Getting Started

This Getting Started guide contains the information you need to get up and running on the Delinea Platform as quickly as possible. It contains an overview that lists the tasks you will need to complete, followed by general tips, including the purpose of the first two accounts: cloudadmin and Platform Admin. The rest of this guide gives step-by-step instructions for completing the required tasks to get started.

To troubleshoot common onboarding issues, see Onboarding Troubleshooting.

Overview

This Getting Started guide provides brief instructions for the tasks in the following list. Links to the full procedures are provided where relevant in each section.

Steps 1-3 must be completed in order. Steps 4-6 are for opt-in customers only and those customers must complete these steps in order. Steps 7 and 8 can be completed in any order after the previous steps are completed. Step 9 is information about MFA on the platform with links to related content.

1. Provision and Log In to the Platform
2. Add Domain User Accounts
3. Assign Yourself Admin Permissions and Access Secrets
4. Link Platform and Secret Server Groups
5. Sync Platform and Secret Server Groups
6. Assign Secret Server Permissions to Platform Users
7. 7. Assign Roles and Permissions to Users and Groups
8. Set Up and Use Privileged Remote Access
9. 9. About Multi-factor Authentication

General Tips

Before you begin the Getting Started tasks, consider the following general tips.

The Cloudadmin Account

As the first person to set up the Delinea Platform, cloudadmin is the first account you will need to perform initial platform provisioning, login, integration, and setup tasks. With the cloudadmin account, you will authorize domain user accounts on the platform and set up a second Platform Admin account for yourself based on a domain account of your own. The cloudadmin account is a local Delinea Platform account created for you. The account name follows the format cloudadmin@your_platform_tenant_name.

For migration customers only): Because cloudadmin is not your Secret Server administrator account, while you are logged in as cloudadmin you will not be able to see your existing secrets in Secret Server or use your existing Secret Server administrator permissions. This is expected behavior and it does not indicate a failed integration. Do not change the cloudadmin username to match an existing Secret Server username, because that will break the synchronization between the Delinea Platform and Secret Server.

Your Platform Admin Account

To gain Secret Server admin permissions and see secrets from the Platform, you must do the following while logged in as cloudadmin:

• Add domain user accounts to the Platform, including one of your own personal domain user accounts. See Step 2, Add Domain User Accounts.

• Create a Platform Admin account for yourself based on your personal authorized domain user account. See Step 3, Assign Yourself Admin Permissions and Access Secrets.

Both the cloudadmin and Platform Admin accounts initially have comprehensive administrator permissions on the platform. For cloudadmin, we recommend leaving the comprehensive permissions unless you have a clear and logical plan for distributing some of them to other administrator accounts. For the Platform Admin account, we recommend removing permissions that are not required for carrying out day-to-day platform administration tasks as soon as possible. We also recommend creating multiple administrator roles, each with a different set of permissions for specific purposes.

1. Provision and Log In to the Platform

This section gives procedures for provisioning and logging in to the platform. The procedures vary for the three type of customer below:

• New or Prospective Delinea Customers
• Secret Server Cloud Customers migrating/opting in to the Delinea Platform
• Current Secret Server On Premise Customers

For New or Prospective Delinea Customers

New or prospective Delinea customers can purchase or sign up for a trial of a Delinea Platform tenant with built-in, integrated Secret Server functionality by taking the steps below.

1. Contact a Delinea sales representative to request a trial platform account.

   If you do not receive one or more of the following emails from Delinea, see Onboarding Troubleshooting for guidance.

2. Welcome to your Secret Server Cloud Trial on the Delinea Platform: You will receive this initial email when you are approved for a trial. Use the links in the email to provision your platform cloud tenant and perform these tasks:

   • Set up your platform cloud tenant
   • Set up your initial administrator account
   • Select your hosting region
   • Choose a subdomain for your organization
   • Receive your platform access licenses
   • Designate an alternate owner at your organization
   • Sign up for Delinea Support services

3. Welcome to the Delinea Support Portal!: You will receive this second email after you complete the tasks in the first email. Click the link in this email to sign into your personalized Delinea Support portal with the username provided in the email.

4. You have been invited to the tenant-name tenant on Delinea Platform: You will receive this third email after you use the link in the second email to log in to the Delinea Support portal.

