delegated to you and a delegate session is initiated. An _Active Delegation_ record is created if one does not already exist for the user account. If _Delegate access allowed only among group members_ is enabled, ensure to appropriately add Delegate Admins to the group. Otherwise, Delegate Admins may not consistently see the _Log in as_ action on _User_ records.
## Document Inbox Sharing From the _User_ record, you can manage [document inbox sharing](/en/lr/71099/). To add a user or group as an _Inbox Editor_: 1. From the _Document Inbox Sharing_ section of the _User_ object details page, click **Create**. 2. Add one or more users or groups in the **Users and Groups** box. 3. Select a value for the **Locked** field. Selecting _Yes_ for this field prevents the user from removing these document inbox sharing settings from their _Document Inbox_ page. 4. Click **Save**. If the _Share Inbox Document_ object is visible in **Business Admin > Objects**, you can also navigate there to perform bulk actions, search, or use Vault Loader to create records. ## Viewing Security Overrides {#viewing} From the _User_ record, you can view the **Security Overrides** section. This section displays any [field-level security](/en/lr/2942/) overrides applied to the user or groups to which the user belongs. ## How to Grant Access to Veeva Support On the _User_ record details page, you can grant Vault Support access to a specific user's account from the **Veeva Support** section. See [Granting Access to Veeva Support](/en/lr/1993/) for details. ## Working in the User Grid On the **Vault Users** page, the **Actions** menu offers options for working with users and editing how data appears: Bulk Actions : Allows you to perform bulk actions on all users or the users on the current page. Export : Export the user list to CSV or Excel. See [details][18] below. Edit Columns : Allows you to make the most frequently referenced fields on user accounts visible without opening the user detail page and also controls which fields are included when you export the user list. Truncate Cell Text/Wrap Cell Text : Lets you toggle between truncating (showing only the first part of the value) and wrapping (showing any characters that don't fit on a second line) text that is too big to fit in its column. Inline Editing : Allows you to update field values from the Vault Users page or another list of _User_ records. These options are available from wherever you view a list of _User_ records. When you use these options to customize how your data displays, the changes do not affect other users. Vault remembers your last selections and reapplies them when you return to the page. ### How to Export the User List {#export-user-list} From the **Users** page, open the **Actions** menu and select **Export to CSV** or **Export to Text**. This action exports the user list that you are currently viewing, ignoring pagination. For example, if you are viewing only active users in the current Vault, the export will not include inactive users or users from another Vault. However, the export will include all "pages" of users, even if your current view limits you to 25 per page. The exported file only includes the visible columns, so you may want to edit columns before exporting. CSV is only available if your Vault does not use localization settings, and Text is only available if it does.
## Filtering by Vault Membership Lifecycle State On the **Vault Users** page, you can use the drop-down next to the search box to filter the list of users in your Vault. You can select _Active Users_, _Inactive Users_, _Pending Users_, or _All Users_. Vault always defaults to show active users. ## User Search When you search for users on the **Vault Users** page, Vault executes a "begins with" search on all available fields on the _User_ object. If you search for "thom," Vault would find "Thomas Chung" and "Ella Thomason," but a search for "hom" would not find either of these users. Vault doesn't return results when you search on only the letters "V" or "M". _User_ object fields you do not have access to are excluded from the search results. When you search for users on the **Vault Users** page and [export the list of users][18], the export only includes users where the search term matches a value in the _Name_ column. If the search returns results that match on other columns, those results do not appear in the export. ## Assigning Security Profiles & User Roles When you assign [security profiles](/en/lr/23647/) or [user roles](/en/lr/69197/) to users, or update domain level attributes, such as the _First Name_, _Last Name_, or _Email_ directly on the _User_ object, Vault checks to see if you have all of the permissions included in the security profile or role you're assigning. These validations are performed in cases where updates are made directly to the _User_ object in addition to indirect updates made to the _Person_ object that maps to a protected field on the _User_ object. Vault does not allow you to assign a profile or role that includes permissions which you do not have. When assigning administrator profiles or roles, it can be helpful to have users separated by the duties