Managing Users

Click Access from the left navigation menu, then select Users. From the Users page, you can see all users on the platform in one place, including Active Directory, Federated, and local (Delinea Directory) users.

Click a specific User Name to open that user’s account page, where you can view all information about that user and edit some of the user settings including the user's group memberships, roles, policies, and attributes.

Overview tab

The individual user page opens by default to the Overview tab.

The top of the Overview tab displays the user account’s basic information about their status, directory source, creation date, last login, and last password change.

User Overview Status

Status

The following table provides descriptions of each status that can apply to a user.

Status Description
Active The user has logged in to the Delinea Platform.
Invited An administrator has sent an invitation to a user, but the user has not accepted and logged in yet. You can send an invitation when you create a local account or after the user is created. When the user accepts the invite, the user will be prompted to reset their password before they are able to log in to the platform.
Created The account was created on the platform, but no email invitations have been sent. Successfully provisioned users appear on the Users page with a status of Created.
Suspended

The user account is locked. There are several reasons why an account is locked; for example, it could be locked by the system administrator, or because the user has reached the maximum number of login attempts.

Users can be automatically suspended due to multiple concurrent password failures. In that case:

  • Users are auto-suspended for a duration of 30 minutes

  • The default admin account (cloudadmin@< tenant >) can also be suspended for the same reason; however, its auto-suspension lasts only 5 minutes.

  • Continuing with the wrong password will extend the suspension.

Auto suspension will end after the user logs in successfully.

The Users tab continues to show the Suspended status until the user logs in successfully.
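As an added illustration (not part of this documentation or Delinea's code), the following Python model replays login attempts against the auto-suspension rules described above: the 30-minute suspension, the 5-minute suspension for the default admin account, extension on further wrong passwords, and clearing on a successful login. The failure threshold, the start time and the account names are assumptions; the page only says "multiple" failures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Added model of the auto-suspension behaviour described above (not Delinea
# code). The 30- and 5-minute durations come from the page; FAILURE_THRESHOLD
# is an assumption, since the page only says "multiple" failures (the real
# limit is the identity policy's "Maximum consecutive bad password attempts
# allowed" setting).
FAILURE_THRESHOLD = 5
DEFAULT_SUSPENSION = timedelta(minutes=30)
ADMIN_SUSPENSION = timedelta(minutes=5)      # default admin account only
ADMIN_LOGIN_PREFIX = "cloudadmin@"           # cloudadmin@<tenant>, per the page


@dataclass
class AccountState:
    login: str
    consecutive_failures: int = 0
    suspended_until: Optional[datetime] = None

    def suspension_length(self) -> timedelta:
        if self.login.startswith(ADMIN_LOGIN_PREFIX):
            return ADMIN_SUSPENSION
        return DEFAULT_SUSPENSION

    def is_suspended(self, now: datetime) -> bool:
        return self.suspended_until is not None and now < self.suspended_until

    def record_failure(self, now: datetime) -> None:
        """Wrong password: count it and start, or push out, the suspension."""
        self.consecutive_failures += 1
        if self.consecutive_failures >= FAILURE_THRESHOLD:
            self.suspended_until = now + self.suspension_length()

    def record_success(self, now: datetime) -> bool:
        """Correct password. Returns True if the login goes through; a
        successful login ends the suspension and resets the failure count."""
        if self.is_suspended(now):
            return False
        self.consecutive_failures = 0
        self.suspended_until = None
        return True


def simulate(login: str, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay (minute offset, password correct?) attempts for one account and
    return the outcome of each: failed, suspended, blocked or login."""
    start = datetime(2024, 1, 1, 9, 0)            # constructed start time
    acct = AccountState(login)
    outcomes = []
    for offset, correct in attempts:
        now = start + timedelta(minutes=offset)
        if correct:
            outcomes.append("login" if acct.record_success(now) else "blocked")
        else:
            acct.record_failure(now)
            outcomes.append("suspended" if acct.is_suspended(now) else "failed")
    return outcomes


if __name__ == "__main__":
    bad = [(m, False) for m in range(5)]
    print(simulate("jsmith@acme", bad + [(10, True), (20, False), (45, True), (55, True)]))
    print(simulate("cloudadmin@acme", bad + [(8, True), (10, True)]))
```

In the replay, a correct password during the suspension window is still refused, and a wrong password during the window moves the end of the window out again, which is why a user who keeps retrying stays suspended.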

Delete

At the top right of the Overview tab, click Delete to delete the user account from the platform. The user will no longer be listed on the Users page and can no longer log in to the platform. For Active Directory user accounts, the deleted account is no longer listed on the Users page, but you must use Active Directory Users and Computers to delete the Active Directory account itself.

Actions

At the top right of the Overview tab, click the Actions drop-down to access quick actions.
User Actions Drop-down

The following table describes the available user actions.

Action Description
Set password Prompts you to reset the user's account password. In the window that appears, enter a new password for the user.
Send email invitation Sends an email to the selected user. As part of this workflow, the user is required to change their password the next time they log in.
MFA unlock Suspends multi-factor authentication for 10 minutes. Multi-factor authentication requires users to perform additional steps, such as verifying their identity by email or phone call, to log in to the Delinea Platform. If the user is having trouble logging in, select the user and select this action to let the user log in with just a login name and password.
Disable account Disables a user account. The disabled user is unable to log in to the platform. If the user is currently logged on, the user will not be able to access platform services that require authentication.
Unlock account When a user account is locked temporarily or permanently, usually triggered by specific policies or conditions, this action enables an Admin to unlock the account immediately. This action is only available when an account is locked.
Reload Rights Updates the user's rights immediately to put into effect any changes you have made to the account. For example, you can use this action when you add the user to a new role or change the user's administrative privileges. Use this action immediately after modifying the user's role or rights.

Account

In the Account section, click Edit to modify the attributes described in the following table.

Edit Account Attributes

Field Description
Login Name The login name used to log in to the platform. Users log in with <Login Name>@<domain>. For example, jsmith@acme or jsmith@acme.com.
Email Address The email address for the user.
Display Name The name visible to users once they are logged in to the tenant.

Advanced Settings

In this section, administrators can set the user's membership type to Employee or Vendor.

Status

In the Status section, click Edit to select an account status as described in the following table.

Edit User Status

Action Description
Locked Locks the user's account. When locked, users are prevented from further access to Delinea Platform services, but they are not locked out entirely in their directory service. This setting can be enabled either manually or automatically through an identity policy. To configure the policy, navigate to the applicable policy and, under Password Setting, set Maximum consecutive bad password attempts allowed.
Note: The default admin account (cloud@< tenant >) cannot be manually locked. For this account, the option is unavailable.
Password never expires Overrides the default "Maximum password age" identity policy setting. Regardless of the "Maximum password age" setting, the password for this account never expires.
Note: This setting and the "Require password change at next login" setting are interdependent. If you select one, the other is reset.
Require password change at next login Forces users to create a new password the next time they log in. The user is subject to any password reset policy controls and settings you have enabled. This setting is reset as soon as the user logs in and creates a new password.
Note: This setting and the "Password never expires" setting are interdependent. If you select one, the other is reset.
Is Service User Select this option for service users (non-interactive users). These users will not belong to the Everybody role.

Secret Server details

The following user types are available:

  • Hybrid users have direct access to both the Delinea Platform and Secret Server. Passwords are not synchronized between the platform and Secret Server. Users must reset their passwords independently in the platform and/or Secret Server.

  • Native users can log in only through the platform, not through Secret Server. They cannot authenticate directly with Secret Server.

  • None means that the user is a Secret Server user only, and is not associated with a platform account.

Groups tab

An administrator can manage group membership for users in two ways: from the Groups view or from an individual User view. See Group Management for more information.

  1. Click the Groups tab to see a list of groups a user belongs to.

  2. To add a user to a group, click Assign To Groups.

  3. Select one or more groups.

  4. Click Add to add the user to the groups selected.

    Add User to Groups

  5. To remove a user from a group, hover your cursor in the group row, near the right end of the Name column, and click the trash icon that appears.

    The Everybody group cannot be removed unless the user is a service user.

    Remove User from a Group

Roles tab

  1. Click the Roles tab, which displays the roles the user has been assigned to.

  2. Click Edit to add or remove role assignments for the user. For more detailed information about managing user roles, see Roles and Permissions.

MFA Redirection tab

Multi-Factor Authentication (MFA) redirection enables users to perform MFA on behalf of any chosen user. This means the user that is logging in can be configured to perform MFA as the redirect user and receive an identity token for the original login user after they successfully log in. Once configured, the MFA redirection is handled automatically.

To explain how redirection works, consider the following two users:

  • Original login user: The user who is actively trying to log in.
  • Redirect user: The user who has MFA set up. Login attempts are redirected to this user to answer any MFA challenges.

The redirect user performs MFA on behalf of the original login user. Any MFA mechanism that is used, such as email, text, Mobile Authenticator, and so on, is completed by the redirect user. The procedure is as follows:

  1. The original user attempts to log in with their username.
  2. The details for the original login user are retrieved from the Delinea Platform.
  3. The original login user receives MFA challenges for the redirect user's account.
  4. When authentication is successful, an identity token/cookie is provided to the original login user.

Typical MFA Redirection Use Cases

MFA redirection is typically used when the original login user has no attributes configured, and therefore cannot satisfy any MFA challenge. When the original login user is challenged for additional authentication, the MFA redirection feature can be configured so that the MFA challenges of the redirect user (who has the required mechanisms configured) are presented to the original login user to answer.

Configure MFA Redirection

  1. Click the MFA Redirection tab. This tab indicates whether MFA redirection is enabled, and if so, the name of the redirect account.

    Configure MFA Redirection

  2. Click Edit.

  3. Select the Enable redirect of Multi-Factor Authentication to a different user account checkbox.

  4. Click Select and select the account you want to use for the MFA redirection.

    If you select the same user you're currently editing, an error occurs: Cannot redirect MFA to the same user.

  5. Click Save.

Additional Attributes

The Delinea Platform provides default user attributes, but you can add user attributes with custom values for Active Directory and Delinea Directory users. These added attributes can be useful as valid targets of MFA; for example, as an alternate email or phone number. The added attributes are stored on the Delinea Platform only. They are not copied to Active Directory.

Add attributes tab

To make attributes available for login authentication rules and SAML user authentication, you must first add them to the user table.

  1. Click Settings from the left navigation menu, then select User attributes.

  2. Click the Additional attributes tab.

  3. Click Add Attributes.

    User Additional Attributes

  4. Enter a name for the attribute. The name may contain only letters, numbers, and underscores. It must start with a letter, and must include at least one underscore. For example:

    employee_status

  5. In Type, select the attribute type from the dropdown list.

    Select Attribute Type

    Type Description
    Number Allow whole numbers
    Number (decimal) Allow numbers with decimals
    Text Allow any string
    True/False Provides a dropdown list for the attribute value
    Date Time Provides a date and time picker for the attribute value

  6. Optionally, enter a Description for the attribute.

  7. Click Save.
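The following Python helper is an added example, not part of the platform or its API; it checks an attribute name against the rule in step 4 and parses a candidate value according to the type chosen in step 5, which is useful when attributes are populated by script rather than by hand. How the platform itself stores or validates values is not described on this page, so the value parsers (ISO 8601 for Date Time, "true"/"false" for True/False) are assumptions.

```python
import re
from datetime import datetime
from typing import Any, Callable, Dict, Tuple

# Name rule from step 4: only letters, digits and underscores; must start with
# a letter; must contain at least one underscore.
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def valid_attribute_name(name: str) -> bool:
    return _NAME_RE.fullmatch(name) is not None and "_" in name


def _parse_whole(text: str) -> int:
    # "Number" allows whole numbers only, so "1.5" and "1e3" are rejected.
    if re.fullmatch(r"-?\d+", text.strip()) is None:
        raise ValueError("not a whole number")
    return int(text)


def _parse_bool(text: str) -> bool:
    lowered = text.strip().lower()
    if lowered not in ("true", "false"):
        raise ValueError("expected true or false")
    return lowered == "true"


# One parser per type in the step 5 table. The platform's own storage format is
# not on the page; ISO 8601 for Date Time and "true"/"false" for True/False
# are assumptions made for this example.
PARSERS: Dict[str, Callable[[str], Any]] = {
    "Number": _parse_whole,
    "Number (decimal)": float,
    "Text": str,
    "True/False": _parse_bool,
    "Date Time": datetime.fromisoformat,
}


def validate_attribute(name: str, attr_type: str, value: str) -> Tuple[bool, Any]:
    """Return (True, parsed_value) when name and value are acceptable,
    otherwise (False, reason)."""
    if not valid_attribute_name(name):
        return False, "invalid name: %r" % name
    parser = PARSERS.get(attr_type)
    if parser is None:
        return False, "unknown type: %r" % attr_type
    try:
        return True, parser(value)
    except ValueError as exc:
        return False, "bad %s value %r: %s" % (attr_type, value, exc)


if __name__ == "__main__":
    print(validate_attribute("employee_status", "Text", "contractor"))
    print(validate_attribute("badge_number", "Number", "1.5"))
    print(validate_attribute("start_date", "Date Time", "2024-03-04T09:00:00"))
```

Rejecting a value before it is written keeps a mistyped attribute (for example, a phone number intended as an MFA target that is saved as a decimal) from silently becoming an authentication factor that never works.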

Activity tab

Click the Activity tab.

Activity Tab

The Activity tab lists each of the user's activities (events) on the platform, including the following:

  • Login
  • Logout
  • Security Question Set
  • Password Change
  • Password Change Failed
  • AD Password Change
  • AD Password Change Failed

For each activity, the following information is displayed: 

  • Date/Time
  • Event name
  • Status (Success or Failed)
  • Browser
  • IP Address
  • Operating System

Policy Summary

The Policy Summary tab displays all information about existing policies currently associated with a specific user, as shown in the following image. The page does not provide editing capabilities, because all of these policies are managed elsewhere.

Policy Summary

Secret Server Settings tab

The Secret Server Settings tab displays the user's settings for Secret Server.

Click Edit next to IP address restrictions to add, remove, or modify the user's IP restrictions.

Click Edit next to Teams to add, remove, or modify the user's teams.