   • Make a note of your Cloudadmin account login username provided in the email.
   • Click the Accept Invitation button in the email to be taken to your platform tenant, where you will be logged in automatically the first time, with comprehensive administrator permission on both the platform and Secret Server.
   • Bookmark your platform tenant URL.
   • The second time you log in, you will be prompted to set a password for your Cloudadmin account. We recommend having this password generated for you automatically.

Not all platform features are available by default. To trial features like ITP/PCCE or PCS, contact your sales representative to have these enabled in your trial tenant.

For Secret Server Cloud Customers Migrating/Opting In to the Platform

Current Secret Server Cloud customers with specific permissions and entitlements can opt in to the platform through their Secret Server Cloud instance, following the basic procedure below:

1. Log in to your Secret Server Cloud instance as a Secret Server tenant administrator with Platform integration permissions.
2. Near the top of the portal, click the New! button.
   Note: If you do not see the New! button, contact your Delinea Sales representative.
3. In the window that opens, follow the on-screen instructions to provision your new Platform tenant, set up Platform integration with your Secret Server Cloud instance, and log in to the Platform.

For complete instructions, see Opt-in to Platform Tenant via Secret Server Cloud.

When a Secret Server administrator clicks the button to opt in to Delinea Platform integration, their Secret Server users will not have immediate access to the platform until the administrator sets up SSO, federation, and AD sync on the platform. For more information, see The Delinea Connector, Federation, and Integrating Entra ID.

For Secret Server On Premise Customers

Secret Server On Premise customers can access Privileged Remote Access through the Delinea Platform by contacting a Delinea sales representative to request a Delinea Platform tenant without Secret Server Cloud.

2. Add Domain User Accounts

On the Delinea Platform, you define various security policies and assign them to groups. Rather than add individuals to these groups, you map your domain groups to these platform identity groups. To enable your domain users to log in to the platform, you must either install the Delinea Connector (for Active Directory users) or configure Federation (IdP) for other users, or you can use both options for a mix of user types.

2a. Add Active Directory User Accounts

To add Active Directory user accounts to the platform, you must use the Delinea Connector. For complete instructions on downloading, installing, and registering the Connector, see The Delinea Connector.

The basic steps for installing the Delinea Connector are as follows.

1. Download the connector executable file by clicking Settings from the left navigation, then selecting Connectors.
2. On the Connectors page, click Add Connector.
3. In Box 1 on the Add connector page, click Download to get the 64-bit Connector Installer.
4. In Box 2, copy the tenant URL, and save it for later.
5. Generate or copy a connector Registration Code, and save that for later too.
6. In the Connector Configuration Wizard, select the box next to Use Registration Code and paste the code that you saved earlier into the field provided. The Connector Configuration Wizard, similar to a Distributed Engine in Secret Server, will read the forest and automatically display a list of forest domains that you can connect to the platform.
7. Select any domain where your users will be logging in from.
8. Make sure to include a domain where you have a personal account.

To map Microsoft Entra ID groups to platform groups, see Integrating Entra ID.

2b. Add Federated User Accounts

Unlike Secret Server Cloud users, federated Delinea Platform users are added to the platform "on-the-fly" when they log in, as long as they satisfy the authentication requirements through an external source such as AD or a federation service provider. Users do not need to be authorized or granted permissions in advance. Users that exist in external sources will not be listed on the platform at Access > Users until they log in to the platform for the first time.

The platform does not natively support bulk import and synchronization of all users from an external source such as federation or AD. Platform administrators can find AD users to add to the platform by performing filtered searches through external AD directories, but federated directories cannot be searched.

To integrate federation Identity Provider (IdP) services on the Delinea Platform, see Federation.

To manage federation IdP services on the platform, see Federation Management. Also see Troubleshooting Federated User and Group Mapping.

Local User Accounts

Adding local users to the platform is not considered a best practice for privileged access management. Generally, users should be added to the platform only through federation or through their membership in an Active Directory. Local user accounts should be used only rarely. For example vendors are added as local accounts, and you might need to add a local user account for someone who needs to try out platform functionality for a very limited time.

Local accounts cannot be converted to domain accounts.

(for migration customers only) After the Connector is installed and Active Directory is set up on the platform, do not add an existing SSC user as a local user, because doing so could cause synchronization issues between the platform and Secret Server.

