Managing User Accounts and Groups

To manage users on the Delinea Platform, begin by clicking Access from the left navigation menu, then selecting Users. The Users page displays all users on the platform, including Active Directory, Federated, and Delinea Directory (local) users.

Click a USERNAME to go to that specific user's page, where you can view and edit settings for the user account, including the user's group memberships, roles, policies, activities, and attributes. For detailed instructions on managing platform users, see Managing User Accounts.

Risk Score

This feature is currently available only to customers participating in a private preview. If you'd like to participate to be among the first to try this feature, ask our support or account team for details.

Risk Score is displayed for each user. Risk is based on the analytics that generate non-resolved alerts and the associated findings. Risk scores are assigned as Low, Medium, and High. Refer to Analytics Findings and Risk.

Risk Level	Definition
N/A	No risk has been identified for this user. Our monitoring systems have not detected any suspicious behavior or security concerns.
Low	Minor security alerts have been triggered for this user. These alerts are typically low concern and may result from legitimate activities, such as accessing resources from an unusual geographic location. No immediate action is required, but continued monitoring is recommended.
Medium	Elevated risk indicators have been observed for this user. This may include multiple alerts or behavioral patterns that warrant further investigation. While the situation is not critical, proactive measures, such as enhanced monitoring or verifying the user’s activity, are advised.
High	Significant risk indicators have been detected for this user. Examples include: Multiple suspicious actions on the account An MFA Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to prove their identity using two or more different factors, such as something they know (like a password), something they have (like a phone or security token), or something they are (like a fingerprint or facial scan). Even if a password is compromised, MFA can prevent unauthorized access because the attacker would still need to obtain the additional verification methods. (multi-factor authentication Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to prove their identity using two or more different factors, such as something they know (like a password), something they have (like a phone or security token), or something they are (like a fingerprint or facial scan). Even if a password is compromised, MFA can prevent unauthorized access because the attacker would still need to obtain the additional verification methods.) bombing attempt followed by further anomalous activity For high-risk situations, the following actions are strongly recommended: Enforce a more secure MFA Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to prove their identity using two or more different factors, such as something they know (like a password), something they have (like a phone or security token), or something they are (like a fingerprint or facial scan). Even if a password is compromised, MFA can prevent unauthorized access because the attacker would still need to obtain the additional verification methods. method for the user (e.g., hardware tokens or app-based authentication Authentication is a way for a user to prove that they are still the person they claimed to be during the identification phase by inputting something a person knows, such as a password or security question; something a person has, such as a token, smartcard, ID card, or cryptographic key; or something a person "is," using biometric data such as a fingerprint or facial scan.). Collaborate with the user to identify and mitigate potential risks. Take immediate steps to prevent account takeover attempts.

External User Accounts vs. Local User Accounts

Virtually every user account on the platform should be an external user account, meaning either an Active Directory account or a federated account.

A local user account is added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. directly to the platform by an administrator.
An external user account isn't added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. directly to the platform, but becomes accessible on the platform when the associated Active Directory or federation is connected to the platform.
The administrator must still provide permissions to the user to access platform features.

A local user must satisfy local authentication Authentication is a way for a user to prove that they are still the person they claimed to be during the identification phase by inputting something a person knows, such as a password or security question; something a person has, such as a token, smartcard, ID card, or cryptographic key; or something a person "is," using biometric data such as a fingerprint or facial scan. requirements to log A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA. in to the platform.
An external user must only satisfy the authentication Authentication is a way for a user to prove that they are still the person they claimed to be during the identification phase by inputting something a person knows, such as a password or security question; something a person has, such as a token, smartcard, ID card, or cryptographic key; or something a person "is," using biometric data such as a fingerprint or facial scan. requirements through the external source (AD Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. or federation IdP).

A local user account appears on the Users page (Access > Users) when an administrator adds the account to the platform.
An external user account appears on the Users page only after the user logs A record of background events typically related to systems, performance, outages, etc. A log is typically consumed by IT/Ops to help them ensure that things are running optimally and delivered according to the appropriate SLA. in to the platform for the first time.

Avoid Adding Local User Accounts

Adding Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. local user accounts to the platform is not considered a best practice for privileged access management. Local user accounts should be added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. only rarely, and for very specific purposes. For example, you might need to add a local user account for someone who needs to try out platform functionality for a very limited time. Vendors are also added Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory runs on Windows Server and stores information related to user accounts, computer objects, groups, policies, and other entities on the network. as local accounts. For details, see Adding Local User Accounts.

For related content, see the following: