Administrators can apply field-level access for specific users or user groups. When a field is restricted, it is no longer available in the Network UI and the Network API; only users with read-only or edit permission can access the field.
Field access can also be managed using profile layouts; you can remove the field from the layout to hide it from all users for specific countries. Using this field restriction feature, you can provide access to some users and hide it from other users.
When you create a field restriction, you make it available only to specific users or user groups for applicable countries. For all other users, the field becomes hidden in your Network instance and throughout the API.
The following access can be granted to users and user groups:
- Read-only - This permission can be assigned so users can view the field and value but cannot edit the field. A lock icon displays when users hover over the field value on the record profile.
- Edit - This permission can be assigned so users can view and edit the field value.
- No access - This is the implicit access for any user that has not been given read-only or edit permission to the field. The field is hidden from users in the Network UI and in the Network API.
In this example, the Address Rank field has been restricted to specific user types using system managed user groups.
The following access is assigned to these user types for the selected country:
Edit access - System and Data Admins, System Admins, Data Managers
Read-only access - Data Stewards
No access - Integration users, Standard users, and Portal users (all user types that were not given edit or read-only permission to the field).
Field restriction exceptions
Restricted field access is not applied to the following features:
- Data change requests (DCRs) - Data stewards and data managers can see the field and value on DCRs. If the request is approved, the field will be hidden from them in the rest of the Network UI if they do not have view or edit permission.
- Data load - Restricted fields can be loaded into your Network instance using source subscriptions and data updater. All updates are logged and can be viewed in the Revision History.
- Target export - Restricted fields are available in target subscriptions so you can filter them from the export.
Fields that cannot be restricted
Most standard and custom fields can be restricted. The fields that are not supported are system fields and fields that are used for key Network processes.
Fields that cannot be restricted:
- System fields - Veeva standard fields that are created when a record is created (
vid__vand so on).
- Required data model fields
- Custom key fields
- Candidate record field (
- Disabled fields
- Cluster Management fields
Fields used for integrations
When field restrictions are applied to Network fields that are mapped for integrations, ensure that Integration users have edit or read-only permission to the field.
If Integration users do not have access to the fields, issues can occur.
- Veeva CRM - Field mappings and search will be impacted.
- Concur Connector - Errors will occur when users are searching from Concur.
Create a field restriction
- In the admin console, click Users & Permissions > Field Restrictions.
Click Add Field Restriction.
The Create Field Restriction page displays.
In the Details section, select the field from the Restricted Field list.
Sets of fields display as their grouped name instead of the individual field name. For example,
All Emailsdisplays instead of
email_2__vand so on.
In the Field Restriction Permissions section, identify the permissions for user groups and individual users.
Name - Select the group or user from the list.
- Permission - Choose Read-only or Edit
- Countries applied to - Select the countries for each group and user permission. The list is filtered to include only the countries that the field is enabled for.
- Save your changes.
The field restriction is now active. Only the users that have Read-only or Edit permission can access the field.
View all field restrictions
All of the field restrictions in your Network instance are listed on the Field Restrictions page. The restrictions are sorted by the Field Label column.
Clone field restrictions
Cloning an existing restriction can save time if it applies to the same users and countries.
To clone a restriction
- On the Field restriction page, click Clone.
In the Clone dialog, choose the new field and click Next.
The field restriction is immediately created with the permissions and countries applied for the users.
- Add or change any user group or user permissions.
Click Save to update the restriction.
If you click Cancel, the field restriction is saved without any changes that you made.
To remove the cloned restriction, click Remove Restriction.
Delete field restrictions
When field restrictions are deleted, the field becomes accessible to all users.
- To delete a restriction, click the Delete icon.
The User page includes a section called Restricted Field Access. This section displays all of the restricted fields assigned to the user. Each row displays the field name, entity type, permission, and country that the permission applies to. If the user has different permissions for the same field for different countries, the field displays on separate rows.
The field restriction can be edited from the User page.
In the data model, administrators and data managers can use a new column, Field Access, to quickly see what fields are available to all users or are restricted.
- Click the Restricted link to navigate to the field restriction for more information or to make changes (administrators only).
- Click the field name to open the configuration page. The Properties section shows that the field is restricted. Administrators can click the Manage Field Restriction link to navigate to the Field Restrictions page for more information.
If a field is set as Required/Update, field restrictions cannot be applied to it because all users must be able to view it. Similarly, if field restrictions have been set on a field, the Required/Update option is dimmed and cannot be selected.
To see if a field is required, open the field's configuration page from the data domain. In the Visibility in Countries section, select a country group and view the Required/Update option.
If you run a report, the results will return the field column but the value will be empty. If the field restriction is on a relationship object or sub-object field, the field value will display in the results.
Restricted fields are hidden from Integration users in the response for the following API calls:
- Retrieve Entities
- Retrieve Change Request
- Batch Retrieve Change Request
For more information about the Network API, see the Network Developer Documentation.
Administrators can track new restrictions and changes to existing restrictions in the System Audit Log. In the Object Type field, select FieldAccess to view all of the field restriction actions in your Network instance.
Exporting field restrictions
Field restrictions cannot be exported from a source environment to a target environment. Users can be different between two environments, so the field restriction configurations would not be valid.
This applies to the following activities:
Exporting configuration packages
Refreshing or cloning a Network instance
Field restrictions must be recreated on the target environment.
Field restrictions cannot be exported to a target environment because the users on the target might be different.
Network instance refreshes
Field restrictions must be recreated if your Network instance is refreshed or cloned. For example, if you refresh a Sandbox instance using a clone of your Production instance, any field restrictions that were in the Production instance or the Sandbox instance are removed and must be recreated.