To add a new local user, see Adding Users.

3. Assign Yourself Admin Permissions and Access Secrets

After you have authorized domain accounts on the platform, including your own personal domain account, you need to assign standard Administrator permissions for platform and Secret Server to your personal domain account, while logged in as cloudadmin.

3a. Assign Platform Admin Permissions to Your Personal Domain Account

1. Click Access from the left navigation, then select Groups.
2. Click the System Administrator group.
3. Click the Members tab.
4. Click Add members.
5. In the Search dialog, change the first filter to Users and change the second filter to your connected domain. Now the search will find users from your connected domains.
6. Find your own Platform Admin domain account and add it to the System Administrator group. Through your membership in this group, your account automatically inherits the Platform Admin role with appropriate permissions on the platform.

3b. Assign Secret Server Admin Permissions to Your Personal Domain Account

1. Click Settings from the left navigation, then select Administration below Secret Server.

2. On the Secrets Administration page, click Platform Integration.

3. Select the Groups tab.

4. Add the platform System Administrator group to the list of synchronized groups. Secret Server automatically creates a corresponding Secret Server group that is synched to the platform group.

5. Add a role with Secret Server administrator permissions to the new enabled platform System Administrator group. Your platform System Administrator account now has Secret Server administrator permissions through its membership in the synched Secret Server group.

3c. Access Secrets from the Platform

After you have assigned platform and Secret Server administrator permissions to your personal AD account, you can access Secrets from the platform.

1. Log out of the platform as Cloudadmin.
2. Log back into the platform using your Platform Admin account.

3. On the platform Home page, click Access Your Secret Server. The All Secrets page opens, where you can view, create, and manage your secrets.

For more on how to use and manage your secrets, see Using Secrets.

4. (Migration Customers Only) Link Platform and Secret Server Groups

When a platform user with administrator permissions in both platform and Secret Server identifies an existing platform group they want to link to a Secret Server group, the administrator provides Secret Server with the name of the platform group to be linked. Secret Server then retrieves the critical information about the platform group and uses it to automatically generate a new Secret Server group that is based on, linked to, and named for the original platform group.

These linked, automatically generated Secret Server groups are identified in Secret Server as Enabled Platform Groups. For Enabled Platform Groups, Secret Server manages the Secret Server permissions, and platform manages the platform permissions. Platform also manages the group memberships, so all members of Enabled Platform Groups are platform accounts.

Platform groups that can be linked to Secret Server groups this way include local as well as non-local platform groups, such as groups from external AD directories.

An Enabled Platform Group can coexist in Secret Server with a Secret Server-only group by the same name. The two groups remain distinct, and only one is identified as an Enabled Platform Group.

The group linking process moves in one direction: from the platform to Secret Server. So although you can link an existing platform group to a new Enabled Platform Group in Secret Server, you cannot link an existing Secret Server group to a platform group.

In this example, we will use Platform Test Group as the group name.

1. Click Settings from the left navigation, then select Administration below Secret Server.

2. On the Secrets Administration page, click Platform Integration.

3. Click the Groups tab.
4. Next to Enabled Platform Groups, click Edit.
5. In the Select Groups box, enter the name of a platform group that you want to sync to a new Secret Server group. In this example, Platform Test Group is the group name. Secret Server then queries the platform identity service and when it finds the group named Platform Test Group, the group's name is displayed beneath the Search field with a check box next to it.
6. Select the box next to Platform Test Group.
7. Click Save.

After the platform and Secret Server groups are linked, you can find the new Secret Server group named Platform Test Group from anywhere in Secret Server where groups are referenced. When you click to open Platform Test Group, the group page opens with a banner at the top stating, The members of this group are managed by Platform.

5. (Migration Customers Only) Sync Platform and Secret Server Groups

After the groups are linked, they are synchronized automatically at set intervals. The first time you link a platform group to a Secret Server group, the periodic synch might not happen immediately, so you might not see the platform accounts in the Secret Server group right away. To force the groups to synch:

1. Click Settings from the left navigation, then select Administration below Secret Server.

2. On the Secrets Administration page, click Platform Integration.

3. Click the Groups tab.

4. Click Sync Now.

The group synchronization process moves in one direction: from the platform to Secret Server. Existing platform groups synch to their linked Enabled Platform Groups in Secret Server, but existing Secret Server groups do not synch to platform groups.

