Platform Permissions
This page provides a reference to the role permissions available in the Delinea Platform.
Miscellaneous Permissions
Permission Name | Description | Permission String |
---|---|---|
Add Engine | Create a new engine. | delinea.enginepool/engine/create |
Administer Analytics | View and edit the settings for analytics. | delinea.analytics/settings/administer |
Administer Audit Data Retention | Manage audit data retention, such as editing and running now. This permission does not automatically come with the Administrator role. | delinea.insights/administration/dataretention/administer |
Administer Discovery | View and import computers and accounts that are found by Discovery. | delinea.discovery/discovery/administer |
Administer Inbox | Administer notification settings for the inbox. | delinea.inbox/inbox/administer |
Administer Licenses | View, edit, install, and delete licenses. | delinea.license/administration/licenses/administer |
Administer Session Recording Configuration | View and edit session recording settings on the Session Recording tab of Configuration settings. (Formerly also known as Administer Session Recordings.) | delinea.audit/administration/sessionrecording/manage |
Approve Registration | Approve a registration. | delinea.registration/registration/approve |
Approve Via DUO Push | Approve access requests via Duo push notifications. Administrators do not have this permission by default. | delinea.inbox/duo/requestaccess/approve |
Create a Site | Create a new site. | delinea.enginepool/site/create |
Create Command Group | Create command groups. | delinea.policy/commandgroups/create |
Create Granular Command | Create granular commands. | delinea.policy/commands/create |
Create Policy | Create policies. | delinea.policy/policies/create |
Create Registration Code | Create a registration code. | delinea.registration/registrationcode/create |
Delete a Site | Delete a site. | delinea.enginepool/site/delete |
Delete Command Group | Delete command groups. | delinea.policy/commandgroups/delete |
Delete Engine | Delete an engine. | delinea.enginepool/engine/delete |
Delete Granular Command | Delete granular commands. | delinea.policy/commands/delete |
Delete Policy | Delete policies. | delinea.policy/policies/delete |
Edit Command Group | Edit command groups. | delinea.policy/commandgroups/update |
Edit Granular Command | Edit granular commands. | delinea.policy/commands/update |
Edit Policy | Edit policies. | delinea.policy/policies/update |
Enable Policy | Enable policies. | delinea.policy/policies/enable |
Generate a Device Code | Generate a device code. | delinea.registration/devicecode/generate |
List Engines | View summary information about all engines. | delinea.enginepool/engine/list |
List Registration Codes | View summary information about all registration codes. | delinea.registration/registrationcode/list |
List Registrations | View summary information about all registrations for a registration code. | delinea.registration/registrationcode/registration/list |
List Sites | See and choose sites through the platform UI, such as in a dropdown list of sites in the PRA setup page. This permission does not grant the ability to view and modify sites through the Engine Management page. For that, the Manage Sites permission is required. | delinea.enginepool/site/list |
List Workload Definitions | View summary information about all workload definitions. | delinea.registration/workloaddefinition/list |
Manage All Collections | Manage all collections in the tenant. | delinea.platform/collections/manage |
Manage Entitlements | Manage entitlement assignments in access. | delinea.platform/access/entitlements/manage |
Manage Sites | View summary information about all sites and make changes. | delinea.enginepool/site/manage |
Manage Webhooks | Manage webhooks. | delinea.platform/webhooks/manage |
Read Another Users Profile Settings | Read other users' profile settings (such as the profile image). | delinea.platform/userprofile/manage/read |
Register a Workload | Register a Workload with a registration code. | delinea.registration/registrationcode/register |
Retrieve a Managed Application Registration | Retrieve a managed application registration. | delinea.registration/registration/managedapplication/retrieve |
Retrieve a Registration | Read detailed information (including sensitive information) about individual registrations. | delinea.registration/registration/read |
Retrieve Registration Code | Read detailed information (including sensitive information) about individual registration codes. | delinea.registration/registrationcode/read |
Retrieve Workload Definition | Read detailed information (including sensitive information) about individual workload definitions. | delinea.registration/workloaddefinition/read |
Update a Site | Edit a site. | delinea.enginepool/site/update |
Update Another Users Profile Settings | Update other users' profile settings (such as the profile image). | delinea.platform/userprofile/manage/update |