they are expected to perform. For example, by assigning a _System Administrator_ security profile to a user that creates, edits, or otherwise manages permission sets, while assigning another security profile, _User Administrator_, to users that assign security profiles or role permissions, without needing to interact directly with permission sets. ## How to Configure the User Object Layout {#page-layout} The [object record layouts](/en/lr/26387/) for the _User_ object is the same when you access users from **Admin > Users & Groups > Vault Users**, from **Business Admin > Objects > Users**, or from a custom _User_ object tab. The order of fields and sections may be different from the legacy **User** page. While _Groups_, _Delegate Access_, and _Veeva Support_ sections may be available on the _User_ object layout, only Admins with the appropriate permissions can see these sections. In order for Admins to be able to create and edit users with the _User_ object, you need to update the _User_ object layout to include the following fields: * _First Name_ (`first_name__sys`) * _Last Name_ (`last_name__sys`) * _Email_ (`email__sys`) * _User Name_ (`username__sys`) * _Language_ (`language__sys`) * _Locale_ (`locale__sys`) * _Timezone_ (`timezone__sys`) * _Security Profile_ (`security_profile__sys`) * _License Type_ (`license_type__sys`) * _Domain Admin_ (`domain_admin__sys`) * _Security Policy_ (`security_policy__sys`) * _Federated ID_ (`federated_id__sys`) * _Landing Tab_ (`landing_tab__sys`) * _Activation Date_ (`activation_date__sys`); this field is required in order to create [pending users][7] * Any application license fields, for example, _Quality: QMS_ (`license_qualityqms__sys`) After adding these fields, you should also configure [field-level security](/en/lr/39108/) to either hide them or make them read-only for end users. You should keep all required fields visible when making updates to the _User_ object page layout. ### Standard User Object Layout {#standard-user-object-layout} The _User_ object also contains a _Standard User Detail Page Layout_, which organizes the _User_ object record layouts into [pages](/en/lr/26387/#pages) and [layout rules](/en/lr/51632/). You can use the [_Save As_](/en/lr/26387/#save-as-layout) function to make a copy of the _Standard User Detail Page Layout_ and modify it as needed. ### Mobile App Registrations _Mobile App Registrations_ allow Vault to send push notifications to a device with a Vault mobile application. By default, the _Mobile App Registrations_ section is displayed on the User object page layout. This section allows Admins to [manage registrations](/en/lr/7239/#mobile-app-registrations) from the _User_ object record page. To hide it, remove the _Mobile App Registrations_ section from the User object page layout. ### Configuring the Landing Tab Field By default, the _Landing Tab_ field includes a [reference constraint](/en/lr/75340/) that prevents Admins from selecting sub-tabs when assigning a landing tab. You can edit or remove the existing constraint to meet your organization's business needs. For example, removing the constraint allows Admins to select sub-tabs as default landing tabs. ### Configuring Document Inbox Sharing Related Object Section By default, the _Document Inbox Sharing_ related object section appears on the _User_ object page layout, but an Admin can remove it if necessary. ## Related Permissions The following permissions control your ability to create and manage users with the _User_ object: ### Security Profile Admin: Users: Manage User Object : Ability to create and modify _User_ object records. This permission also controls Vault's ability to synchronize updates to _User_ records with domain user fields. It also controls whether Vault displays the _Mobile App Registrations_ section, if enabled. Admin: Users: Read : Ability to see the **Security Overrides** section on the _User_ object page layout. Admin: Users: Assign Group : Ability to see the **Groups** section on the _User_ object page layout and assign a user to groups from the _User_ record. Admin: User: Grant Login Support : Ability to give Vault Support user account access for a specific user from **Users & Groups > Vault Users**. Admin: Users: Delegate Admin : Ability to see the **Delegate Access** section on the _User_ object page layout and give delegate access to another user's account from the User record. On multi-Vault domains, you must have this permission in each Vault to which the user has access. Admin: Users: Add Cross-Domain Users : Ability to add cross-domain users from **Users & Groups > Vault Users**. Admin: Object: Media: Read : Ability for users to view the profile image on _User_ and _Person_ object records. ### Object Objects: User Role: Read, Create, Edit, and Delete : Ability to add, edit, or remove _User Roles_ on a _User_ object record. Objects: Share Inbox Documents: Read, Create, Edit, and Delete : Ability to add, edit, or remove _Share Inbox Documents_ records on a _User_ object record. [7]: #user-account-activation [8]: #optional-fields [15]: #Requirements [18]: #export-user-list [19]: #delegate-access-for-users [20]: #enabling-delegated-access