Adding Local User Accounts

Adding local user accounts to the platform is not considered a best practice for privileged access management. Local user accounts should be added only rarely, and for very specific purposes. For example, you might need to add a local user account for someone who needs to try out platform functionality for a very limited time. Vendors are also added as local accounts.

Typically, the Delinea Platform is used by a corporate enterprise to manage privileged access for its employees and contractors. A local user would typically be added by a platform administrator, but a platform administrator is not legally authorized to formally establish a person's identity. Only human resources personnel are legally authorized to formally establish a new employee's identity, for example by confirming their proof of residency, asking to see their driver's license or work visa, and taking their photograph. And only human resources can authorize that person to be added as a new employee to the corporate Active Directory, and authorize their removal from the employee Active Directory.

Local accounts cannot be converted to external (Active Directory or federated) accounts.

(Migration customers only) After the Connector is installed and Active Directory is set up on the platform, do not add an existing Secret Server user as a local platform user, because doing so could cause synchronization issues between the platform and Secret Server.

To Add a Local User Account

  1. Click Access from the left navigation, then select Users.

  2. The Users page displays each user on a row, with columns showing basic user information including the user's Display Name, Email, Source, Status, Last Invite, and Last Login.

  3. Click Add Local User on the right to create a new local user.

  4. On the Add local user page, fill in the required fields for Login name, Email, and Display name.

    The checkbox Send email invitation for user profile setup is selected by default. If you leave this option selected, the user will automatically receive an email containing an Accept button, with a one-time password embedded in the button. When the user clicks the button, they are taken to the platform and automatically logged in with the one-time password. They are then required to immediately change the password to log in again.

    If you choose to deselect Send email invitation for user profile setup, a panel opens where you can set a password for the user either manually or automatically. The user will not receive an email invitation to log in to the platform in this case, and you will need to copy and save the password and deliver it to the user some other way.

  5. Click Next.

  6. The Advanced Settings window appears. The default Membership Type is set to Employee. This can later be changed to Vendor. See Advanced User Settings for more information. After you have selected the correct membership type, click Next.

  7. Add the new user to a group, if needed.

Bulk Import Local User Accounts

With the bulk import feature, administrators can import a large number of local user accounts in a single operation, rather than manually adding each user one by one to the Delinea Directory. This feature saves administrators time and effort by eliminating repetitive data entry and reducing errors. Additionally, it supports a CSV format template, allowing for offline preparation of user data, which can be efficiently organized before import.

The platform does not natively support bulk import and synchronization of all users from an external source such as AD, or from a federation service. Platform administrators can find AD users to add to the platform by performing filtered searches through external AD directories, but federated directories cannot be searched.

Steps:

  1. Log in to the platform.

  2. Click Access from the left navigation, then select Users.

  3. In the Users section, click Import Users.

  4. Download the provided CSV template by clicking the respective option.

  5. Open the downloaded CSV template and update it with the user account information you wish to add. Refer to the following guidelines:

    • All required fields must be present.

    • Each field must have a header.

    • Headers must match exactly as shown in the following table, including uppercase characters and spaces.

    • Attributes not listed in the following table must be defined in Settings > User attributes > Additional attributes. If the additional attributes are not defined, they will not be uploaded. The attribute names you define on the Additional Attributes page must exactly match the corresponding headers in the CSV file.

    Default Fields and their Rules:

      Login Name
        Required - Enter the full username, including the login suffix, in the form <login name>@<loginsuffix>. The login suffix must already exist.

      Email Address
        Required - You can specify one email address only. The email address must be of a valid form. Plain text strings, such as “N/A” or “unavailable”, are not allowed.

      Display Name
        Optional - You can enter the display name in Excel using either format: first last or last, first. If you are editing the CSV file, use quotes if you specify the last name first (for example, "last, first").

        This field is optional, but highly recommended.

      Description
        Optional - A description of the user account. Do not use punctuation. The limit is 128 characters.

      Office Number
      Mobile number
      Home number
        Optional - You must enter the area code. You can enter domestic U.S. numbers in the following forms:

        • 1234567890

        • 123-456-7890

        To enter an international number, use E.164 number formatting. If you use the phone or text message options for multi-factor authentication, the Office and/or Mobile numbers must be accurate. If the numbers are not accurate, the user cannot log in.

      Groups
        Optional - All accounts are automatically added to the Everybody role. You can specify multiple groups. Use commas to separate the groups. If you are editing the CSV file, surround the groups with quotes; for example, "group1,group2,group3". The group must already exist, and the names are case-sensitive.

      Expiration Date
        Optional - Enter a date when the account expires. If you do not set a date, the account does not expire. This field is not in the CSV template.

      Password
        Optional - Sets the password for the user. Password requirements are based on the password policy settings in Access > Identity Policies > [User] > User security > Password settings.

      Require Password Change
        Optional - Specifies whether users must change the password upon the first successful login. The supported inputs are:

        False, f, no, n -- No password change required

        True, t, yes, y -- Password change required

      Platform User Membership Type
        Optional - By default, the membership type is Employee. If you are adding vendors, be sure to change the membership type to Vendor.

      Reports to
        Optional - Name of the reporting manager. This field is not in the CSV template.

  6. After updating the CSV template, return to the platform to upload the CSV file. Follow the same steps as before if you have exited from the Import Users flow. The file to upload must be in CSV format, with a maximum size of 100 KB.

  7. Proceed by clicking Next.

  8. Review the first 15 records displayed in the preview. Use this opportunity to ensure that the entries are correctly formatted.

  9. Once reviewed, click Next to proceed.

  10. By default, the option Send email invite for user profile setup will be selected. If you wish to proceed with this option, the user will automatically receive an email invite to log into the platform. They will be prompted to change their password immediately upon login.

  11. Finally, click the Import button to initiate the import of the user accounts.

The user import process operates asynchronously and the duration of completion depends on the number of users being added. Following the import, two email messages will be dispatched:

  • Bulk import report: Sent to the initiating Admin, this email provides details on the number of new users specified in the file and the successful additions. Additionally, explanations are given for any failed user import.

  • Platform Invite: Sent to each newly created user account if the "Send email invite for user profile setup" option was chosen. This email contains a platform link that directs users to the platform portal, where they can set up a new password unless configured otherwise.
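
The field rules in step 5 and the file limit in step 6 can be checked offline before the file is uploaded. The following Python lint is an added example, not part of the Delinea documentation or product; the function name `lint_import_csv`, the regular expressions, the case-insensitive matching of true/false values, and the final password check (a local review policy, not a platform rule) are assumptions.

```python
import csv
import io
import re

# Header names and rules come from the field table on this page; this is an offline lint only.
REQUIRED = ("Login Name", "Email Address")
PHONE_FIELDS = ("Office Number", "Mobile number", "Home number")
TRUE_VALUES = {"true", "t", "yes", "y"}
FALSE_VALUES = {"false", "f", "no", "n"}   # assumption: values compared case-insensitively
MAX_BYTES = 100 * 1024                     # assumption: "100 KB" read as 102,400 bytes
LOGIN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")                 # <login name>@<loginsuffix>
EMAIL_RE = re.compile(r"^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$")  # simplified: one address only
PHONE_RE = re.compile(r"^(\d{10}|\d{3}-\d{3}-\d{4}|\+[1-9]\d{1,14})$")  # U.S. forms or E.164
PUNCT_RE = re.compile(r"[^\w\s]")

# Constructed sample input: one row that breaks several rules.
SAMPLE = (b"Login Name,Email Address,Description,Office Number,Password,Require Password Change\n"
          b'jdoe,N/A,"Temp, vendor",555-1234,Constructed-Pw-1,maybe\n')


def lint_import_csv(data: bytes) -> list[str]:
    """Return the problems found in a bulk-import CSV; an empty list means no findings."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, over the 100 KB limit")
    reader = csv.DictReader(io.StringIO(data.decode("utf-8-sig")))
    headers = reader.fieldnames or []
    problems += [f"missing required header {h!r}" for h in REQUIRED if h not in headers]
    for row_no, raw in enumerate(reader, start=2):  # line 1 is the header line
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        found = []
        if not LOGIN_RE.match(row.get("Login Name", "")):
            found.append("Login Name must be <login name>@<loginsuffix>")
        if not EMAIL_RE.match(row.get("Email Address", "")):
            found.append("Email Address must be one valid address")
        desc = row.get("Description", "")
        if len(desc) > 128 or PUNCT_RE.search(desc):
            found.append("Description: at most 128 characters, no punctuation")
        for field in PHONE_FIELDS:
            if row.get(field) and not PHONE_RE.match(row[field]):
                found.append(f"{field} must be 1234567890, 123-456-7890 or E.164")
        flag = row.get("Require Password Change", "").lower()
        if flag and flag not in TRUE_VALUES | FALSE_VALUES:
            found.append("Require Password Change has an unsupported value")
        # Added review flag (local policy, not a platform rule): rotate CSV-set passwords.
        if row.get("Password") and flag not in TRUE_VALUES:
            found.append("Password is set without a required change at first login")
        problems += [f"row {row_no}: {m}" for m in found]
    return problems
```

The lint cannot confirm that a login suffix or group already exists; that depends on the platform's configuration.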