Update Engine | Edit an engine. | delinea.enginepool/engine/update |
View All Collections | View all collections in the tenant. | delinea.platform/collections/read |
View All Computers | The user can view all computers that the user is permitted to access in the tenant. | delinea.assets/computer/view |
View Analytics | View, but not edit, settings for analytics. | delinea.analytics/settings/read |
View Audit Data Retention | View retained audit data. This permission does not automatically come with the Administrator role. | delinea.insights/administration/dataretention/read |
View Command Group | View command groups. | delinea.policy/commandgroups/read |
View Discovery | View, but not edit, computers and accounts that are found by Discovery. | delinea.discovery/discovery/read |
View Engine | Read detailed information about an engine. | delinea.enginepool/engine/read |
View Granular Command | View granular commands. | delinea.policy/commands/read |
View licenses | View, but not edit, the licenses in the system. | delinea.license/administration/licenses/read |
View Policy | View policies. | delinea.policy/policies/read |
View Session Recording Configuration | View session recording settings on the Session Recording tab of Configuration settings. | delinea.audit/administration/sessionrecording/read |
View Session Recording Comments | Read comments in session recording. | delinea.platform/audit/sessionrecording/comment/read |
View Session Recordings | View active launcher sessions. | delinea.audit/sessionrecording/readall |
View Site | Read detailed information about a site. (Formerly Retrieve Site.) | delinea.enginepool/site/read |
Administration Permissions
Permission Name | Description | Permission String |
---|---|---|
Activate PRA Engine | Activate Privileged Remote Access engine. | delinea.platform/administration/remoteaccess/engine/activate |
Add Federation Profile | Add a federation profile. | delinea.platform/administration/federation/profile/create |
Add Group Role Assignment | Assign groups to roles. | delinea.platform/administration/groups/roleassignment/create |
Add PRA Engine | Add Privileged Remote Access engine. | delinea.platform/administration/remoteaccess/engine/create |
Add Roles | Add roles. | delinea.platform/administration/roles/create |
Add Secret Server On Premises Templates | Add Secret Server On Premises templates. (Formerly Add Secret Server Templates.) | delinea.platform/administration/remoteaccess/secrettemplate/create |
Add User Role Assignments | Assign users to roles. | delinea.platform/administration/users/roleassignment/create |
Configure Secret Server On Premises integration | Configure Secret Server On Premises integration. | delinea.platform/administration/remoteaccess/vault/configure |
Create PRA Site | Create a new Remote Access site to install engines. | delinea.platform/administration/remoteaccess/site/create |
Delete Federation Profile | Delete a federation profile. | delinea.platform/administration/federation/profile/delete |
Delete Group Role Assignment | Remove groups from roles. | delinea.platform/administration/groups/roleassignment/delete |
Delete PRA Engine | Delete Privileged Remote Access engine. | delinea.platform/administration/remoteaccess/engine/delete |
Delete PRA Site | Delete Privileged Remote Access site. | delinea.platform/administration/remoteaccess/site/delete |
Delete Roles | Delete roles. | delinea.platform/administration/roles/delete |
Delete Secret Server On Premises Templates | Delete Secret Server On Premises templates. (Formerly Delete Secret Server Templates.) | delinea.platform/administration/remoteaccess/secrettemplate/delete |
Delete User Role Assignment | Remove users from roles. | delinea.platform/administration/users/roleassignment/delete |
Read Federation Profile | Read federation profiles. | delinea.platform/administration/federation/profile/read |
Update Federation Profile | Update a federation profile. | delinea.platform/administration/federation/profile/update |
Update PRA Engine | Upgrade Privileged Remote Access engine. | delinea.platform/administration/remoteaccess/engine/update |
Update PRA Site | Update Privileged Remote Access site. | delinea.platform/administration/remoteaccess/site/update |
Update Roles | Modify roles. | delinea.platform/administration/roles/update |
Update Tenant Profile | Edit and update any information under the Tenant Profile page. This permission is not additive, so by only having the "Update Tenant Profile" permission, you do not get the ability to also see the data. | delinea.platform/administration/tenantprofile/update |
View Group Role Assignment | View roles assigned to groups. | delinea.platform/administration/groups/roleassignment/read |
View Other User/Group Permissions | Read the permissions of other users and groups. | delinea.platform/administration/haspermission/read |
View Permissions | Grants a user permission to view permissions. | delinea.platform/administration/permissions/read |
