Managing User Accounts and Groups

To manage users on the Delinea Platform, begin by clicking Access from the left navigation menu, then selecting Users. The Users page displays all users on the platform, including Active Directory, Federated, and Delinea Directory (local) users.


Click a USERNAME to go to that specific user's page, where you can view and edit settings for the user account, including the user's group memberships, roles, policies, activities, and attributes. For detailed instructions on managing platform users, see Managing User Accounts.

Risk Score

This feature is currently available only to customers participating in a private preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.

Risk Score is displayed for each user. Risk is based on the analytics that generate non-resolved alerts and the associated findings. Risk scores are assigned as Low, Medium, and High. Refer to Analytics Findings and Risk.

Risk Level: Definition
N/A: No risk has been identified for this user. Our monitoring systems have not detected any suspicious behavior or security concerns.
Low: Minor security alerts have been triggered for this user. These alerts are typically low concern and may result from legitimate activities, such as accessing resources from an unusual geographic location. No immediate action is required, but continued monitoring is recommended.
Medium: Elevated risk indicators have been observed for this user. This may include multiple alerts or behavioral patterns that warrant further investigation. While the situation is not critical, proactive measures, such as enhanced monitoring or verifying the user’s activity, are advised.
High: Significant risk indicators have been detected for this user. Examples include:

For high-risk situations, the following actions are strongly recommended:

External User Accounts vs. Local User Accounts

Virtually every user account on the platform should be an external user account, meaning either an Active Directory account or a federated account.

A local user account is added directly to the platform by an administrator.
An external user account isn't added directly to the platform, but becomes accessible on the platform when the associated Active Directory or federation is connected to the platform.
The administrator must still provide permissions to the user to access platform features.

A local user must satisfy local authentication requirements to log in to the platform.
An external user must only satisfy the authentication requirements through the external source (AD or federation IdP).

A local user account appears on the Users page (Access > Users) when an administrator adds the account to the platform.
An external user account appears on the Users page only after the user logs in to the platform for the first time.

Avoid Adding Local User Accounts

Adding local user accounts to the platform is not considered a best practice for privileged access management. Local user accounts should be added only rarely, and for very specific purposes. For example, you might need to add a local user account for someone who needs to try out platform functionality for a very limited time. Vendors are also added as local accounts. For details, see Adding Local User Accounts.
