Group Management

For new Delinea Platform customers who were not using Secret Server previously, platform groups and Secret Server groups don't need to be linked or synchronized. Platform groups are now recognized in Secret Server group interactions, without prior synchronization. For example, when a user opens a secret, clicks the Sharing tab, and searches for groups, Secret Server and platform groups are both queried simultaneously.

If you set up a new platform group and then look immediately for the group in Secret Server, it might not appear right away. The synchronization takes place at timed intervals, and you might need to wait several minutes. To force new groups to synchronize immediately, follow the directions in the next section, Manually Synchronize New Platform and Secret Server Groups.

Manually Synchronize New Platform and Secret Server Groups

To force new groups to synchronize immediately:

  1. Click Settings from the left navigation, then click Platform groups sync.

  2. On the Platform Integration page, select the Groups tab.

  3. Click Edit.

  4. Click inside the box under Select Groups.

  5. Begin typing the name of the new group, and it will appear.

  6. Select the checkbox next to the group name.

  7. Click Save.

  8. Click Sync Now.

If a new federated user does not appear on the platform, in a group or otherwise, it could be because the user has not yet logged in to the platform for the first time.

Group Mappings

Group mapping is the method of associating user groups from an IdP such as Auth0 to corresponding local groups on the Delinea Platform (SP). This ensures that the user is granted the appropriate level of access based on their group memberships in the IdP's system.

Administrators can define mappings that dictate how the groups received from the IdP should be translated into specific groups on the platform.

On the Delinea Platform, federated groups are not added to named platform identity groups. Instead, they are mapped to platform groups through the IdP group's Object ID.

When a user logs in with an IdP's federated email domain, the platform logs them in as a federated user. During that first authentication, the IdP sends the platform an attribute (claim) named groups for the user, containing the Object ID of each IdP group the user belongs to. Each Object ID maps to platform groups, and the user is added as a member of those mapped groups.

For additional information, see Group Mappings under Federation Management.

On the platform, user roles and their associated permissions are assigned to users through the users' memberships in platform groups, including platform groups mapped to federated groups as described above. For more information on groups, roles, and permissions, see User Roles and Permissions.
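The resolution described above, as an added illustration that is not part of the Delinea documentation or product code: a federated user's groups claim is resolved by Object ID (never by display name) against a constructed mapping table, the user is placed in Everybody plus the mapped groups, roles are inherited through those groups, and Object IDs with no mapping are reported so an administrator can see memberships the platform will not honour. The mapping table, role table, federated domain and claim set are all constructed for the example.

```python
import json

# Constructed mapping table (IdP group Object ID -> platform group name).
# Mapping is keyed on the Object ID, so a renamed IdP group still lands in
# the same platform group, and a same-named but different IdP group does not.
GROUP_MAPPINGS = {
    "3f2a9c1e-0000-4000-8000-000000000001": "Secret Readers",
    "3f2a9c1e-0000-4000-8000-000000000002": "System Administrator",
}

# Roles inherited through platform group membership. The two predefined
# groups follow the page's Predefined Groups section; "Secret Readers" is a
# constructed local group that carries no platform role of its own.
GROUP_ROLES = {
    "Everybody": {"Platform User"},
    "System Administrator": {"Platform Admin"},
    "Secret Readers": set(),
}

FEDERATED_DOMAINS = {"example.com"}  # constructed federated email domain


def resolve_federated_login(claims_json, mappings=GROUP_MAPPINGS, roles=GROUP_ROLES):
    """Return (platform groups, effective roles, unmapped Object IDs) for one login."""
    claims = json.loads(claims_json)
    email = claims.get("email", "")
    domain = email.rpartition("@")[2].lower()
    if domain not in FEDERATED_DOMAINS:
        raise ValueError("%r is not in a federated email domain" % email)
    object_ids = claims.get("groups", [])
    if not isinstance(object_ids, list):
        raise ValueError("the groups claim must be a list of Object IDs")
    groups = {"Everybody"}  # every platform user belongs to Everybody
    unmapped = []
    for oid in object_ids:
        name = mappings.get(str(oid).lower())
        if name is None:
            unmapped.append(oid)  # membership the platform will not honour; log it
        else:
            groups.add(name)
    effective = set()
    for group in groups:
        effective |= roles.get(group, set())
    return groups, effective, sorted(unmapped)


# Constructed claim set for one federated user: one mapped and one unmapped group.
SAMPLE_CLAIMS = json.dumps({
    "email": "alice@example.com",
    "groups": ["3f2a9c1e-0000-4000-8000-000000000001",
               "7b0d4e55-0000-4000-8000-00000000beef"],
})
```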

Enabled Platform Groups

Delinea Platform permissions are unrelated to Secret Server permissions. However, platform users need Secret Server permissions to access their secrets and Secret Server admin privileges. Secret Server permissions can be assigned to platform users by linking a platform group to an Enabled Platform Group in Secret Server, then assigning Secret Server permissions to the platform accounts in the linked Secret Server group.

Linking and Syncing Groups

For platform customers who opted in to the platform from an existing Secret Server implementation, platform and Secret Server groups must be linked and synchronized. When a user with administrator permissions in both the platform and Secret Server identifies an existing platform group they want to link to a Secret Server group, the administrator provides Secret Server with the identity of the platform group to be linked. Secret Server then retrieves the critical information about the platform group and uses it to automatically generate a new Secret Server group that is based on, linked to, and named for the original platform group.

These linked, automatically generated Secret Server groups are identified in Secret Server as Enabled Platform Groups. For Enabled Platform Groups, Secret Server manages the Secret Server permissions, and platform manages the platform permissions. Platform also manages the group membership, so all members of Enabled Platform Groups are platform accounts. Platform groups that can be linked to Secret Server groups this way include local as well as non-local platform groups, such as groups from external AD directories.

An Enabled Platform Group can coexist in Secret Server with a Secret Server-only group by the same name. The two groups remain distinct, and only one is identified as an Enabled Platform Group.

The group linking process moves in one direction: from the Delinea Platform to Secret Server. Therefore, you can link an existing platform group to a new Enabled Platform Group in Secret Server, but you cannot link an existing Secret Server group to a platform group.

  1. Click Settings from the left navigation, then click Platform groups sync.

  2. On the Platform Integration page, select the Groups tab.

  3. Next to Enabled Platform Groups, click Edit.

  4. In the Select Groups box, enter the name of a platform group you wish to synchronize to a Secret Server group. Secret Server immediately begins to query the platform identity service. When it finds the group you're searching for, the group's name is displayed beneath the Search field with a checkbox next to it.

  5. Select the checkbox next to the group's displayed name.

  6. Click Save.

  7. Click Sync Now.

After the platform and Secret Server groups are linked and synchronized, you can find the new Secret Server group from anywhere in Secret Server where groups are referenced. When you click to open the synchronized group, the group's page opens with a banner at the top stating, The members of this group are managed by Platform.

Assigning Secret Server Permissions to Platform Users

  1. Click Access from the left navigation menu, then select Groups.
  2. Click to open an Enabled Platform Group.
  3. Click the Roles tab.
  4. Next to Group Roles, click Edit. A list opens of all available Secret Server roles (with attached permissions).
  5. Check the box next to each role you wish to assign to the group.
  6. Click Save.

Automatically Create Groups During Synchronization

Instead of manually linking a Secret Server group to a platform group, you can choose to automatically create new Enabled Platform Groups in Secret Server during the periodic group synchronizations. When you enable the Create Groups During Synchronization feature, Secret Server checks all associated platform users to see if any belong to a platform group that is not yet linked to a Secret Server group. If an unlinked platform group is found, Secret Server automatically creates and links a corresponding Secret Server group.

  1. Click Settings from the left navigation menu.
  2. On the Settings page, click Platform integration. The Platform Integration page opens to the Configuration tab.

  3. Click Edit next to Platform Integration Configuration.

  4. Scroll down and select the Create Groups During Synchronization checkbox.

  5. Consider the warning message that appears:

    Warning! Enabling "Create Groups During Synchronization" can create a large number of groups locally if the Platform users are members of many groups in Platform, including groups through external directory services such as Active Directory or Microsoft Entra ID federation.

  6. Click Cancel to cancel, or click Save to automate the creation of new Enabled Platform Groups in Secret Server during the periodic group synchronizations.
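A small model of the rules stated in Linking and Syncing Groups and in this section, added here as an illustration and not taken from Secret Server or the Delinea Platform: linking runs one way and generates a new linked group, a linked group may coexist with a same-named Secret Server-only group, membership of a linked group is owned by the platform while its roles stay with Secret Server, and a sync with Create Groups During Synchronization enabled reports how many groups it would create. All class and function names and the sample groups and users are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecretServerGroup:
    name: str
    members: set = field(default_factory=set)
    roles: set = field(default_factory=set)  # assigned and kept by Secret Server
    platform_group_id: str = None            # set only on Enabled Platform Groups

    @property
    def platform_managed(self):
        return self.platform_group_id is not None


class SecretServerDirectory:
    def __init__(self):
        self.groups = []  # a list, not a dict: same-named groups may coexist

    def create_local(self, name):
        group = SecretServerGroup(name)
        self.groups.append(group)
        return group

    def link_platform_group(self, platform_group):
        """Platform -> Secret Server only: a new linked group is generated, never reused."""
        if any(g.platform_group_id == platform_group["id"] for g in self.groups):
            raise ValueError("platform group %s is already linked" % platform_group["id"])
        group = SecretServerGroup(platform_group["name"], set(platform_group["members"]),
                                  platform_group_id=platform_group["id"])
        self.groups.append(group)
        return group

    def add_member(self, group, account):
        if group.platform_managed:
            raise PermissionError("The members of this group are managed by Platform")
        group.members.add(account)

    def sync(self, platform_groups, platform_users, create_groups=False):
        """Refresh linked memberships from the platform; return names of groups created."""
        by_id = {pg["id"]: pg for pg in platform_groups}
        created = []
        if create_groups:  # auto-link every unlinked group any platform user belongs to
            linked = {g.platform_group_id for g in self.groups if g.platform_managed}
            for user in platform_users:
                for gid in user["groups"]:
                    if gid in by_id and gid not in linked:
                        created.append(self.link_platform_group(by_id[gid]).name)
                        linked.add(gid)
        for group in self.groups:
            if group.platform_managed and group.platform_group_id in by_id:
                group.members = set(by_id[group.platform_group_id]["members"])  # roles untouched
        return created
```

Running sync with create_groups=True against a user population that carries many directory groups shows, as the warning above says, how many local groups the setting would fan out into before it is enabled.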

Predefined Groups

The Delinea Platform has two predefined groups:

  • Everybody: All platform users belong to the Everybody group, and through that group membership they inherit the Platform User role, with permissions to log in to the Delinea Platform, access their secrets, launch PRA sessions, and view their own session recordings. The Everybody group cannot be renamed or deleted.

  • System Administrator: Platform users who belong to the System Administrator group inherit the Platform Admin role, with all administrative permissions. When the Delinea Platform is first installed, the user account that is created automatically belongs to the System Administrator group. The System Administrator group cannot be renamed or deleted.

For more information on groups, roles, and permissions, see Roles and Permissions.

Adding a Group

  1. Click Access from the left navigation, then select Groups.

  2. Click Add Group.

  3. Click Save.

  4. On the Add group page, enter a group Name and Description.

  5. Click Save.

Adding Users to a Group

You can add several types of members to a group, including users, directory groups such as AD, and Delinea groups. To add a member to a group, follow these steps:

  1. Click Access from the left navigation menu, then select Groups.
  2. On the Groups page, click a group.

  3. On the specific group's page, click the Members tab.

  4. Click Add Member.

  5. On the Add Members page, select the checkbox next to each user you want to add, then click Add.

    A message appears: Member has been Added Successfully.

User Directory Service Configuration

  1. Click Settings from the left navigation, then select Directory services.

  2. Select the checkbox next to a directory service you want to use or remove. Actions available for a selected directory service vary:

    • Delinea and Federated directory are read only (no actions).
    • Active directory can only be moved (no remove).
    • Other directory types can be removed.

    A dialog appears with options that include one or more of the following, depending on the type of directory or directories you selected: Clear Selected, Move Down, Move Up, or Remove Selected.

Additional Attributes

  1. On the Configuration page, click the Additional Attributes tab.

  2. Click Add Attributes.

  3. On the Add Attributes page, enter a name in the Name field. The name can contain only letters, numbers, and underscores. It must begin with a letter and contain at least one underscore.

  4. In the Type field, search for a type or click the dropdown arrow and pick one of the following:

    • Number
    • Number (Decimal)
    • Text
    • True/False
    • Date Time

  5. Click Save. A message appears: Your Attribute has been Added Successfully.