View Platform Groups | View platform groups. | delinea.platform/administration/groups/read |
View Platform Users | View platform users. | delinea.platform/administration/users/read |
View PRA Engine | View Privileged Remote Access engine. | delinea.platform/administration/remoteaccess/engine/read |
View PRA Site | View Privileged Remote Access Site. | delinea.platform/administration/remoteaccess/site/read |
View Roles | View roles. | delinea.platform/administration/roles/read |
View Tenant Profile | View tenant profile. | delinea.platform/administration/tenantprofile/read |
View Secret Server On Premises Integration | View Secret Server On-Premises integration. (Formerly View Secret Server integration.) | delinea.platform/administration/remoteaccess/vault/read |
View Secret Server On Premises Templates | View Secret Server On-Premises templates. (Formerly View Secret Server Templates.) | delinea.platform/administration/remoteaccess/secrettemplate/read |
View User Role Assignments | View roles assigned to users. | delinea.platform/administration/users/roleassignment/read |
Behavioral Analytics Permissions
Permission Name | Description | Permission String |
---|---|---|
Create Behavioral Analytics Notes | Create behavioral analytics notes. | delinea.platform/analytics/notes/create |
Create Behavioral Analytics Settings | Create behavioral analytics settings. | delinea.platform/analytics/settings/create |
Delete Behavioral Analytics Notes | Delete behavioral analytics notes. | delinea.platform/analytics/notes/delete |
Delete Behavioral Analytics Settings | Delete behavioral analytics events. | delinea.platform/analytics/settings/delete |
Manage Behavioral Analytics | Manage behavioral analytics settings. | delinea.platform/analytics/settings/manage |
Update Behavioral Analytics Alerts | Update behavioral analytics alerts. | delinea.platform/analytics/alerts/update |
Update Behavioral Analytics Notes | Update behavioral analytics notes. | delinea.platform/analytics/notes/update |
Update Behavioral Analytics Settings | Update behavioral analytics settings. | delinea.platform/analytics/settings/update |
View Behavioral Analytics | View the Behavioral Analytics page (Insights > Behavioral Analytics). | delinea.platform/analytics/read |
View Behavioral Analytics Alerts | View behavioral analytics alerts. | delinea.platform/analytics/alerts/read |
View Behavioral Analytics Events | View behavioral analytics events. | delinea.platform/analytics/events/read |
View Behavioral Analytics Notes | View behavioral analytics notes. | delinea.platform/analytics/notes/read |
View Behavioral Analytics Settings | View behavioral analytics settings. | delinea.platform/analytics/settings/read |
Platform Audit Permissions
Permission Name | Description | Permission String |
---|---|---|
Add Session Recording Comments | Write comments in session recording. (Formerly Write Session Recording Comments.) | delinea.platform/audit/sessionrecording/comment/write |
Modify Session Recording AIDA Settings | Access AIDA setting page. | delinea.platform/audit/sessionrecording/aida/settings |
Read Audit events | Read all administrative and privileged activity events. | delinea.platform/audit/event/read |
Read Own Audit events | Grants a user permission to read their own administrative and privileged activity events. | delinea.platform/audit/event/own/read |
View AIDA results | Read AIDA results in session recording. | delinea.platform/audit/sessionrecording/aida/read |
View Authorized Session Recordings | Grants a user permission to view all authorized session recordings. (Formerly View All Session Recordings or View Session Recordings UI.) | delinea.platform/audit/sessionrecording/admin/read |
View Own Session Recordings | Grants a user permission to open and view their personal session recordings. | delinea.platform/audit/sessionrecording/own/read |
View Session Recording Comments | Read comments in session recording. | delinea.platform/audit/sessionrecording/comment/read |
Delinea Expert Permissions
Permission Name | Description | Permission String |
---|---|---|
Access Delinea Expert | Chat with Delinea Expert. | delinea.platform/gpt/conversation/create |
Configure Delinea Expert | Configure Delinea Expert. | delinea.platform/gpt/conversation/configure |
Posture Check Permissions
Permission Name | Description | Permission String |
---|---|---|
Manage Checks | Manage posture checks. | delinea.platform/checks/manage |
View Checks | View posture checks. | delinea.platform/checks/view |
Identity Permissions
Permission Name | Description | Permission String |
---|---|---|
Administer RADIUS Server Configuration | Manage RADIUS client settings. | delinea.platform/identity/radius/administer |
Manage Identity settings | Manage all Identity-related settings such as users, groups, policies, and more. | delinea.platform/identity/admin/manage |
View Identity settings | View Identity-related settings such as users, groups, policies, and more. | delinea.platform/identity/admin/read |
