Roles and Permissions
Delinea Platform's role-based access control system precisely manages resource access, so you can authorize users with the exact permissions they need.
Unified Roles and Permissions in Secret Server and Platform
For new customers of Delinea Platform and Secret Server, all roles and permissions are centrally managed within the Platform.
As of November 8, 2023, all newly provisioned customers on the Delinea Platform experience a unified roles and permissions system. All Secret Server roles and permissions are managed centrally within Delinea Platform.
- Delinea Platform serves as the authoritative source for role permissions within Secret Server. All Secret Server permissions are displayed under platform permissions.
- Secret Server user, group, and role management are no longer accessible under Secret Server Settings.
Access to Secret Server requires the Secret Server Access permission.
Built-in Roles
The platform provides two built-in roles, which cannot be disabled:
- Platform User: All platform users belong to the Everybody group, and inherit the Platform User role through their membership in that group. The Everybody group is removable; however, the Platform User role provides basic permissions for a user to log in to the platform, launch PRA sessions, access their own secrets, and view their own session recordings.
- Platform Admin: Platform users who belong to the System Administrator group inherit the Platform Admin role through their membership in that group. The Platform Admin role provides all permissions on the platform.
Custom Roles
The platform also supports the creation, editing, and deletion of custom roles. Those topics are covered later in this page.
Permissions
Platform permissions are made available for assignment to Roles according to the services available in your platform environment.
Users, Groups, Roles, and Permissions
On the platform, user roles and their associated permissions are assigned to users through the users' memberships in platform groups, including platform groups mapped to federated groups. To understand the relationships between users, groups, roles, and permissions, review the following points:
- A permission can be assigned to one or more roles, but cannot be assigned directly to a group or a user.
- A role can be assigned to one or more groups, and a group can be assigned to one or more users.
- A user inherits one or more roles, along with each role’s permissions, through the group or groups the user is assigned to.
Although the platform currently permits you to assign a role directly to a user, the best practice is to assign a role to a user only through the groups the user is assigned to.
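The inheritance chain described above (permission to role, role to group, group to user), together with the two built-in roles and the Secret Server Access requirement, is easy to get wrong when reviewing who can reach what. The following is an added illustration, not Delinea code: a small model that resolves a user's effective permissions strictly through group membership, refuses to remove the built-in roles, and answers the access-review question "through which group and role does this user hold this permission?". The class, its method names, the user and group names, and all permission names other than Secret Server Access are constructed assumptions, not platform identifiers.

```python
from dataclasses import dataclass, field


@dataclass
class AccessModel:
    """Minimal model of the chain permission -> role -> group -> user.

    Constructed for illustration; the data structures and method names are
    assumptions, not the platform's API.
    """
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    group_roles: dict[str, set[str]] = field(default_factory=dict)
    user_groups: dict[str, set[str]] = field(default_factory=dict)

    # The two built-in roles named on the page; they cannot be removed.
    BUILT_IN_ROLES = frozenset({"Platform User", "Platform Admin"})

    def define_role(self, role: str) -> None:
        self.role_permissions.setdefault(role, set())

    def add_permission(self, role: str, permission: str) -> None:
        # Permissions attach only to roles, never directly to a group or user.
        self.define_role(role)
        self.role_permissions[role].add(permission)

    def assign_role_to_group(self, group: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.group_roles.setdefault(group, set()).add(role)

    def add_user_to_group(self, user: str, group: str) -> None:
        self.user_groups.setdefault(user, set()).add(group)

    def delete_role(self, role: str) -> None:
        if role in self.BUILT_IN_ROLES:
            raise PermissionError(f"{role} is built in and cannot be removed")
        self.role_permissions.pop(role, None)
        for roles in self.group_roles.values():
            roles.discard(role)

    def roles_of(self, user: str) -> set[str]:
        # Roles are inherited only through group membership.
        roles: set[str] = set()
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def all_permissions(self) -> set[str]:
        return set().union(*self.role_permissions.values())

    def effective_permissions(self, user: str) -> set[str]:
        roles = self.roles_of(user)
        if "Platform Admin" in roles:  # page: Platform Admin carries every permission
            return self.all_permissions()
        return set().union(*(self.role_permissions[r] for r in roles))

    def has_permission(self, user: str, permission: str) -> bool:
        return permission in self.effective_permissions(user)

    def grant_paths(self, user: str, permission: str) -> list[tuple[str, str]]:
        """Every (group, role) pair through which `user` receives `permission`.

        This is the question an access review asks; an empty list means the
        user lacks the permission entirely.
        """
        paths = []
        for group in sorted(self.user_groups.get(user, ())):
            for role in sorted(self.group_roles.get(group, ())):
                if role == "Platform Admin" or permission in self.role_permissions.get(role, ()):
                    paths.append((group, role))
        return paths


def build_sample_model() -> AccessModel:
    """Constructed sample tenant. Apart from 'Secret Server Access', the
    permission names are illustrative placeholders, not platform identifiers."""
    m = AccessModel()
    for p in ("Platform Login", "Launch PRA Session", "View Own Secrets", "View Own Recordings"):
        m.add_permission("Platform User", p)
    m.define_role("Platform Admin")  # built in; implicitly holds everything
    m.add_permission("Secret Server Operator", "Secret Server Access")  # constructed custom role
    m.assign_role_to_group("Everybody", "Platform User")  # page: Everybody -> Platform User
    m.assign_role_to_group("System Administrator", "Platform Admin")  # page: System Administrator -> Platform Admin
    m.assign_role_to_group("Vault Operators", "Secret Server Operator")  # constructed group
    for user in ("alice", "bob", "carol"):
        m.add_user_to_group(user, "Everybody")
    m.add_user_to_group("alice", "System Administrator")
    m.add_user_to_group("bob", "Vault Operators")
    return m


if __name__ == "__main__":
    m = build_sample_model()
    for user in ("alice", "bob", "carol"):
        print(f"{user}: Secret Server access = {m.has_permission(user, 'Secret Server Access')}, "
              f"via {m.grant_paths(user, 'Secret Server Access')}")
```

In the sample tenant, alice reaches Secret Server only through System Administrator and the Platform Admin role, bob only through the custom Vault Operators group, and carol, who is only in Everybody, cannot reach it at all; deleting the custom role immediately removes bob's path, while an attempt to delete Platform User is rejected.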
Edit Role Permissions
To edit an existing role:
- Click Access from the left navigation menu, then select Roles.
- Click the name of one of the roles displayed. The role page opens to the Overview tab.
- Click the Permissions tab. All permissions assigned to the role are listed on the tab.
- To add a permission to the role, click Add Permission. The Add Permissions dialog pops up.
- Select the box next to each permission you would like to add to the role.
- Click Assign.
- To remove one or more permissions assigned to a role, select the box next to each permission you would like to remove, then click Remove Selected.
- Click Remove from the pop-up banner to confirm that you want to remove the permission(s).
Edit Role Members (Groups)
- Click the Members tab.
- The Add Members dialog pops up. Select the box next to the groups you want to add, then click Add.
- To remove members (groups) from the role, go to the Members tab and select the box next to each group you wish to delete, then click Remove Selected.
Delete a Role
- Click Access from the left navigation menu, then select Roles.
- Hover your cursor over the role you wish to delete, then click the trash icon that appears.
- Click Delete from the confirmation pop-up.
You can also delete a role directly from the role's details page by clicking the Delete button at the top right of the page.
Assign a Group to a Role
The platform supports the following types of groups: global AD security groups, universal AD security groups, and user attributes/claims named groups. It does not support distribution lists. A distribution list, sometimes inaccurately called a distribution group, is used to send email to the users specified on the list. On any access control system, including the Delinea Platform, groups are used for access control. A distribution list cannot be used for access control because it cannot be listed in discretionary access control lists (DACLs). A distribution list has no index, so you can’t query it to determine whether a user trying to access something is or is not on the list, which makes a distribution list useless for controlling access.
- Click Access from the left navigation, then select Groups.
- Select a group you would like to assign to a role.
Create a New Role
- Click Access from the left navigation menu, then select Roles.
- Click Create Role.
- To create a new role from scratch, select Create New Custom Role. To create a role by cloning an existing role and editing it, select Clone Existing Role.
- Enter appropriate information in the Role Name and Role Description fields.
- Click Save.
- Click the Permissions tab.
- Click Add Permissions to assign appropriate permissions to the role.
- Click Assign.
Add Members (Groups) to a Role
- Click the Members tab.
- To search through existing groups, enter terms in the Search box.
The first search filter is set to restrict search results to Groups by default. Although you can select Users from the dropdown list, adding individual users to a role is not considered a best practice.
- To search across a specific directory (for example, Active Directory), click the Delinea Directory dropdown list and select the desired directory.
- When you have made your selections, click Add.