Review Team Permissions After Upgrading to Delinea Platform

Overview

Secret Server includes a feature called user teams that provides visibility isolation. Administrators can create user teams that bundle users and groups together under shared visibility rules, restricting their visibility to specific:

  • users

  • groups

  • sites

When user teams are enabled, a team-restricted user can only see users, groups, and sites assigned to their team.

For example, a large organization can restrict visibility by department, or a managed service provider (MSP) can isolate their customers from seeing other customers' user accounts.

For more information on setting up teams, see User Teams Overview.

How Platform Permissions Affect Team Restrictions

After upgrading to Delinea Platform, administrators should review role assignments for team-restricted users. Some Platform permissions operate at the tenant level and may broaden user access beyond team boundaries.

After upgrading from Secret Server Cloud to Delinea Platform, Secret Server roles and permissions are managed centrally through Delinea Platform. All existing secrets, data, and permissions remain intact.

However, some Platform permissions operate at the tenant level rather than the team level. If a team-restricted user is granted one of these permissions, they may gain visibility into data, users, or infrastructure outside their team boundary.

Many of the permissions listed below are new to Delinea Platform and did not exist prior to the upgrade.

Permissions That Bypass Team Restrictions

The following permissions override team restrictions entirely. Only grant these to global administrators who require unrestricted access.

Unrestricted Access Across Teams

This permission exempts users from all team restrictions. Users with this permission can view all users, groups, and sites—regardless of team affiliation.

Permission: delinea.vault/secretserver/user/unrestrictedbyteams/allow

Administer Teams

Users with this permission can create, edit, and view all teams—including teams they do not belong to. This grants full visibility into team membership and organizational structure.

Permission: delinea.vault/secretserver/administration/teams/administer

Unlimited Vault Access

Unlimited vault access temporarily bypasses all permission checks, including team restrictions. When a user with this permission enables it, they have unrestricted access to every object in the system until they disable it.

Permission: delinea.vault/secretserver/administration/unlimitedadmin/unlimitedadministrator

Infrastructure Permissions

The following permissions allow users to view or manage infrastructure components such as distributed engines, sites, proxying, discovery, and disaster recovery. These components are scoped to sites, not teams. Users with these permissions gain visibility across all sites, including sites outside their team.

Distributed Engines

Distributed engines execute operations that require network access to target systems. Users with these permissions can view or manage all distributed engines and their status across all sites.

Permission Description
delinea.vault/secretserver/administration/distributedengine/administer Administer all distributed engines
delinea.vault/secretserver/administration/distributedengine/read View all distributed engines and their status

Engine Pool and Sites

These permissions are new to Delinea Platform.

Engine pools define how distributed engines are grouped and assigned to sites. Users with these permissions can view or manage the engine pool and site topology across the tenant.

Permission Description
delinea.enginepool/engine/create Create engines in the engine pool
delinea.enginepool/engine/list List all engines in the engine pool
delinea.enginepool/site/list List all sites
delinea.enginepool/site/manage Manage all sites

Remote Access Engines and Sites

These permissions are new to Delinea Platform.

Privileged Remote Access (PRA) uses its own engine and site infrastructure. Users with these permissions can view or manage PRA engine and site configuration across the tenant.

Permission Description
delinea.platform/administration/remoteaccess/engine/activate Activate a PRA engine
delinea.platform/administration/remoteaccess/engine/create Create a PRA engine
delinea.platform/administration/remoteaccess/engine/delete Delete a PRA engine
delinea.platform/administration/remoteaccess/engine/update Update a PRA engine
delinea.platform/administration/remoteaccess/site/create Create a PRA site
delinea.platform/administration/remoteaccess/site/delete Delete a PRA site
delinea.platform/administration/remoteaccess/site/read View PRA sites
delinea.platform/administration/remoteaccess/site/update Update a PRA site

Proxying Configuration

SSH and RDP proxying is configured at the site level. Users with this permission can manage proxy configuration for all sites, including sites outside their team.

Permission: delinea.vault/secretserver/administration/proxyingconfiguration/administer

Disaster Recovery

Disaster recovery replication is configured at the site level. Users with this permission can administer replication settings for all sites.

Permission: delinea.vault/secretserver/administration/disasterrecovery/administer

Discovery

Discovery scans are scoped to sites, not teams. Users with these permissions can view or manage discovery configuration across all sites.

Permission Description
delinea.discovery/discovery/administer Administer discovery
delinea.discovery/discovery/read View discovery results

Remote Password Changing

Remote password changing is configured at the site level. Users with these permissions can view or manage remote password changing configuration for all sites.

Permission Description
delinea.vault/secretserver/administration/remotepasswordchanging/administer Administer remote password changing
delinea.vault/secretserver/administration/remotepasswordchanging/read View remote password changing configuration

Configuration and Platform Permissions

The following permissions allow users to view or manage Secret Server configuration, Platform connectivity, and global system objects. These settings apply across the tenant and are not scoped to teams.

Secret Server Configuration

Secret Server configuration includes global settings that affect all users and sites. Users with these permissions can view or manage general configuration options for the tenant.

Permission Description
delinea.vault/secretserver/administration/configuration/administer Administer general configuration options
delinea.vault/secretserver/administration/configuration/read View general configuration options

Platform Integration and Migration

Platform integration settings control how Secret Server connects to Delinea Platform. Users with these permissions can view or manage the Platform connection and migration for the tenant.

Permission Description
delinea.vault/secretserver/administration/platformintegration/administer Administer the Secret Server connection to Delinea Platform
delinea.vault/secretserver/administration/platformmigration/allow Administer the Secret Server migration to Delinea Platform
delinea.vault/secretserver/administration/platformintegration/read View the Secret Server connection to Delinea Platform

Lists

Lists are global configuration objects used across the tenant. Users with these permissions can view or manage list definitions and contents.

Permission Description
delinea.vault/secretserver/administration/lists/administer Administer lists and list contents
delinea.vault/secretserver/administration/lists/read View lists and list contents

Bulk Operations

Bulk operations can affect objects across team boundaries. Users with this permission can administer bulk operations across the tenant.

Permission: delinea.vault/secretserver/administration/bulkoperations/administer

Identity and Access Permissions

The following permissions allow users to view or manage user accounts, groups, roles, and related identity configurations across the tenant. Users with these permissions gain visibility into identities outside their team.

User and Group Management

User and group management operates at the tenant level. Users with these permissions can create, manage, or import user accounts and groups across the tenant.

Permission Description
delinea.platform/identity/admin/manage Create and manage user accounts
delinea.vault/secretserver/administration/users/applicationaccounts/create Create application accounts
delinea.vault/secretserver/administration/identity/usersandgroups/add Import users and groups from external directories

Role Assignments

Role assignments determine what permissions users and groups have across the tenant. Users with these permissions can assign, remove, or view role assignments for users and groups—including users and groups from other teams.

Permission Description
delinea.platform/administration/groups/roleassignment/create Assign roles to groups
delinea.platform/administration/users/roleassignment/create Assign roles to users
delinea.platform/administration/roles/update Edit role definitions and view role membership
delinea.platform/administration/groups/roleassignment/delete Remove role assignments from groups
delinea.platform/administration/users/roleassignment/delete Remove role assignments from users
delinea.platform/administration/groups/roleassignment/read View role assignments for groups
delinea.platform/administration/users/roleassignment/read View role assignments for users

View Teams

This permission provides read-only access to the same team data available through the Administer Teams permission. Users with this permission can view all teams and their configuration, including teams they do not belong to.

Permission: delinea.vault/secretserver/administration/teams/read

Dual Control

Dual control configuration includes which users are designated as approvers. Users with this permission can see approver identities from other teams.

Permission: delinea.vault/secretserver/administration/dualcontrol/administer

Quantum Lock

Quantum Lock key management includes which users hold encryption keys. Users with this permission can see key holder identities from other teams.

Permission: delinea.vault/secretserver/administration/doublelockkeys/administer

Federation Profiles

Federation profiles configure identity provider integrations and user mappings at the tenant level. Users with these permissions can view or manage federation profiles across the tenant.

Permission Description
delinea.platform/administration/federation/profile/create Create federation profiles
delinea.platform/administration/federation/profile/delete Delete federation profiles
delinea.platform/administration/federation/profile/read View federation profiles
delinea.platform/administration/federation/profile/update Update federation profiles

Application Registration

These permissions are new to Delinea Platform.

Application registrations and credentials are managed at the tenant level. Users with these permissions can view or manage application registrations across the tenant.

Permission Description
delinea.registration/registration/approve Approve application registrations
delinea.registration/registration/application/create Create application registrations
delinea.registration/registration/application/credential/basic/create Create basic credentials for applications
delinea.registration/registration/managedapplication/create Create managed application registrations
delinea.registration/registration/application/delete Delete application registrations
delinea.registration/registration/managedapplication/delete Delete managed application registrations
delinea.registration/registration/application/list List application registrations
delinea.registration/registration/managedapplication/list List managed application registrations
delinea.registration/registrationcode/registration/list List registrations for a registration code
delinea.registration/registration/managedapplication/retrieve Retrieve managed application registrations
delinea.registration/registration/application/update Update application registrations
delinea.registration/registration/managedapplication/update Update managed application registrations
delinea.registration/registration/application/read View application registration details
delinea.registration/registration/managedapplication/read View managed application registration details
delinea.registration/registration/read View registration details

Inbox

This permission is new to Delinea Platform.

Inbox notifications and messages may reference users from other teams. Users with this permission can manage notification settings and messages across the tenant.

Permission: delinea.inbox/inbox/administer

Entitlement Management

This permission is new to Delinea Platform.

Entitlements determine user access at the tenant level. Users with this permission can grant and revoke access, with visibility into user identities across teams.

Permission: delinea.platform/access/entitlements/manage

Export

Export logs contain user activity information that may reference users from other teams. Users with these permissions can view or manage export functionality across the tenant.

Permission Description
delinea.vault/secretserver/administration/export/administer Administer export functionality
delinea.vault/secretserver/administration/export/read View export records

Remote Access Permissions

Remote access application and session features are not scoped to teams. Users with these permissions can view or manage remote application definitions and launch sessions across the tenant.

For remote access engine and site infrastructure permissions, see Infrastructure Permissions.

Permission Description
delinea.platform/remoteaccess/remoteapplication/create Create a remote application definition
delinea.platform/remoteaccess/webapplication/create Create a web application definition
delinea.platform/remoteaccess/remoteapplication/delete Delete a remote application definition
delinea.platform/remoteaccess/webapplication/delete Delete a web application definition
delinea.platform/remoteaccess/session/launch Launch a remote access session
delinea.platform/remoteaccess/webapplication/launch Launch a web application
delinea.platform/remoteaccess/remoteapplication/update Update a remote application definition
delinea.platform/remoteaccess/webapplication/update Update a web application definition
delinea.platform/remoteaccess/remoteapplication/read View remote application definitions
delinea.platform/remoteaccess/webapplication/read View web application definitions

Event and Automation Permissions

The following permissions allow users to view or manage event-driven features such as subscriptions, pipelines, and automatic exports. These features operate across the tenant and are not scoped to teams.

Event Subscriptions

Event subscriptions respond to system-wide events. Users with these permissions can view or manage event subscriptions across the tenant.

Permission Description
delinea.vault/secretserver/administration/eventsubscriptions/administer Administer event subscriptions
delinea.vault/secretserver/administration/eventsubscriptions/read View event subscriptions

Pipelines

Event pipelines automate actions in response to events and can be assigned to secret policies and folders. Users with these permissions can view or manage pipelines across the tenant.

Permission Description
delinea.vault/secretserver/administration/pipelines/administer Administer event pipelines and pipeline policies
delinea.vault/secretserver/administration/pipelines/assign Assign pipeline policies to secret policies or folders
delinea.vault/secretserver/administration/pipelines/read View event pipeline policies and policy activities

Automatic Export

Automatic export creates scheduled data exports that may contain information from across team boundaries. Users with these permissions can view or manage automatic export configuration across the tenant.

Permission Description
delinea.vault/secretserver/administration/autoexport/administer Administer automatic export configuration
delinea.vault/secretserver/administration/autoexport/download Download automatic export files
delinea.vault/secretserver/administration/autoexport/run Run automatic exports manually
delinea.vault/secretserver/administration/autoexport/read View automatic export configuration

Workflow and Approval Permissions

The delinea.workflow permissions are new to Delinea Platform.

Approval workflows coordinate access requests between users. Workflow configurations and approval requests contain user identity information that may include users from other teams. Users with these permissions can view or manage workflows and participate in approval processes across the tenant.

Permission Description
delinea.vault/secretserver/administration/workflows/administer Administer Secret Server workflow configurations
delinea.workflow/approvals/update Approve or deny access requests
delinea.workflow/approvals/create Create access requests
delinea.workflow/approvaltemplates/manage Manage approval workflow templates
delinea.workflow/approvals/manage Manage approval workflows
delinea.workflow/approvals/delete Revoke access approvals
delinea.workflow/approvals/read View access requests and approvals
delinea.workflow/approvaltemplates/read View approval workflow templates
delinea.vault/secretserver/administration/workflows/read View Secret Server workflow configurations

Policy Permissions

These permissions are new to Delinea Platform.

Granular commands define policy-level restrictions on operations across the tenant. Users with these permissions can view or manage granular command definitions.

Permission Description
delinea.policy/commands/create Create granular commands
delinea.policy/commands/read View granular commands

Monitoring and Reporting Permissions

The following permissions allow users to view or manage audit data, analytics, collections, and reports. These features aggregate data across teams and sites. Users with these permissions gain visibility into activity and configuration outside their team.

Audit

Audit data includes session recordings, activity events, and secret access logs across the tenant. Users with these permissions can view audit data for all users and sites, including users and sites outside their team.

Permission Description
delinea.vault/secretserver/secret/sessionrecording/auditor Audit session recordings for secrets the user can access
delinea.platform/audit/event/read View all activity events across the tenant
delinea.platform/audit/sessionrecording/admin/read View all session recordings
delinea.vault/secretserver/secret/audit/read View secret access audit logs
delinea.audit/sessionrecording/readall View session monitoring data

Collections

These permissions are new to Delinea Platform.

Collections can span teams and sites. Users with these permissions can view or manage collections across the tenant.

Permission Description
delinea.platform/collections/manage Manage collections across the tenant
delinea.platform/collections/read View collections across the tenant

Security Analytics

Security analytics aggregate activity data across sites and users. Users with these permissions can view or manage security analytics configuration across the tenant.

Permission Description
delinea.analytics/settings/administer Administer security analytics
delinea.analytics/settings/read View security analytics

Identity Threat Detection and Response

These permissions are new to Delinea Platform.

Identity threat detection and response (ITDR) analyzes risk and inventory data across the tenant. Users with these permissions can view or manage ITDR data.

Permission Description
delinea.itp/riskanalysis/manage Manage ITDR risk analysis
delinea.itp/inventory/view View ITDR inventory

Asset Inventory

This permission is new to Delinea Platform.

The computer inventory spans all sites. Users with this permission can view the computer inventory across the tenant.

Permission: delinea.assets/computer/view

System Logs

System logs contain diagnostic information for the entire Secret Server instance. Users with these permissions can view or manage system logs across the tenant.

Permission Description
delinea.vault/secretserver/administration/systemlog/administer Administer system logs
delinea.vault/secretserver/administration/systemlog/read View system logs

Webhooks

These permissions are new to Delinea Platform.

Webhooks send event data to external endpoints. Users with these permissions can view or manage webhook configurations across the tenant.

Permission Description
delinea.platform/webhooks/manage Manage webhooks
delinea.platform/webhooks/read View webhooks

Reporting

Reports can aggregate data across teams and sites. Users with these permissions can view or manage reports with tenant-wide scope.

Permission Description
delinea.vault/secretserver/administration/reports/administer Administer Secret Server reports
delinea.platform/reports/view View reports

Best Practices

When assigning roles to team-restricted users after upgrading to Delinea Platform:

  • Audit user permissions carefully. Verify that team-restricted users only receive the visibility they need, because even read-only permissions can expose cross-team data.

  • Document exceptions. If a team-restricted user intentionally requires a cross-team permission, record the business justification to maintain a clear audit trail.

  • Reserve infrastructure permissions for global administrators. Only assign permissions for distributed engines, sites, discovery, and remote password changing to administrators who manage infrastructure across the organization, because these permissions provide visibility across all sites.

  • Review roles for cross-team permissions. Verify that upgraded Delinea Platform roles do not unintentionally grant permissions listed in this document, to avoid undermining team restrictions.

  • Test with a team-restricted account. After the upgrade, sign in as a team-restricted user to verify that team isolation is working as expected.

  • Use the principle of least privilege. Only grant the permissions each user needs to perform their specific responsibilities, to minimize cross-team visibility.
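One way to carry out the "audit user permissions" and "review roles for cross-team permissions" checks above, as an added example that is not Delinea's code: a Python script that compares exported role definitions against the permissions this document lists and reports, for each team-restricted role, which of them it grants. The JSON export shape and the "example/..." placeholder permissions are assumptions made for this example.

```python
"""Flag role permissions that this document lists as bypassing or broadening team restrictions."""
import json

# Category per permission, copied from the permissions listed in this document.
# A representative subset; add the remaining rows the same way.
CROSS_TEAM = {
    "delinea.vault/secretserver/user/unrestrictedbyteams/allow": "bypass",
    "delinea.vault/secretserver/administration/teams/administer": "bypass",
    "delinea.vault/secretserver/administration/unlimitedadmin/unlimitedadministrator": "bypass",
    "delinea.vault/secretserver/administration/distributedengine/read": "infrastructure",
    "delinea.enginepool/site/list": "infrastructure",
    "delinea.vault/secretserver/administration/proxyingconfiguration/administer": "infrastructure",
    "delinea.platform/identity/admin/manage": "identity",
    "delinea.platform/administration/users/roleassignment/read": "identity",
    "delinea.vault/secretserver/administration/teams/read": "identity",
    "delinea.platform/audit/event/read": "monitoring",
    "delinea.vault/secretserver/administration/reports/administer": "monitoring",
}
# Report order: outright bypasses first, then categories that merely broaden visibility.
SEVERITY = {"bypass": 0, "infrastructure": 1, "identity": 2, "monitoring": 3}

# Constructed sample input. The JSON shape is an assumption made for this example,
# not a Delinea export format, and the "example/..." names are placeholders
# standing in for ordinary team-scoped permissions.
SAMPLE_EXPORT = json.loads("""{
  "roles": {
    "Customer A Operator": [
      "example/secret/view",
      "delinea.platform/audit/event/read",
      "delinea.vault/secretserver/administration/teams/read"
    ],
    "Customer A Helpdesk": ["example/secret/view", "example/folder/view"],
    "Global Infrastructure Admin": [
      "delinea.vault/secretserver/user/unrestrictedbyteams/allow",
      "delinea.enginepool/site/list"
    ]
  },
  "team_restricted_roles": ["Customer A Operator", "Customer A Helpdesk"]
}""")


def cross_team_permissions(permissions, catalog=CROSS_TEAM):
    """Return [(permission, category)] for every catalogued permission, bypasses first."""
    hits = {p.strip(): catalog[p.strip()] for p in permissions if p.strip() in catalog}
    return sorted(hits.items(), key=lambda h: (SEVERITY[h[1]], h[0]))


def audit_team_restricted_roles(export, catalog=CROSS_TEAM):
    """Map each team-restricted role to the cross-team permissions it grants.

    Roles not marked team-restricted are skipped (global administrators are expected
    to hold tenant-wide permissions). A team-restricted role missing from the role
    table is reported as None so the gap in the export is visible.
    """
    roles = export.get("roles", {})
    findings = {}
    for role in export.get("team_restricted_roles", []):
        if role not in roles:
            findings[role] = None
            continue
        hits = cross_team_permissions(roles[role], catalog)
        if hits:
            findings[role] = hits
    return findings


if __name__ == "__main__":
    for role, hits in audit_team_restricted_roles(SAMPLE_EXPORT).items():
        print(f"{role}: {'unknown role' if hits is None else ''}".rstrip())
        for perm, category in hits or []:
            print(f"  [{category}] {perm}")
```

Any role that appears in the output is a candidate for the "document exceptions" step above, or for removing the flagged permission.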

See Also