View RADIUS Server Configuration | View RADIUS client settings. | delinea.platform/identity/radius/read |
Inventories Permissions
Permission Name | Description | Permission String |
---|---|---|
View Inventory | View inventories in the navigation menu. | delinea.platform/inventory/view |
Analytics Management Permissions
Permission Name | Description | Permission String |
---|---|---|
Create Active Directory entities | Create Active Directory entities. | delinea.platform/itp/activedirectory/create |
Marketplace Permissions
Permission Name | Description | Permission String |
---|---|---|
Customize Marketplace Integration View | Customize Marketplace integration view. | delinea.platform/marketplace/integrationview/update |
View Marketplace | Show Marketplace to the user. | delinea.platform/marketplace/read |
View Marketplace Download Center | Show Marketplace Download Center to the user. (Formerly View Download Center.) | delinea.platform/marketplace/downloadcenter/read |
View Subscriptions | View subscriptions in Marketplace. | delinea.platform/marketplace/subscriptions/read |
Remote Access Permissions
Permission Name | Description | Permission String |
---|---|---|
Close PRA session | Close a Privileged Remote Access session. | delinea.platform/remoteaccess/sessions/end |
Create Remote Applications | Create remote applications. | delinea.platform/remoteaccess/remoteapplication/create |
Create Web Application | Create Web application. | delinea.platform/remoteaccess/webapplication/create |
Delete Remote Applications | Delete remote applications. | delinea.platform/remoteaccess/remoteapplication/delete |
Delete Web Application | Delete web application. | delinea.platform/remoteaccess/webapplication/delete |
Download files with PRA | Download a file from the target system during a remote access session. | delinea.platform/remoteaccess/filetransfer/download |
Launch PRA Session | Launch a Privileged Remote Access session. | delinea.platform/remoteaccess/session/launch |
Launch Web Application | Launch web application. | delinea.platform/remoteaccess/webapplication/launch |
Read Remote Applications | Read remote applications. | delinea.platform/remoteaccess/remoteapplication/read |
Read Web Applications | Read web applications. | delinea.platform/remoteaccess/webapplication/read |
Update PRA Configuration | Update Privileged Remote Access Configuration. | delinea.platform/remoteaccess/configuration/update |
Update Remote Applications | Update remote applications. | delinea.platform/remoteaccess/remoteapplication/update |
Update Web Application | Update web application. | delinea.platform/remoteaccess/webapplication/update |
Upload files with PRA | Upload a file to the target system during a remote access session. | delinea.platform/remoteaccess/filetransfer/upload |
View PRA Configuration | View Privileged Remote Access Configuration. | delinea.platform/remoteaccess/configuration/read |
View Secrets | View Secrets to launch Privileged Remote Access sessions. | delinea.platform/remoteaccess/secret/read |
Vaultbroker Configuration Permissions
Permission Name | Description | Permission String |
---|---|---|
Allow creating vaultbroker connection information | Create the vaultbroker connection information. Still requires an admin to log into SecretServer first and configure the platform configuration. | delinea.platform/vaultbroker/vault/create |
Allow editing vaultbroker connection information | Modify the vaultbroker connection information. | delinea.platform/vaultbroker/vault/update |
Secret Server Permissions
Permission Name | Description | Permission String |
---|---|---|
Access Offline Secrets on Mobile | User can cache their secrets in the Secret Server mobile application for offline use. This permission does not automatically come with the Administrator role. | delinea.vault/secretserver/secret/mobile/offlinesecrets/allow |
Add Custom Audit Entry for Secrets | Make a custom audit entry when accessing a secret using the web services API. | delinea.vault/secretserver/secret/customaudit/create |
Add Secret | Create new secrets. The Add permission no longer includes the role permission View Secret. | delinea.vault/secretserver/secret/create |
Add Users or Groups From Identity | Search for users and groups from Identity sources and add those users or groups to Secret Server. | delinea.vault/secretserver/administration/identity/usersandgroups/add |
Administer Analytics Challenge | Allows user to be challenged by analytics if their behavior deviates from their normal behavior and meets requirements specified by analytics. Administrators do not have this permission by default. | delinea.vault/secretserver/administration/securityanalytics/accesschallenge/allow |
Administer Application Accounts in Secret Server | Create application user accounts to be used exclusively for accessing Secret Server via the API. Formerly Create Application Account. | delinea.vault/secretserver/administration/users/applicationaccounts/create |
