Delinea Authorization Powered by Iris AI
This feature is currently available only to customers participating in a Private Preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.
Delinea Authorization powered by Iris AI (Iris Authorization) is an AI-powered access-approval agent that automates Secret Server approval workflows, streamlining the process and reducing the risk of unauthorized access while enhancing compliance with existing security policies.
Iris Authorization evaluates each access request based on:
- the requester’s identity
- the requester’s stated intent
- contextual risk signals
- historical patterns
- your organization’s policies
Iris Authorization vs. Manual Approval
Traditional manual access approvals can be time-consuming for both administrators and users, are prone to human error, and may not adequately assess the risk associated with each request.
Iris Authorization addresses these challenges with automation based on comprehensive data, enhancing security and efficiency while still enabling human administrators to analyze approvals and intervene as necessary.
Most importantly, Iris Authorization will not grant additional access beyond what is requested. In addition, administrators are able to give feedback on past approvals, allowing Iris Authorization to learn and adapt over time to improve its decision-making capabilities.
Recommendation vs. Automated Decision
Iris Authorization operates in two primary modes: recommendation only and automated decision.
| Mode | Behavior |
|---|---|
| Decide | Iris Authorization automatically approves or denies the request |
| Recommend | Iris Authorization only recommends an action; a human still approves/denies |
In the recommendation mode, Iris Authorization provides suggestions to a human approver (who receives the request and suggestion in the Inbox).
In the automated decision mode, Iris Authorization can approve or deny requests based on predefined criteria.
The process flows like this:
- Request Submission: A user submits an access request, including a ticket number and justification (unless you modify the instructions to exclude these requirements).
- Risk Assessment: Iris Authorization evaluates the requestor's risk score, location, business hours, and other contextual signals.
- Ticket Verification: Iris Authorization retrieves and analyzes the content of the associated ticket (from systems like Zendesk or ServiceNow).
- Decision Making: Based on the analysis, Iris Authorization approves or denies the request (Decide mode) or recommends an action to a human approver (Recommend mode).
- Feedback Loop: Administrators can provide feedback on Iris Authorization's decisions, which is used to improve the system's accuracy over time.
Decision Factors
When Iris Authorization evaluates an access request, it considers the following (non-exhaustive) checks:
- Ticket number – Matches the ITSM ticket (e.g., Zendesk) with the access request
- Ticket justification – Request reason must align with ticket description
- Ticket creator – Must differ from the user who submitted the access request
- Request justification – Denied if missing, insufficient, or unrelated
- User risk score – Critical/high-risk users require stricter scrutiny
- User attributes:
  - Day of week (requests on weekends are flagged)
  - Working hours vs. off-hours
  - Login location anomalies
  - MFA status (denied if 2FA is absent)
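The checks above are easier to reason about when written out as an explicit policy. The following is an added example, not Delinea's code: the product evaluates requests with an LLM-backed agent, whereas this is a deterministic model of the same factors so you can see which signals are hard denials, which are soft flags, and how Recommend mode differs from Decide mode. The field names, the business-hours window, the minimum justification length, the keyword-overlap stand-in for "justification aligns with the ticket", and the rule that a high/critical-risk user with any contextual anomaly is denied are all assumptions for the example; the sample tickets and requests are constructed.

```python
"""Illustrative model of the Iris Authorization decision factors (added example,
not Delinea's code). Thresholds and field names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Optional
import re


class Mode(Enum):
    RECOMMEND = "recommend"   # agent suggests; a human still approves/denies
    DECIDE = "decide"         # agent approves/denies on its own


class Outcome(Enum):
    APPROVED = "Approved"
    DENIED = "Denied"
    RECOMMENDED = "Recommended"


@dataclass
class Ticket:
    ticket_id: str
    creator: str                   # who opened the ITSM ticket
    description: str


@dataclass
class AccessRequest:
    requester: str
    ticket_id: Optional[str]
    justification: str
    submitted_at: datetime         # requester's local time (assumed)
    mfa_present: bool
    risk_score: str                # "low" | "medium" | "high" | "critical"
    login_location: str
    usual_locations: tuple


@dataclass
class Decision:
    recommended_action: str        # "approve" or "deny"
    outcome: Outcome               # what the Access Requests page would show
    reasons: list = field(default_factory=list)   # hard-deny reasons
    flags: list = field(default_factory=list)     # soft contextual signals


BUSINESS_HOURS = range(9, 18)      # assumed 09:00-17:59 local
MIN_JUSTIFICATION_WORDS = 4        # assumed threshold for "insufficient"
STOPWORDS = {"the", "a", "an", "to", "for", "of", "on", "in", "and", "is",
             "need", "access", "with", "my"}


def _keywords(text: str) -> set:
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def evaluate(req: AccessRequest, tickets: dict, mode: Mode) -> Decision:
    reasons, flags = [], []
    # Request justification: denied if missing or insufficient.
    if len(req.justification.split()) < MIN_JUSTIFICATION_WORDS:
        reasons.append("justification missing or insufficient")
    # Ticket number must match a real ITSM ticket.
    ticket = tickets.get(req.ticket_id) if req.ticket_id else None
    if ticket is None:
        reasons.append(f"no ITSM ticket matches {req.ticket_id!r}")
    else:
        # Ticket creator must differ from the requester (no self-justified tickets).
        if ticket.creator == req.requester:
            reasons.append("ticket was created by the requester")
        # Keyword overlap stands in for the semantic "reason aligns with ticket" check.
        if not (_keywords(req.justification) & _keywords(ticket.description)):
            reasons.append("justification unrelated to ticket description")
    # MFA status: denied outright if 2FA is absent.
    if not req.mfa_present:
        reasons.append("MFA not present on requester session")
    # Contextual signals are flagged rather than denied on their own.
    if req.submitted_at.weekday() >= 5:
        flags.append("weekend request")
    if req.submitted_at.hour not in BUSINESS_HOURS:
        flags.append("off-hours request")
    if req.login_location not in req.usual_locations:
        flags.append(f"login location anomaly: {req.login_location}")
    # Stricter scrutiny for high/critical-risk users: any flag becomes a denial (assumed).
    if req.risk_score in ("high", "critical") and flags:
        reasons.append(f"{req.risk_score}-risk user with contextual anomalies")
    action = "deny" if reasons else "approve"
    # In Recommend mode the agent never approves or denies; a human does.
    outcome = Outcome.RECOMMENDED if mode is Mode.RECOMMEND else (
        Outcome.DENIED if action == "deny" else Outcome.APPROVED)
    return Decision(action, outcome, reasons, flags)


# Constructed sample data (not from any real tenant).
TICKETS = {
    "ZD-4412": Ticket("ZD-4412", "dba.lead", "Fix slow query on the billing database replica"),
    "ZD-4413": Ticket("ZD-4413", "alice", "Grant me access to the billing database"),
}
WEEKDAY_10AM, SATURDAY_11PM = datetime(2024, 6, 11, 10, 30), datetime(2024, 6, 15, 23, 0)
GOOD = AccessRequest("alice", "ZD-4412", "Need billing database access to fix the slow replica query",
                     WEEKDAY_10AM, True, "low", "Berlin", ("Berlin",))
SELF_TICKET = AccessRequest("alice", "ZD-4413", "Billing database access for my ticket",
                            WEEKDAY_10AM, True, "low", "Berlin", ("Berlin",))
NO_MFA = AccessRequest("bob", "ZD-4412", "Help dba.lead with the billing replica query",
                       WEEKDAY_10AM, False, "low", "Berlin", ("Berlin",))
RISKY = AccessRequest("carol", "ZD-4412", "Billing replica query fix for the database team",
                      SATURDAY_11PM, True, "critical", "Lagos", ("Berlin",))
MEDIUM_RISK = AccessRequest("carol", "ZD-4412", "Billing replica query fix for the database team",
                            SATURDAY_11PM, True, "medium", "Lagos", ("Berlin",))

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("SELF_TICKET", SELF_TICKET), ("NO_MFA", NO_MFA),
                      ("RISKY", RISKY), ("MEDIUM_RISK", MEDIUM_RISK)]:
        for mode in Mode:
            d = evaluate(req, TICKETS, mode)
            print(f"{name:12} {mode.value:9} -> {d.outcome.value:11} ({d.recommended_action}) {d.reasons or d.flags}")
```

Running it shows the distinction the page draws: the same request that is Denied under a Decide profile only ever surfaces as Recommended (with a "deny" suggestion) under a Recommend profile, and a medium-risk user with three contextual flags is approved with the flags attached while a critical-risk user with the same flags is denied.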
Configuring Iris Authorization
Iris Authorization must first be enabled, then configured with a service user, a profile (which gives the service user its approval-logic instructions), and a Secret Server workflow (workflows can involve multiple approvers, including humans and non-humans).
You can create multiple service users, each with their own workflow, but each service user should have only one profile.
Enable Iris Authorization
- Navigate to the Iris Authorization page.
- Select Edit.
- Change the State switch to Enabled.
- Accept the AI usage agreement.
Create a service user
- Navigate to the Users page.
- Expand the More dropdown list and select the Add service user option. The Add service user pane opens.
- Complete the mandatory fields and select Next. The Add service user to groups pane appears.
- Assign the service user to a group with roles that have administrator-level Platform permissions. (It is a best practice to keep your service users in a distinct Platform group from real users; the Check Permissions step on the profile reports which permissions the service user is still missing.)
Create a Profile with Authorization Instruction
- From the Iris Authorization page, select the Profiles tab.
- Select Add profile. The Profile pane appears.
- Choose a name for the profile.
- Select Recommend or Decide.
- Choose an option from the Authorization instruction dropdown. The full instruction appears in the field below it.
- You may edit the instruction text to guide how Iris Authorization will review access requests. Iris Authorization comes with three customizable prompt templates that define how access requests should be evaluated:
  • Check Creator: verifies that the user submitting the access request is not the same user who created the referenced ticket (e.g., in Zendesk). This prevents users from creating their own tickets to justify access.
  • Check Location: checks whether the requester's location is unusual or inconsistent with expected behavior.
  • Ignore Ticket: skips validation of the reference ticket and does not use it as part of the access decision.
- Choose a previously-created service user from the Username dropdown.
- Paste the service user’s password in the Password field.
- Select Save.
- Select Check Permissions.
- If a “Permissions check failed” notice appears, select Show details to see which permissions must be granted to the service user. See Platform Permissions.
Assign the Service User to a Workflow
Once the Profile is created and the service user has sufficient permissions, the service user must be assigned to a workflow. You may add it to an existing workflow, or create a new one.
NOTE: If you want the service user to “Recommend” only, do not place it in the final step of the workflow, since a positive recommendation there actually approves access.
See Accessing the Workflow Designer in Secret Server for workflow creation and editing.
Integrating with your eTicket System
Integration with Zendesk or ServiceNow supplies Iris Authorization with ticket context (e.g., confirming that a database bug-fix ticket exists for the request).
NOTE: If you do not use a ticket system, you must edit the authorization instructions in the profile to remove mention of tickets (for example, by starting from the Ignore Ticket template).
Zendesk Integration
To connect to Zendesk from the Delinea Platform:
- Navigate to the Add Connector page.
- Select Zendesk and enter the following:
  - Display Name
  - Base Address
  - API Key
  - Email (API user)
- Click Save.
ServiceNow Integration
To connect to ServiceNow from the Delinea Platform:
- Navigate to the Add Connector page.
- Select ServiceNow and enter the following:
  - Display Name
  - Base Address
  - API Key
  - Email (API user)
- Click Save.
Viewing Access Requests
To view access requests handled by Iris Authorization, navigate to the Access Requests page. (NOTE: this is not the same as the Secret Access Requests page)
The columns show:
- request details
- the Iris Authorization profile used
- the outcome: Approved, Denied, or Recommended (if the profile is in Recommend mode)
To view additional data about a specific access request, click its row in the table. Data include:
- requestor account
- date and time
- requestor comment
- Iris Authorization’s reasoning for its recommendation or decision
The final column, Feedback, lets you rate Iris Authorization’s decisions.
- Thumbs up – Indicates the decision was appropriate
- Flag – Indicates the decision or its reasoning was incorrect or needs improvement
This feedback is collected by our AI operations backend to continuously improve Iris Authorization’s accuracy.
Validating your Configuration
Delinea strongly suggests testing each new profile in a variety of scenarios with low-risk secrets. Starting with a Recommend profile lets a human approver see each recommendation and its reasoning in the Inbox before you switch the profile to Decide. You may need to adjust the authorization instructions for optimal results.
Iris Authorization Safety Statement
Human-AI Oversight Requirement
Delinea Authorization powered by Iris AI (Iris Authorization) is designed to augment your skilled oversight – not to replace it. Iris Authorization can be set either to alert you or to take pre-specified actions. This automation still requires a “human on the loop” for customer oversight, audit and feedback, to ensure accuracy and to optimize results over time. AI models are probabilistic in nature, meaning they can inherently produce outputs that are inaccurate or incomplete. You and your end users bear responsibility for any decisions, recommendations, actions, or inactions that arise from utilizing Delinea Authorization powered by Iris AI.
Data Privacy and Processing
Delinea Authorization powered by Iris AI uses the Azure OpenAI service provided by Microsoft. Key data handling and privacy features include the following:
- Regional Data Hosting: Your tenant data is hosted and processed within the same region that you have selected for your cloud operation, ensuring compliance with regional data handling regulations. Any feedback that you send to Delinea ("debugging data") can be stored in other regions (see Data Included in Feedback to Delinea below).
  Due to local data hosting requirements, Iris AI (Delinea Authorization Powered by Iris AI and Delinea Auditing Powered by Iris AI) is not available in the United Arab Emirates.
- Data Deletion After Processing: When Azure OpenAI finishes processing data from a Delinea Platform access request, the data is immediately deleted from Azure and not retained by Microsoft. This ensures that evaluation data is handled securely and transiently.
- No AI Training with Customer Data: Delinea Authorization powered by Iris AI does not and will not use customer recordings or data to train AI models unless we obtain your specific prior written authorization to do so.
- Data Included in Feedback to Delinea: When a user flags an Iris Authorization recommendation or decision, the specific data involved (their feedback explanation, the original access request, and the contextual risk data for that request) will become visible to Delinea engineers for troubleshooting analysis and resolution only.
Enabling the AI Agreement
In addition to enabling the Delinea Authorization powered by Iris AI capability, you must approve the AI Agreement before Iris Authorization can begin reviewing access requests.
To enable Iris Authorization for the first time:
- From the left navigation, select Settings > Iris AI > Authorization.
- Toggle the Iris Authorization State to Enabled.
- Review and approve the Delinea AI Agreement.