Group Management

Predefined Groups

The Delinea Platform has two predefined groups:

  • Everybody: All platform users belong to the Everybody group. Through that group membership they inherit the Platform User role, with permissions to log in to the Delinea Platform, access their secrets, launch PRA sessions, and view their own session recordings. The Everybody group cannot be renamed or deleted.

  • System Administrator: Platform users who belong to the System Administrator group inherit the Platform Admin role, with all administrative permissions. When the Delinea Platform is first installed, the user account that is created automatically belongs to the System Administrator group. The System Administrator group cannot be renamed or deleted.

Types of Groups

The platform supports the following types of groups: global AD security groups, universal AD security groups, and user attributes/claims named groups. It does not support distribution lists. A distribution list, sometimes inaccurately called a distribution group, is used to send email to the users specified on the list. On any access control system, including the Delinea Platform, groups are used for access control. A distribution list cannot be used for access control because it cannot be listed in discretionary access control lists (DACLs). A distribution list has no index, so you can't query it to determine whether a user who is trying to access something is on the list, which makes it useless for controlling access.
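As an added illustration (not Delinea code), the check below decodes the Active Directory groupType attribute to separate the supported global and universal security groups from distribution lists before you try to add them. The sample group names and helper names are constructed; domain local groups are reported as not usable only because this page does not list them as supported.

```python
from typing import NamedTuple

# groupType bit flags defined by Microsoft for Active Directory group objects.
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000

SCOPES = {GLOBAL: "global", DOMAIN_LOCAL: "domain local", UNIVERSAL: "universal"}


class Verdict(NamedTuple):
    name: str
    kind: str      # "security" or "distribution"
    scope: str     # "global", "domain local", "universal" or "unknown"
    usable: bool   # True only for the AD group types this page lists as supported


def classify(name: str, group_type: int) -> Verdict:
    """Decode a groupType value; LDAP returns it as a signed 32-bit integer."""
    flags = group_type & 0xFFFFFFFF  # normalise negative values to unsigned
    kind = "security" if flags & SECURITY_ENABLED else "distribution"
    scope = next((label for bit, label in SCOPES.items() if flags & bit), "unknown")
    usable = kind == "security" and scope in ("global", "universal")
    return Verdict(name, kind, scope, usable)


def review(groups):
    """Classify every (name, groupType) pair from a directory export."""
    return [classify(name, group_type) for name, group_type in groups]


# Constructed sample export (hypothetical names); not real directory data.
SAMPLE = [
    ("PAM-Admins", -2147483646),    # 0x80000002: global security group
    ("PAM-Auditors", -2147483640),  # 0x80000008: universal security group
    ("FileShare-RW", -2147483644),  # 0x80000004: domain local security group
    ("All-Staff-Mail", 8),          # 0x00000008: universal distribution list
]

if __name__ == "__main__":
    for v in review(SAMPLE):
        status = "ok" if v.usable else "not usable"
        print(f"{v.name:16} {v.kind:12} {v.scope:13} {status}")
```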

For more information on groups, roles, and permissions, see Roles and Permissions.

Adding a Group

  1. Click Access from the left navigation, then select Groups.

  2. Click Add Group.

  3. Click Save.

  4. On the Add group page, enter a group Name and Description.

  5. Click Save.

Adding Users to a Group

You can add several types of members to a group, including users, directory groups such as AD, and Delinea groups. To add a member to a group, follow these steps:

  1. Click Access from the left navigation menu, then select Groups.
  2. On the Groups page, click a group.

  3. On the specific group's page, click the Members tab.

  4. Click Add Member.

  5. On the Add Members page, select the checkbox next to each user you want to add, then click Add.

    A message appears: Member has been Added Successfully.

User Directory Service Configuration

  1. Click Settings from the left navigation, then select Directory services.

  2. Select the checkbox next to a directory service you want to use or remove. Actions available for a selected directory service vary:

    • Delinea and Federated directory are read only (no actions).
    • Active directory can only be moved (no remove).
    • Other directory types can be removed.

A dialog appears with options that include one or more of the following, depending on the type of directory or directories you selected: Clear Selected, Move Down, Move Up, or Remove Selected.

Additional Attributes

  1. On the Configuration page, click the Additional Attributes tab.

  2. Click Add Attributes.

  3. On the Add Attributes page, enter a name in the Name field. The name can contain only letters, numbers, and underscores. It must begin with a letter and contain at least one underscore.

  4. In the Type field, search for a type or click the dropdown arrow and pick one of the following:
    • Number
    • Number (Decimal)
    • Text
    • True/False
    • Date Time
  5. Click Save. A message appears: Your Attribute has been Added Successfully.

On the platform, user roles and their associated permissions are assigned to users through the users' memberships in platform groups, including platform groups mapped to federated groups (see Mapping Federated Groups). For more information on groups, roles, and permissions, see User Roles and Permissions.

Permitted Entra ID Groups

This feature is currently available only to customers participating in a private preview. To participate and be among the first to try this feature, ask our support or account team for details.

By default, when Entra ID is integrated with the Delinea Platform, all Entra ID security groups are available for querying and browsing. Users may browse Entra ID users and groups when managing roles, identity policies, and sharing secrets.

Entra ID groups are not yet supported for Delinea Privilege Control for Servers (PCS).

Distribution lists (or groups) are not supported. On any access control system, including the Delinea Platform, groups are used for access control. A distribution list cannot be used for access control because it cannot be listed in discretionary access control lists (DACLs). A distribution list has no index and cannot be queried to determine whether a user who is trying to access something is on the list, which makes it useless for controlling access.

If there is a requirement to limit the available groups to only those selected, a platform administrator can designate specific groups for use on the Delinea Platform per directory source using the following procedure:

  1. Navigate to Access > Groups.

  2. Select Add External Directory Group.

  3. From Directory sources, select an Entra ID Directory.

  4. Select (or search for) the groups you would like to add. Currently, the platform will return only the first 100 groups in a directory. If the desired group is not found, use search to refine the results.

  5. Click Add.

The selected groups are added to the Groups list page. These Entra ID groups will be the only ones available from the specified directory for use throughout the platform.

To remove a group:

  1. Select the group.

  2. Hover your cursor over the group.

  3. Click the trash icon.

 