Administer Auto Export | Do everything the other automatic export permissions allow and edit the automatic export configuration. | delinea.vault/secretserver/administration/autoexport/administer |
Administer Custom Columns on Secret Templates | Enable the Expose for Display setting of a secret's template field to make it available for use in Dashboard custom columns. | delinea.vault/secretserver/administration/secrettemplate/customcolumns/administer |
Administer Custom Password Requirements | View and edit custom password requirements that can be configured under the Security tab for individual secrets. | delinea.vault/secretserver/administration/passwordrequirements/custom/administer |
Administer Devops Secret Vault Tenants | Add, remove, and edit DSV tenants that automatically synchronize with Secret Server on a schedule. | delinea.vault/secretserver/administration/devopssecretvault/tenants/administer |
Administer Disaster Recovery | Configure instances as data sources or replicas for disaster recovery; initiate or test data replication and view related logs and audits. | delinea.vault/secretserver/administration/disasterrecovery/administer |
Administer Distributed Engine Configuration | Update the Distributed Engine configuration. | delinea.vault/secretserver/administration/distributedengine/administer |
Administer DoubleLock Keys | View, edit, create, and disable DoubleLock keys. A DoubleLock key acts as a separate encryption key to protect your most sensitive secrets. This option allows users to access and use the DoubleLocks link on the Administration page. | delinea.vault/secretserver/administration/doublelockkeys/administer |
Administer Dual Control Settings | View, edit, create, and disable Dual Control settings for reports and recorded sessions. | delinea.vault/secretserver/administration/dualcontrol/administer |
Administer Event Subscriptions | View, edit, and create event subscriptions. | delinea.vault/secretserver/administration/eventsubscriptions/administer |
Administer Export | View the export log and export secrets to which they have access to a clear-text CSV file. | delinea.vault/secretserver/administration/export/administer |
Administer HSM Configuration | Change configuration or disable the use of a Hardware Security Module (HSM). | delinea.vault/secretserver/administration/hsm/administer |
Administer Jumpbox | Create, edit, or deactivate jump server routes. | delinea.vault/secretserver/administration/jumpboxroutes/administer |
Administer Key Management | Enable, change, or disable the Key Management (Secret Server Cloud only). | Delinea.vault/secretserver/administration/keymanagement/administer |
Administer Platform Integration | Manage the Secret Server connection to the Delinea Platform. | delinea.vault/secretserver/administration/platformintegration/administer |
Administer Platform Migration | Manage the Secret Server migration to the Delinea Platform. | delinea.platform/identity/radius/administer |
Administer Remote Password Changing Settings | Turn Heartbeat and Remote Password Changing on and off globally. Also allows users to create new password changers and install password changing agents on remote machines. | delinea.vault/secretserver/administration/remotepasswordchanging/administer |
Administer SSH Cipher Suite | View and edit the SSH Cipher Suite. | delinea.vault/secretserver/administration/sshciphersuite/administer |
Administer SSH Menus | Create and edit SSH Menus, used in allowlisting commands that can be used on an SSH session. | delinea.vault/secretserver/administration/sshmenus/administer |
Administer Secret Encryption Key Rotation | Start a process that rotates the Secret encryption keys. | delinea.vault/secretserver/administration/encryptionkeys/rotate |
Administer Secret Policy | Create and edit Secret Policies. | delinea.vault/secretserver/administration/secretpolicy/administer |
Administer Secret Server Configuration | View and edit general configuration options. For example, a user with this role permission can turn on Force HTTPS/SSL and disable Allow Remember Me. | delinea.vault/secretserver/administration/configuration/administer |
Administer Secret Server Data | Manage metadata fields and sections added to secrets and users in Secret Server. | delinea.vault/secretserver/administration/metadata/administer |
Administer Secret Server Folders | View, edit, create, move, and delete folders. Users still need the relevant view, edit, and owner permissions on the folders to perform these tasks. | delinea.vault/secretserver/administration/folders/administer |
Administer Secret Server Lists | Add, remove, and modify lists and list contents in Admin > Lists. | delinea.vault/secretserver/administration/lists/administer |
Administer Secret Server Maintenance | Administer Secret Server maintenance. | delinea.vault/secretserver/administration/maintenancemode/administer |
Administer Secret Server Password Requirements | View and edit character sets and password requirements. | delinea.vault/secretserver/administration/passwordrequirements/administer |
