Managing Users

This page explains how to perform various administrative tasks to manage the user accounts in the Delinea Platform.

View User Accounts

To view a list of user accounts, click Access from the left navigation menu, then select Users. From the Users page, you can see all users on the platform in one place, including Active Directory, Federated, and local (Delinea Directory) users.

Click a specific User Name to open that user’s account page, where you can view all information about that user and edit some of the user settings, including the user's group memberships, roles, policies, and attributes.

The top right of every tab on the user page has a Delete button and an Actions drop-down button.

To delete the user, click Delete.

To take common actions, click the Actions drop-down button.

User Actions Drop-down

The following table describes the available actions.

  • Set password: Prompts you to reset the user's account password. In the window that appears, enter a new password for the user.

  • Send email invitation: Sends an invitation email to the selected user. As part of this workflow, the user is required to change their password the next time they log in.

  • MFA unlock: Suspends multi-factor authentication for 10 minutes. Multi-factor authentication requires users to perform additional steps, such as verifying their identity by email or phone call, to log in to the Delinea Platform. If the user is having trouble logging in, select this action to let the user log in with just a login name and password. Because the account is reduced to a single factor for that window, verify the requester's identity out of band before using it.

  • Disable account: Disables the user account. A disabled user cannot log in to the platform, and a user who is currently logged in can no longer access platform services that require authentication.

  • Unlock account: When a user account is locked temporarily or permanently, which is usually triggered by specific policies or conditions, this action lets an administrator unlock the account immediately. It is only available when a local user account is locked.

  • Reload Rights: Updates the user's rights immediately to put into effect any changes you have made to the account, for example after adding the user to a new role or changing the user's administrative privileges. Use this action immediately after modifying the user's role or rights.

Overview Tab

The individual user page opens by default to the Overview tab.


The top of the Overview tab displays the user account’s basic information, including status, directory source, creation date, last login, and last password change.

User Overview Status

Status

The following table provides descriptions of each status that can apply to a user.

  • Active: The user has logged in to the Delinea Platform.

  • Invited: An administrator has sent an invitation to the user, but the user has not yet accepted it and logged in. You can send an invitation when you create a local account or after the user is created. When the user accepts the invite, they are prompted to reset their password before they can log in to the platform.

  • Created: The account was created on the platform, but no email invitation has been sent. Successfully provisioned users appear on the Users page with a status of Created.

  • Suspended: The user account is locked. An account can be locked for several reasons; for example, a system administrator locked it, or the user reached the maximum number of failed login attempts.

Users can be suspended automatically after repeated failed password attempts. In that case:

  • The user is suspended for 30 minutes.

  • The Default Admin account (cloudadmin@< tenant >) can also be suspended for the same reason, but its automatic suspension lasts only 5 minutes.

  • If additional login attempts are made with the wrong password, the suspension time is extended.

Automatic suspension ends when the user logs in successfully, and the Users page continues to show the Suspended status until that happens.

Account

In the Account section, click Edit to modify the attribute fields or to upload a profile image.

  • Display name: The name visible to users once they are logged in to the platform.

  • Username: The name used to log in to the platform. Users log in with <Login Name>@<domain>. For example, jsmith@acme or jsmith@acme.com.


Advanced Settings

In this section, administrators can set the user's membership type to Employee or Vendor.

  • Membership type: Employee or Vendor.

  • Password never expires: Overrides the "Maximum password age" identity policy setting. Regardless of that setting, the password for this account never expires.

  • Require password change at next login: Forces the user to create a new password the next time they log in. The user is subject to any password reset policy controls and settings you have enabled. The setting clears as soon as the user logs in and creates a new password.

Note: "Password never expires" and "Require password change at next login" are mutually exclusive. Selecting one clears the other.

  • Account is disabled: Disables the account, with the same effect as the Disable account action.

  • Account is locked: Locks the user's account. When locked, the user is prevented from further access to Delinea Platform services, but is not locked out of their directory service. This setting can be enabled either manually or automatically through an identity policy. To configure the policy, navigate to the applicable policy and, under Password Setting, set Maximum consecutive bad password attempts allowed.

Note: The Default Admin account (cloudadmin@< tenant >) cannot be manually locked. For this account, the option is unavailable.

Secret Server Details

The following user types are available:

  • Hybrid users have direct access to both the Delinea Platform and Secret Server. Passwords are not synchronized between the platform and Secret Server. Users must reset their passwords independently in platform and Secret Server.

  • Native users can only log in through the platform, but not through Secret Server. They cannot authenticate directly with Secret Server.

  • None means that the user is a Secret Server user only, and is not associated with a platform account.

Groups Tab

An administrator can manage group membership from the individual User view as described here, or from the Groups view. See Group Management and Troubleshooting Federated User and Group Mapping for more information. To map federated user groups to platform groups, see Mapping Federated Groups. Also see Mapping Federated Users.

  1. Click the Groups tab to see a list of groups a user belongs to.


  2. To add a user to a group, click Assign Groups.

  3. Select one or more groups.

  4. Click Add to add the user to the selected groups.

    Add User to Groups

  5. To remove a user from a group, hover your cursor in the group row, near the right end of the Name column, and click the trash icon that appears.

    The Everybody group cannot be removed unless the user is a service user.

    Remove User from a Group

Roles Tab

  1. Click the Roles tab, which displays the roles the user has been assigned to.

  2. Click Edit to add or remove role assignments for the user.

It is not considered a best practice to assign a role directly to a user. We strongly recommend assigning a role (with its associated permissions) to a group, then adding the user to the group, at which point the user inherits the role and its permissions by virtue of their membership in the group.

For more detailed information about managing user roles, see Roles and Permissions.

MFA Redirection Tab

Multi-Factor Authentication (MFA) redirection lets one user (the redirect user) satisfy MFA challenges on behalf of another user (the original login user). When the original user logs in, the MFA challenge is issued against the redirect user's configured mechanisms, and once it is answered the original login user receives their own identity token. Once configured, the redirection is handled automatically. Be aware that the redirect user's MFA mechanisms effectively become the second factor for the original account, so limit this to accounts you control tightly.

To explain how redirection works, consider the following two users:

  • Original login user: The user who is actively trying to log in.
  • Redirect user: The user who has MFA set up. Login attempts are redirected to this user to answer any MFA challenges.

The redirect user performs MFA on behalf of the original login user. Any MFA mechanism that is used, such as email, text, Mobile Authenticator, and so on, is completed by the redirect user. The procedure is as follows:

  1. The original login user attempts to log in with their username.
  2. The Delinea Platform retrieves the original login user's details.
  3. The MFA challenges are issued against the redirect user's configured mechanisms and answered by the redirect user.
  4. When the challenge succeeds, an identity token/cookie is issued to the original login user.

Typical MFA Redirection Use Cases

MFA redirection is typically used when the original user has no MFA attributes (such as an email address or phone number) configured and therefore cannot satisfy any MFA challenge. In that case you can configure redirection so that the challenges go to a redirect user who has the required mechanisms configured, and that user answers them on the original user's behalf.

Configure MFA Redirection

  1. Click the MFA Redirection tab. This tab indicates whether MFA redirection is enabled and, if so, the name of the redirect account.

    Configure MFA Redirection

  2. Click Edit.

  3. Select the Enable redirect of Multi-Factor Authentication to a different user account checkbox.

  4. Click Select and select the account you want to use for the MFA redirection.

    If you select the same user you're currently editing, an error occurs: Cannot redirect MFA to the same user.

  5. Click Save.

Additional Attributes Tab

The Delinea Platform provides default user attributes, but you can add user attributes with custom values for Active Directory and Delinea Directory users. These added attributes can be useful as valid targets of MFA; for example, as an alternate email or phone number. The added attributes are stored on the Delinea Platform only. They are not copied to Active Directory.

To make additional attributes available for login authentication rules and SAML user authentication, you must first add them here.

  1. Click the Additional attributes tab.

  2. Click Add Attributes.

    User Additional Attributes

  3. Name: Enter a descriptive name for the attribute. The name can contain only letters, numbers, and underscores. It must start with a letter, and must include at least one underscore. For example: employee_status

  4. Attribute value: Select the attribute's value type from the dropdown list.

    Select Attribute Type

    • Number: Allows whole numbers
    • Number (decimal): Allows numbers with decimals
    • Text: Allows any string
    • True/False: Displays a dropdown list for the attribute value
    • Date Time: Displays a date and time picker for the attribute value

  5. Description: Enter a description for the attribute (optional).

  6. Click Save.

Activity Tab

The Activity tab lists each of the user's activities (events) on the platform, including the following:

  • Login
  • Logout
  • Security Question Set
  • Password Change
  • Password Change Failed
  • AD Password Change
  • AD Password Change Failed

For each activity, the following information is displayed: 

  • Date/Time
  • Event name
  • Status (Success or Failed)
  • Browser
  • IP Address
  • Operating System
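As an added example (not Delinea documentation or product code), the script below applies the lockout behaviour described under the Suspended status to the event fields the Activity tab shows. The sample rows are constructed, and the failed-login threshold of 5, the 30-minute window and the 15-minute grace period are illustrative assumptions, not platform settings. It flags a run of failed logins that ended in a successful login, and a password change from the same address shortly afterwards, which is the pattern an analyst reviewing a user's Activity tab after an automatic suspension would want to catch.

```python
# Added example: detection over a user's Activity tab rows (not Delinea code).
# Assumptions: SAMPLE_ROWS is constructed to mirror the Activity tab columns
# (Date/Time, Event name, Status, Browser, IP Address, Operating System);
# THRESHOLD, WINDOW and GRACE are illustrative, not platform settings.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD = 5                   # failed logins that count as a burst (assumed)
WINDOW = timedelta(minutes=30)  # mirrors the 30-minute automatic suspension
GRACE = timedelta(minutes=15)   # password change this soon after a burst is suspicious (assumed)


@dataclass
class Event:
    when: datetime
    name: str      # e.g. "Login", "Password Change"
    status: str    # "Success" or "Failed"
    browser: str
    ip: str
    os: str


@dataclass
class Burst:
    ip: str
    count: int
    first: datetime
    last: datetime
    followed_by_success: bool


# Constructed sample: one user's activity, exported as pipe-separated rows.
SAMPLE_ROWS = """
2024-05-01T08:01:00|Login|Success|Chrome|203.0.113.10|Windows
2024-05-01T08:05:00|Password Change|Success|Chrome|203.0.113.10|Windows
2024-05-01T13:00:00|Login|Failed|Firefox|198.51.100.7|Linux
2024-05-01T13:00:20|Login|Failed|Firefox|198.51.100.7|Linux
2024-05-01T13:00:41|Login|Failed|Firefox|198.51.100.7|Linux
2024-05-01T13:01:02|Login|Failed|Firefox|198.51.100.7|Linux
2024-05-01T13:01:25|Login|Failed|Firefox|198.51.100.7|Linux
2024-05-01T13:02:00|Login|Success|Firefox|198.51.100.7|Linux
2024-05-01T13:03:00|Password Change|Success|Firefox|198.51.100.7|Linux
"""


def parse_rows(text):
    """Parse pipe-separated Activity rows into Events, oldest first."""
    events = []
    for line in text.strip().splitlines():
        when, name, status, browser, ip, os_ = (f.strip() for f in line.split("|"))
        events.append(Event(datetime.fromisoformat(when), name, status, browser, ip, os_))
    return sorted(events, key=lambda e: e.when)


def failure_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Runs of at least `threshold` failed logins inside `window`.
    A successful login closes the run (automatic suspension also ends on a
    successful login); the Burst records whether that success came within
    the window, i.e. whether the guessing appears to have worked."""
    bursts = []
    run = []

    def close(followed):
        if len(run) >= threshold:
            ip = Counter(e.ip for e in run).most_common(1)[0][0]
            bursts.append(Burst(ip, len(run), run[0].when, run[-1].when, followed))

    for ev in events:
        if ev.name != "Login":
            continue
        if ev.status == "Failed":
            run.append(ev)
            run = [e for e in run if ev.when - e.when <= window]  # drop stale failures
        else:
            close(bool(run) and ev.when - run[-1].when <= window)
            run = []
    close(False)
    return bursts


def password_change_after_burst(events, bursts, grace=GRACE):
    """Successful password changes from the burst's IP shortly after a burst that ended in a login."""
    hits = []
    for b in bursts:
        if not b.followed_by_success:
            continue
        for ev in events:
            if (ev.name == "Password Change" and ev.status == "Success"
                    and ev.ip == b.ip and b.last < ev.when <= b.last + grace):
                hits.append(ev)
    return hits


def report(events, threshold=THRESHOLD):
    """Human-readable findings for an analyst reviewing the Activity tab."""
    findings = []
    bursts = failure_bursts(events, threshold)
    for b in bursts:
        msg = f"{b.count} failed logins from {b.ip} between {b.first:%Y-%m-%d %H:%M:%S} and {b.last:%H:%M:%S}"
        if b.followed_by_success:
            msg += " followed by a successful login: possible password guessing that succeeded"
        findings.append(msg)
    for ev in password_change_after_burst(events, bursts):
        findings.append(f"password changed at {ev.when:%H:%M:%S} from {ev.ip} shortly after that "
                        "success: treat as possible account takeover")
    return findings


if __name__ == "__main__":
    for finding in report(parse_rows(SAMPLE_ROWS)):
        print("-", finding)
```

The window prune means five failures spread across a day never form a burst, which keeps ordinary mistyping out of the findings; lower THRESHOLD to the value set in your identity policy under Maximum consecutive bad password attempts allowed so the script fires on exactly the sequences that would have locked the account.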

Policy Summary Tab

The Policy Summary tab displays all information about existing policies currently associated with a specific user. The page does not provide editing capabilities, because all of these policies are managed elsewhere.

Policy Summary

Secret Server Settings Tab

The Secret Server Settings tab displays the user's settings for Secret Server.

Click Edit next to IP address restrictions to add, remove, or modify the user's IP restrictions.

Click Edit next to Teams to add, remove, or modify the user's teams.