Adding Users

You can add local users directly to the platform. You can also add non-local users from Active Directories and Federation providers.

Adding Local Users

Adding Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. local users to the platform is not considered a best practice for privileged access management. Local user accounts should be added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. only rarely, and for very specific purposes. For example, you might need to add a local user account for someone who needs to try out platform functionality for a very limited time. Vendors are also added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. as local users.

Typically, the Delinea Platform is used by a corporate enterprise to manage privileged access for their employees and contractors. A local user would typically be added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. by a platform administrator, but a platform administrator is not legally authorized Authorization is the process of verifying what specific applications, files, and data a user has access to. to formally establish a person's identity Identity is the process of identifying a particular user, usually by providing a name, email address, phone number, or username. This is the process of someone saying that they are a certain person.. Only human resources personnel are legally authorized Authorization is the process of verifying what specific applications, files, and data a user has access to. to formally establish a new employee's identity Identity is the process of identifying a particular user, usually by providing a name, email address, phone number, or username. This is the process of someone saying that they are a certain person., for example by confirming their proof of residency, asking to see their driver's license or work visa, and taking their photograph. And only human resources can authorize Authorization is the process of verifying what specific applications, files, and data a user has access to. that person to be added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. as a new employee to the corporate Active Directory, and to authorize Authorization is the process of verifying what specific applications, files, and data a user has access to. their removal from the employee Active Directory.

Local users cannot be converted to external (Active Directory or federated) users.

(Migration customers only) After the Connector is installed and Active Directory is set up on the platform, do not add an existing Secret Server The Delinea secrets vault. Delinea Secret Server is an enterprise-grade secrets storage vault for securely storing, managing, and controlling access to privileged credentials and other sensitive data. See Secret Server on Platform, Secret Server Cloud (SSC), and Secret Server on Premises (SSOP) for distinctions. user as a local platform user, because doing so could cause synchronization issues between the platform and Secret Server The Delinea secrets vault. Delinea Secret Server is an enterprise-grade secrets storage vault for securely storing, managing, and controlling access to privileged credentials and other sensitive data. See Secret Server on Platform, Secret Server Cloud (SSC), and Secret Server on Premises (SSOP) for distinctions..

Add Local Users

1. Click Access from the left navigation, then select Users.

2. The Users page displays each user on a row, with columns showing basic user information including the user's Display Name, Email, Source, Status, Last Invite, and Last Login.

3. Click Add Local User on the right to create a new local user.

4. On the Add local user page, fill in the required fields for Login name, Email, and Display name,

   .

   The checkbox Send email invitation for user profile setup is selected by default. If you leave this option selected, the user will automatically receive an email containing an Accept button, with a one-time password embedded in the button. When the user clicks the button, they are taken to the platform and automatically logged A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA. in with the one-time password. They are then required to immediately change the password to log A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA. in again.

   

   If you choose to deselect Send email invitation for user profile setup, a panel opens where you can set a password for the user either manually or automatically. The user will not receive an email invitation to log A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA. in to the platform in this case, and you will need to copy and save the password and deliver it to the user some other way.

5. Click Next.

6. The Advanced Settings window appears. The default Membership Type is set to Employee. This can later be changed to Vendor. See Advanced Settings for more information. After you have selected the correct membership type, click Next.

   

7. Add the new user to a group, if needed.

   .

Bulk Importing Local Users

With the bulk import feature, administrators can import a large number of local users in a single operation, rather than manually adding Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. each user one by one to the Delinea Directory. This feature saves administrators time and effort by eliminating repetitive data entry and reducing errors. Additionally, it supports a CSV format template, allowing for offline preparation of user data, which can be efficiently organized before import.

The platform does not natively support bulk import and synchronization of all users from an external source such as AD Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network., or from a federation service. Platform administrators can find AD Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. users to add to the platform by performing filtered searches through external AD Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. directories, but federated directories cannot be searched.

Workflow:

Steps:

1. Log A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA. in to the platform.

2. Click Access from the left navigation, then select Users.

3. In the Users section, click Import Users.

4. Download the provided CSV template by clicking the respective option.

5. Open the downloaded CSV template and update it with the user account information you wish to add. Refer to the following guidelines:

   • All required fields must be present.

   • Each field must have a header.

   • Headers must match exactly as shown in the following table, including uppercase characters and spaces.

   • Attributes not listed in the following table must be defined in Settings > User attributes > Additional attributes. If the additional attributes are not defined, they will not be uploaded. The attribute names you define on the Additional Attributes page must exactly match the corresponding headers in the CSV file.
     