Administer Secret Server Pipelines | Create, edit, and remove event pipelines and event pipeline policies. | delinea.vault/secretserver/administration/pipelines/administer |
Administer Secret Server Reports | View, edit, delete, and create reports. Also allows users to customize report categories. | delinea.vault/secretserver/administration/reports/administer |
Administer Secret Server Scripts | View, edit, and add PowerShell, SQL, and SSH scripts on the Scripts Administration page. | delinea.vault/secretserver/administration/scripts/administer |
Administer Secret Server Security Configuration | View and edit security configuration options in Secret Server. Currently, these include enabling FIPS compliance mode and protecting the encryption key. Formerly Administer Security Configuration. | delinea.vault/secretserver/administration/securityconfiguration/administer |
Administer Secret Server SSH Proxy Configuration | View and edit SSH Proxy settings. | delinea.vault/secretserver/administration/proxyingconfiguration/administer |
Administer Secret Server System Logs | View and clear the System Log, which shows general diagnostics information for Secret Server. | delinea.vault/secretserver/administration/systemlog/administer |
Administer Secret Server Teams | Create, delete, and view all teams. | delinea.vault/secretserver/administration/teams/administer |
Administer Secret Templates | View, edit, disable, and create secret templates. | delinea.vault/secretserver/administration/secrettemplate/administer |
Administer Workflows | Manage workflows (advanced access management). | delinea.vault/secretserver/administration/workflows/administer |
Advanced Import | Import secrets from an XML file. Users with this permission can import groups, folders, site connectors, sites, and secret templates, without having to create a secret. Users must have the Secret Server permissions needed for the objects listed in the XML. | delinea.vault/secretserver/administration/import/advancedimport/allow |
Allow List Secret Access For Assigning Policy | Users with list access to a secret can assign policies. Users need the view permission if they do not have this one. | delinea.vault/secretserver/administration/secretpolicy/listsecretaccessforassigningpolicy/allow |
Assign Secret Policy | Assign Secret Policies to folders and secrets. | delinea.vault/secretserver/secretpolicy/assign |
Assign Secret Server Pipelines | Assign an event pipeline policy to secret policies or folders. | delinea.vault/secretserver/administration/pipelines/assign |
Audit Secret Server Session Recordings | Users with at least List Access permission on a secret can access the session recording of the secret. Administrators do not have this permission by default. | delinea.vault/secretserver/secret/sessionrecording/auditor |
Browse Secret Server Reports | Access reports restricted by permissions. Permissions are configurable at the category and report levels and share a similar inheritance model to secrets and folders. You can define users or groups with view or edit permissions for each category or report. | delinea.vault/secretserver/administration/reports/browse |
Bypass Direct API Authentication Restriction | Ignore the PreventDirectApiAuthentication advanced setting and log in through the API with a non-application account. | delinea.vault/secretserver/user/directapiauthenticationrestriction/bypass |
Bypass SAML Login | Log in with local account without using SAML (Secret Server specific). | delinea.vault/secretserver/user/samllogin/bypass |
Copy Secret | Copy secrets when the user also has Own Secret role permission. | delinea.vault/secretserver/secret/copy |
Create External Vault Links | Link external vaults in Secret Server. | delinea.vault/secretserver/externalvault/create |
Create Root Folders in Secret Server | Create new folders at the root level of the folder structure. | delinea.vault/secretserver/administration/folders/rootfolders/create |
Deactivate Secret | Mark secrets as deactivated. | delinea.vault/secretserver/secret/deactivate |
Deactivate a Secret within a Report | Run the Delete Secrets action from a report. | delinea.vault/secretserver/administration/reports/secretfromreport/deactivate |
Download Auto Export | View all automatic export tabs and download exports from cloud storage (Secret Server Cloud only). | delinea.vault/secretserver/administration/autoexport/download |
Edit Secret | Without this permission, a user cannot edit secrets, regardless of the secret permission. | delinea.vault/secretserver/secret/update |
Enable Unlimited Administrator in Secret Server | Turn on Unlimited Admin Mode. When this mode is enabled, users with the Unlimited Administrator role permission can view and edit all secrets in the system, regardless of permissions. You can assign Enable Unlimited Administrator in Secret Server to one user and Unlimited Administrator to another user. This would require one user to turn on the mode, which enables another user to view and edit secrets. | delinea.vault/secretserver/administration/unlimitedadmin/administer |
