Managing Groups

This page explains how to manage groups.

Predefined Groups

The Delinea Platform has two predefined groups:

• Everybody: All platform users belong to the Everybody group. Through that group membership they inherit the Platform User role, with permissions to log in to the Delinea Platform, access their secrets, launch PRA sessions, and view their own session recordings. The Everybody group cannot be renamed or deleted.

• System Administrator: Platform users who belong to the System Administrator group inherit the Platform Admin role, with all administrative permissions. When the Delinea Platform is first installed, the user account that is created automatically belongs to the System Administrator group. The System Administrator group cannot be renamed or deleted.

Types of Groups

The platform supports the following types of groups: global AD security groups, universal AD security groups, and user attributes/claims named groups. It does not support distribution lists. A distribution list, sometimes inaccurately called a distribution group , is used to send email to users specified on the list. But on any access control system including the Delinea Platform, groups are used for access control. A distribution list cannot be used for access control because it cannot be listed in discretionary access control lists (DACLs). A distribution list has no index, so you can’t query it to determine if a user (trying to access something) is or is not on the list, rendering the distribution list useless for purposes of controlling access. 

For more information on groups, roles, and permissions, see Roles and Permissions.

Adding a Group

1. Click Access from the left navigation, then select Groups.

   

2. Click Add Group.

   

3. Click Save.

4. On the Add group page, enter a group Name and Description.

5. Click Save.

Adding Users to a Group

You can add several types of members to a group, including users, directory groups such as AD, and Delinea groups. To add a member to a group, follow these steps:

1. Click Access from the left navigation menu, then select Groups.

2. On the Groups page, click a group.

   

3. On the specific group page, click the Members tab.
   

   

4. Click Assign Members.

5. On the Assign members page, search for and select each user you want to add, then click Add.
   

   

User Directory Service Configuration

1. Click Settings from the left navigation, then select Directory services.

2. Select the checkbox next to a directory service you want to use or remove. Actions available for a selected directory service vary:

   • Delinea and Federated directory are read only (no actions).
   • Active directory can only be moved (no remove).
   • Other directory types can be removed.

A dialog appears with options that include one or more of the following, depending on the type of directory or directories you selected: Clear Selected, Move Down, Move Up, or Remove Selected.

Additional Attributes

1. On the Configuration page, click the Additional Attributes tab.

   

2. Click Add Attributes.

3. On the Add Attributes page, enter a name in the Name field. The name can contain only letters, numbers, and underscores. It must begin with a letter and contain at least one underscore.

   

4. In the Type field, search for a type or click the dropdown arrow and pick one of the following:

   • Number
   • Number (Decimal)
   • Text
   • True/False
   • Data Time

5. Click Save. A message appears: Your Attribute has been Added Successfully.

On the platform, user roles and their associated permissions are assigned to users through the users' memberships in platform groups, including platform groups mapped to federated groups (see Mapping Federated Groups). For more information on groups, roles, and permissions, see Understanding Roles and Permissions.

For related content, see the following: 

• Managing User Accounts and Groups

• Managing User Accounts

• Managing Your User Profile