     

   • Default Fields	Rules
     Login Name	Required - Enter the full username, including the login suffix, in the form <login name>@<loginsuffix>. The login suffix must already exist.
     Email Address	Required - You can specify one email address only. The email address must be of a valid form. Plain text strings, such as “N/A” or “unavailable”, are not allowed.
     Display Name	Optional - You can enter the display name in Excel using either format: first last or last, first. If you are editing the CSV file, use quotes if you specify the last name first (for example, "last, first"). This field is optional, but highly recommended.
     Description	Optional - A description of the user. Do not use punctuation. The limit is 128 characters.
     Office Number Mobile number Home number	Optional - You must enter the area code. You can enter domestic U.S. numbers in the following forms: 1234567890 123-456-7890 To enter an international number, use E.164 number formatting. If you use the phone or text message options for multi-factor authentication Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to prove their identity using two or more different factors, such as something they know (like a password), something they have (like a phone or security token), or something they are (like a fingerprint or facial scan). Even if a password is compromised, MFA can prevent unauthorized access because the attacker would still need to obtain the additional verification methods., the Office and/or Mobile numbers must be accurate. If the numbers are not accurate, the user cannot log A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA. in.
     Groups	Optional - All regular users are automatically added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. to the Everybody group. You can specify multiple groups. Use commas to separate the groups. If you are editing the CSV file, surround the groups with quotes; for example, "group1,group2,group3". The group must already exist, and the names are case-sensitive. Service users are excluded from the Everybody group.
     Expiration Date	Optional - Enter a date when the user account expires. If you do not set a date, the account does not expire. This field is not in the CSV template.
     Password	Optional - Sets the password for the user. Password requirements are based on the password policy settings in Access > Identity Policies An identity policy determines whether and when a Delinea Platform user is presented with the challenges specified in the associated authentication profile. > [User] > User security > Password settings.
     Require Password Change	Optional - Specifies whether users must change the password upon the first successful login. The supported inputs are: False, f, no, n -- No password change required True, t, yes, y -- Password change required
     Platform User Membership Type	Optional - By default, the membership type is Employee. If you are adding Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. vendors, be sure to change the membership type to Vendor.
     Reports to	Optional - Name of the reporting manager. This field is not in the CSV template.




6. After updating the CSV template, return to the platform to upload the CSV file. Follow the same steps as before if you have exited from the Import Users flow. The file to upload must be: in CSV format, with a max size of 100 KB.

7. Proceed by clicking Next .

8. Review the first 15 records displayed in the preview. Use this opportunity to ensure that the entries are correctly formatted.

9. Once reviewed, click Next to proceed.

10. By default, the option Send email invite for user profile setup will be selected. If you wish to proceed with this option, the user will automatically receive an email invite to log A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA. into the platform. They will be prompted to change their password immediately upon login.

11. Finally, click the Import button to initiate the import of the users.

The user import process operates asynchronously and the duration of completion depends on the number of users being added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network.. Following the import, two email messages will be dispatched:

• Bulk import report: Sent to the initiating Admin, this email provides details on the number of new users specified in the file and the successful additions. Additionally, explanations are given for any failed user import.

• Platform Invite: Sent to each newly created user if the "Send email invite for user profile setup" option was chosen. This email contains a link that directs users to the platform, where they can set up a new password unless configured otherwise.

Service Users

Service users are specifically designed for non-interactive, programmatic access to the platform. They are intended for scenarios such as API integrations and automation scripts. Service users are not associated with regular users, and they are intentionally excluded from the predefined Everybody user group.

Key Points:

• Service users are not added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. to the predefined Everybody group. For more information on predefined groups, see Group Management.

• Service users have no permissions by default. Add the user to the appropriate group or role to give it only the permissions it needs for its headless use case.

• Service users cannot be invited like regular users; an administrator must manually create and configure them.

• When a service user is created, a corresponding application account is automatically generated in Secret Server The Delinea secrets vault. Delinea Secret Server is an enterprise-grade secrets storage vault for securely storing, managing, and controlling access to privileged credentials and other sensitive data. See Secret Server on Platform, Secret Server Cloud (SSC), and Secret Server on Premises (SSOP) for distinctions., requiring no additional actions.

• Service users can currently log A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA. in interactively through the platform UI. In the future, we plan to introduce self-service options, enabling administrators to decide whether service users should log A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA. in interactively or not.

• MFA Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to prove their identity using two or more different factors, such as something they know (like a password), something they have (like a phone or security token), or something they are (like a fingerprint or facial scan). Even if a password is compromised, MFA can prevent unauthorized access because the attacker would still need to obtain the additional verification methods. is not applicable for non-interactive service users.

Add Service Users

1. Click Access from the left navigation menu.

2. Select Users to view the list of existing users.

3. On the Users page, click More in the top-right corner.

4. From the drop-down menu, select Add service user.
   
   

5. Complete the required fields on the Add service user form:

   • Username: A unique identifier for the service user.

   • Email address: This field is optional.

   • Display name: A descriptive name for the service user, typically reflecting its purpose.

   • Set password: Set a secure password for the service user (Manual or Generated).
     
     

6. Assign the service user to the appropriate group based on its intended role and permissions.
   
   

7. Save the service user details.

8. Verify that the service user appears on the Users list.

9. Click the service user name in the Users list to open the user page and ensure that the user has the correct groups and permissions assigned.