Erase Secret | Permanently erase a secret (as opposed to deactivate a secret, which is reversible). | delinea.vault/secretserver/secret/delete |
Expire Secrets from Reports | Expire secrets listed in a report. | delinea.vault/secretserver/administration/reports/secretsfromreport/expire |
Launch Secret in Secret Server | Launch a secret. Previously, a user could launch a secret if their user role had the View Secret permission. As of Version 11.5, a user needs this permission to launch. A user will also need the Secret Launch Remote Access (Platform) permission to be able to launch. | delinea.vault/secretserver/secret/launch |
Own Secret | Perform advanced tasks on secrets the user “owns,” such as configuring expiration schedules, configuring the web launcher, converting secret template, and copying secrets. | delinea.vault/secretserver/secret/own |
Personal Folder in Secret Server | Have a personal folder when the global personal folders configuration option is enabled. | delinea.vault/secretserver/user/personalfolder/allow |
Run Auto Export | View all automatic export tabs and run the export manually by clicking the Run Export button. | delinea.vault/secretserver/administration/autoexport/run |
Run Disaster Recovery Replication | Initiate or test data replication. | delinea.vault/secretserver/administration/disasterrecovery/datareplication/run |
Run Secret Server Scripts | Separates privileges in script management. Holders of the View Scripts role permission cannot execute test runs of scripts, and this permission must be assigned to perform this task. | delinea.vault/secretserver/administration/scripts/run |
Secret Force Check In | Force a secret that is checked out by another user to be checked in. | delinea.vault/secretserver/secret/checkin/override |
Secret Server Web Services Impersonate | Send an approval request to act as another user within their organization when accessing Secret Server programmatically. Administrators do not have this permission by default. | delinea.vault/secretserver/user/impersonatewebservices/allow |
Unlimited Administrator in Secret Server | View and edit all secrets in the system, regardless of permissions, when Unlimited Admin Mode is on. Another user with the Enable Unlimited Administrator in Secret Server role permission still needs to turn this mode on. | delinea.vault/secretserver/administration/unlimitedadmin/unlimitedadministrator |
Unrestricted by Teams in Secret Server | View all users, groups, and sites, regardless of team affiliation. Essentially, teams do not exist for the users with this permission, and the Teams page is not available to them. The default user role has this permission. | delinea.vault/secretserver/user/unrestrictedbyteams/allow |
User Audit Expire Secrets | View the User Audit report, which shows all secrets accessed by a particular user in a specified date range. Also allows the user to force expiration on all these secrets, which would make Secret Server automatically change the password. | delinea.vault/secretserver/administration/useraudit/expiresecrets |
View Advanced Secret Options | View the Remote Password Changing, Security, and Dependency tabs on a Secret they have access to. | delinea.vault/secretserver/secret/advancedoptions/read |
View Auto Export | View all automatic export tabs. | delinea.vault/secretserver/administration/autoexport/read |
View Devops Secret Vault Tenants | View (not edit) the DSV tenants set to synchronize with Secret Server. | delinea.vault/secretserver/administration/devopssecretvault/tenants/read |
View Disaster Recovery | View configuration, logs and audits for Disaster Recovery. | delinea.vault/secretserver/administration/disasterrecovery/read |
View Distributed Engine Configuration |
View the Distributed Engine configuration. |
delinea.vault/secretserver/administration/distributedengine/read |
View DoubleLock Keys |
View which DoubleLock keys exist in the system. |
delinea.vault/secretserver/administration/doublelockkeys/read |
View Dual Control Settings |
View configured Dual Control settings for reports and secret sessions. |
delinea.vault/secretserver/administration/dualcontrol/read |
View Enterprise Objects |
View user and secret metadata. |
delinea.vault/secretserver/administration/enterpriseobjects/read |
View Event Subscriptions |
View event subscriptions. |
delinea.vault/secretserver/administration/eventsubscriptions/read |
View Export |
View the export log of the system to see when users exported secrets. Does not allow a user to export. |
delinea.vault/secretserver/administration/export/read |
View External Vaults |
View external vaults in Secret Server. |
delinea.vault/secretserver/externalvault/read |
View HSM Configuration |
View the Hardware Security Module (HSM) configuration settings. |
delinea.vault/secretserver/administration/hsm/read |
