Managing Groups

This page explains how to manage groups.

Predefined Groups

The Delinea Platform has two predefined groups:

  • Everybody: All platform users belong to the Everybody group. Through that group membership they inherit the Platform User role, with permissions to log in to the Delinea Platform, access their secrets, launch PRA sessions, and view their own session recordings. The Everybody group cannot be renamed or deleted.

  • System Administrator: Platform users who belong to the System Administrator group inherit the Platform Admin role, with all administrative permissions. When the Delinea Platform is first installed, the user account that is created automatically belongs to the System Administrator group. The System Administrator group cannot be renamed or deleted.

Types of Groups

The platform supports the following types of groups: global AD security groups, universal AD security groups, Entra ID security groups, and user attributes/claims named groups.

It does not support domain local groups. It also does not support distribution lists. A distribution list, sometimes inaccurately called a distribution group , is used to send email to users specified on the list. But on any access control system including the Delinea Platform, groups are used for access control. A distribution list cannot be used for access control because it cannot be listed in discretionary access control lists (DACLs). A distribution list has no index, so you can’t query it to determine if a user (trying to access something) is or is not on the list, rendering the distribution list useless for purposes of controlling access. 

For more information on groups, roles, and permissions, see Roles and Permissions.

Adding a Group

  1. Click Access from the left navigation, then select Groups.

    alt

  2. Click Add Group.

    alt

  3. Click Save.

  4. On the Add group page, enter a group Name and Description.

  5. Click Save.

Adding Users to a Group

You can add several types of members to a group, including users, directory groups such as AD, and Delinea groups. To add a member to a group, follow these steps:

  1. Click Access from the left navigation menu, then select Groups.

  2. On the Groups page, click a group.

    alt

  3. On the specific group page, click the Members tab.

  4. Click Assign Members.

  5. On the Assign members page, search for and select each user you want to add, then click Add.

User Directory Service Configuration

  1. Click Settings from the left navigation, then select Directory services.

  2. Select the checkbox next to a directory service you want to use or remove. Actions available for a selected directory service vary:

    • Delinea and Federated directory are read only (no actions).
    • Active directory can only be moved (no remove).
    • Other directory types can be removed.

A dialog appears with options that include one or more of the following, depending on the type of directory or directories you selected: Clear Selected, Move Down, Move Up, or Remove Selected.

User Directory Service Configuration

Additional Attributes

  1. On the Configuration page, click the Additional Attributes tab.

    alt

  2. Click Add Attributes.

  3. On the Add Attributes page, enter a name in the Name field. The name can contain only letters, numbers, and underscores. It must begin with a letter and contain at least one underscore.

    alt

  4. In the Type field, search for a type or click the dropdown arrow and pick one of the following:

    • Number
    • Number (Decimal)
    • Text
    • True/False
    • Data Time

  5. Click Save. A message appears: Your Attribute has been Added Successfully.

On the platform, user roles and their associated permissions are assigned to users through the users' memberships in platform groups, including platform groups mapped to federated groups (see Mapping Federated Groups). For more information on groups, roles, and permissions, see Understanding Roles and Permissions.

For related content, see the following: 

External Directory Group Allowlist

This feature is currently available only to customers participating in a Public Preview. For details, see Public Preview

External directory groups are groups that are managed by an external identity provider (IdP), such as Microsoft Entra ID or Active Directory. These groups are not created or maintained directly within the Delinea Platform. By default, when you integrate with Entra ID, all security groups from your directory are browsable within the platform. However, if you need more control, platform administrators can choose to limit which external groups are available.

To do this, simply add the desired groups to the platform’s External Groups list. Once this list is defined, only the specified groups will be available when managing roles, applying identity policies, or sharing secrets. This global change allows you to ensure that only relevant groups are used across your tenant, enhancing usability, security, and administrative control.

Create or Update an External Group List

  1. On the Delinea Platform, navigate to Access > Groups.

  2. Select the External groups tab.

  3. Click Set external group availability.

  4. Select the Directory source to start browsing for groups.

  5. Select the desired groups for use on the Delinea Platform.

  6. Click Add.

The selected groups now appear in the External Groups list. Only these groups will be available in the platform for assigning roles, applying identity policies, and managing secret permissions. To restore the default experience—where all groups from all external directories are browsable—simply clear the external group list.

Delete Groups from the External Group List

  1. On the Delinea Platform, navigate to Access > Groups.

  2. Select the External groups tab.

  3. Select the groups to be removed by selecting the checkbox next to the group.

  4. Click Remove.

  5. At the confirmation dialog click Remove.

The selected groups are now removed from the External Groups list. Removing all groups restores the default browsing experience.