6. (Migration Customers Only) Assign Secret Server Permissions to Platform Users

Platform permissions are unrelated to Secret Server permissions. But platform users need Secret Server permissions to access their secrets and Secret Server admin privileges. Secret Server permissions can be assigned to platform users by linking a platform to an Enabled Platform Group in Secret Server, then assigning Secret Server permissions to the platform accounts in the linked Secret Server group.

1. Click Secret Server from the left navigation menu.
2. Click Access from the left navigation, then select Groups.
3. Click to open an Enabled Platform Group.
4. Click the Roles tab.
5. Click Assign to roles. A list opens of all available Secret Server roles (with attached permissions).
6. Check the box next to each role you wish to assign to the group.
7. Click Save.

7. Assign Roles and Permissions to Users and Groups

On the Delinea Platform, permissions are assigned to roles, and roles are assigned to groups, so users inherit permissions through their group memberships. The platform supports custom roles and the following two built-in roles, which cannot be renamed or deleted:

• Platform User: All platform users belong to the Everybody group, and through that group membership they inherit the Platform User role. The Platform User role provides the user with basic permissions to log in to the platform, access their secrets, launch PRA sessions, and view their own session recordings.

• Platform Admin: Platform users added to the System Administrator group inherit the Platform Admin role through that group membership. The Platform Admin role provides all permissions on the platform.

  User roles and permissions are managed by clicking Access from the left navigation, then selecting Users, Groups, or Roles.

  For more detailed instructions on managing roles and permissions on the platform, see User Roles and Permissions.

8. Set Up and Use Privileged Remote Access

Delinea Privileged Remote Access (PRA) provides seamless access to remote machines through Remote Desktop Protocol (RDP) and Secure Socket Shell (SSH), with no need for a Virtual Private Network (VPN).

Install the Remote Access Engine

Before you install the PRA engine, make sure you meet the minimum requirements. See PRA Requirements.

1. Click Settings from the left navigation menu, then select Remote Access.

2. Click Add Site.
3. Follow the instructions at Create a Site.
4. Follow the instructions at Install an Engine.
5. Follow the instructions at Activate the Engine.

Launch a PRA Session

To launch a PRA session from the Delinea Platform:

1. From the left navigation menu, click Secret Server.
2. On the All secrets page, locate a secret associated with PRA.
3. Hover your cursor near the right end of the Name field.
4. Click the rocket (launch) icon. The Select Launcher window pops up.
5. Select Open with Remote Access. A new browser tab opens, where you can launch a PRA connection to a remote machine.

For more detailed instructions on using the Privileged Remote Access, see Using PRA.

9. About Multi-factor Authentication

The platform provides cloud-based, flexible multi-factor authentication (MFA) as powerful as many retail MFA products and services. All administrators and business users on the platform should be required to use multi-factor authentication (MFA) to log in.

Platform MFA has two components: Authentication Profiles and Identity Policies.

• An identity MFA profile determines which MFA challenges are presented to a user (see Authentication Profiles).

• An identity MFA policy determines whether and when a user is presented with the challenges in their assigned MFA profile (see Identity Polices).

More information about MFA on the platform can be found in the following sections:

• MFA for Secrets. Multi-factor authentication (MFA) for secrets gives platform administrators the option to add one or more security requirements to access defined secrets.

• Identity Policies. Enabling MFA on the platform requires setting up identity policies and assigning them to users. An identity policy determines whether and when a user is presented with the challenges specified in the associated MFA profile.

• Authentication Profiles. Enabling MFA on the platform requires setting up authentication profiles. An authentication profile specifies the authentication challenges required to log in to the platform, and the length of time that must elapse before a user is re-prompted for authentication.

• Corporate IP Range. The Corporate IP Range function is used to define IP ranges for both internal and external networks, and to define authentication requirements such as the locations or IP ranges from which users can log in to the Delinea Platform.

• RADIUS Configuration. You can use your RADIUS server to authenticate users to the Delinea Platform.

• Login Flow for the Delinea Platform Portal (MFA). The Delinea Mobile app can be used as an MFA mechanism for logging in to the Delinea Platform. Also see Delinea Mobile Log in Process.