View Inactive Secrets |
View secrets that have been deleted in the system. |
delinea.vault/secretserver/secret/inactivesecrets/read |
View Jumpbox |
View the details of all jump server routes in the Admin Jumpbox Route page but not make any changes. |
delinea.vault/secretserver/administration/jumpboxroutes/read |
View Key Management |
View the Key Management settings (Secret Server Cloud only). |
delinea.vault/secretserver/administration/keymanagement/read |
View Launcher Password on Secrets |
Unmask the password on the view screen of secrets with a launcher. Typically, this includes Web Passwords, Active Directory accounts, Local Windows accounts, and Linux accounts. |
delinea.vault/secretserver/secret/launcherpassword/read |
View Platform Integration |
View the Secret Server connection to the Delinea Platform. |
delinea.vault/secretserver/administration/platformintegration/read |
View Remote Password Changing Settings |
View, but not edit, heartbeat and remote password changing settings. |
delinea.vault/secretserver/administration/remotepasswordchanging/read |
View SSH Cipher Suite |
View (only) the SSH Cipher Suite. |
delinea.vault/secretserver/administration/sshciphersuite/read |
View SSH Menus |
View existing SSH menus, used in allow-listing commands that can be used in an SSH session. |
delinea.vault/secretserver/administration/sshmenus/read |
View Secret |
View secret. Without this permission, a user cannot view secrets, regardless of the secret permission. |
delinea.vault/secretserver/secret/read |
View Secret Audit |
View Secret Audit. |
delinea.vault/secretserver/secret/audit/read |
View Secret Password and Private Key History |
View the history of passwords, private keys, or passphrases in both the old and new UI. |
delinea.vault/secretserver/secret/passwordandprivatekeyhistory/read |
View Secret Policy |
View, but not edit, secret policies. |
delinea.vault/secretserver/administration/secretpolicy/read |
View Secret Server Advanced Dashboard |
View advanced dashboard. Without this permission, users can only view the basic dashboard. |
delinea.vault/secretserver/user/advanceddashboard/read |
View Secret Server Configuration |
View, but not edit, general configuration settings. |
delinea.vault/secretserver/administration/configuration/read |
View Secret Server Folders |
View, but not edit, folders in the system. |
delinea.vault/secretserver/administration/folders/read |
View Secret Server Lists |
View lists and list contents in Admin > Lists. |
delinea.vault/secretserver/administration/lists/read |
View Secret Server Password Requirements |
View character sets and password requirements. |
delinea.vault/secretserver/administration/passwordrequirements/read |
View Secret Server Pipelines |
View event pipeline policies and policy activities. |
delinea.vault/secretserver/administration/pipelines/read |
View Secret Server Reports |
View, but not edit, reports. |
delinea.vault/secretserver/administration/reports/read |
View Secret Server Scripts |
View PowerShell, SQL, and SSH scripts on the Scripts Administration page. |
delinea.vault/secretserver/administration/scripts/read |
View Secret Server Security Configuration |
View the security configuration of Secret Server. Formerly View Security Configuration. |
delinea.vault/secretserver/administration/securityconfiguration/read |
View Secret Server Security Hardening Report |
View the Security Hardening Report. |
delinea.vault/secretserver/administration/securityhardeningreport/read |
View Secret Server Session Recording Audit |
See who has viewed a session recording in the secret audit. |
delinea.vault/secretserver/administration/sessionrecording/audit/read |
View Secret Server SSH Proxy Configuration |
View, but not edit, SSH Proxy settings. |
delinea.vault/secretserver/administration/proxyingconfiguration/read |
View Secret Server System Logs |
View (only) the System Log, which shows general diagnostics information for Secret Server. |
delinea.vault/secretserver/administration/systemlog/read |
View Secret Server Teams |
View all teams. This is essentially a read-only Administer Teams. |
delinea.vault/secretserver/administration/teams/read |
View Secret Server Templates |
View, but not edit, Secret Templates. |
delinea.vault/secretserver/administration/secrettemplate/read |
View Secret Session Recording |
View recorded sessions within Secret Server. |
delinea.vault/secretserver/administration/sessionrecording/read |
View Unlimited Administrator Audit |
View the Unlimited Admin Mode configuration and the Unlimited Admin Mode audit log. Formerly View Unlimited Admin Configuration. |
delinea.vault/secretserver/administration/unlimitedadmin/read |
View User Audit Report |
View, but not edit, the User Audit Report. |
delinea.vault/secretserver/administration/useraudit/report/read |
View Workflows |
View, but not edit, workflows used for multi-tier secret-access approvals and secret erase requests. |
delinea.vault/secretserver/administration/workflows/read |