**Source URL:** https://limited.veevavault.dev/clinical/security/tree/understanding-tree-security.md

# Understanding Tree Security

To develop with security trees, you must understand the Vault objects involved in configuration.

The following is an example of a Security Tree object retrieved through MDL:

```
Object security_tree__c (
   label('Security Tree'),
   object_class('securitytree'),
   user_tree_assignment_object_name('user_assignment'),
   single_user_tree_assignment(true),
   user_reference_assignment()
);

```

* **label**: The Admin-facing UI label of this security tree.

* **object_class**: The object class of this security tree, which will always be `securitytree` for security tree objects. Only security tree objects can be of class `securitytree`. Learn more about [object classes in Vault Help](https://platform.veevavault.help/en/lr/15298/#object-class).

* **user_tree_assignment_object_name**: The name of this security tree’s *User Tree Assignment* object, without the `_c__sys` namespace. For example, the full name of this object in the example MDL above is `user_assignment_c__sys`. This object allows you to assign a user to a node in a security tree with an assigned *Application Role*. This attribute can only be set on create. Learn more about the [*User Tree Assignment Object*](https://platform.veevavault.help/en/lr/828859).

* **single_user_tree_assignment**: A Boolean value indicating if this security tree is configured to *Restrict Users to a Single Node Assignment*. If omitted on create, defaults to `false` and users are not restricted to a single node assignment. Learn more about [single node assignment in Vault Help](https://platform.veevavault.help/en/lr/828859).

* **user_reference_assignment**: The user reference field associated with this object. This field allows the object to automatically assign records to a security tree based on an existing static user assignment. For example, when you create a record on a secured object, setting this attribute automatically assigns the object record to the selected user's node. Learn more about [*User Reference Assignment* in Vault Help](https://platform.veevavault.help/en/lr/828859).

The following is an example of a custom object secured by a security tree retrieved through MDL:

```
Object my_custom_object__c (
   label('My Custom Secured Object'),
   security_tree_object('Object.security_tree__c'),
   tree_assignment_object_name('user_tree_assignment')
);

```

* **security_tree_object**: If this object is secured with a security tree, this attribute is the name of the Security Tree object which is securing this object. If blank, this object is not secured by a security tree.

* **tree_assignment_object_name**: If this object is secured with a security tree, this attribute is the name of the Tree Assignment object which is securing this object. A Tree Assignment object is an object of class `securedrecordtreeassignment`. If blank, this object is not secured by a security tree. Learn more about [*Secured Record Tree Assignment* in Vault Help](https://platform.veevavault.help/en/lr/828859).



---

**Previous:** [Tree Security](/clinical/security/tree)  
**Next:** [How to Enable Tree Security](/clinical/security/tree/how-to-enable-tree-security)