Managing Third-Party Contractors and Vendors
Organizations can use membership types in the Delinea Platform to assign each user either the limited Vendor User entitlements or the full-featured IT User entitlements in Secret Server. The following table shows the differences between the two entitlement types.
Delinea Platform users are automatically granted IT User entitlements unless their membership type is explicitly set to “Vendor”.
Capability | Vendor User | IT User |
---|---|---|
View secrets | ✔ (password values are hidden) | ✔ |
Launch secrets | ✔ (via PRA) | ✔ |
Request access to secrets | ✔ | ✔ |
Approve access to secrets | | ✔ |
Share secrets | | ✔ |
Create and manage secret and folder lifecycle | | ✔ |
View secret and user audit logs for owned secrets | | ✔ |
Use Connection Manager to log in to Secret Server | | ✔ |
Use the Secret Server SDK and API | | ✔ |
Configure security features for a secret | | ✔ |
Configure password rotation | | ✔ |
All administrative functions in Secret Server | | ✔ |
Create/manage integrations, workflows, pipelines, Discovery, Sites, Distributed Engines, HA/DR, etc. | | ✔ |
Customers who have purchased PRA concurrent user licenses are entitled to Vendor User capabilities out of the box. Learn more about PRA Entitlements and Licenses.
Entitlements are enforced independently of RBAC: a Vendor User who is granted Secret Server role permissions for one of the IT User actions above still cannot perform it, because the membership type gates the capability before role permissions are considered.
Prerequisites
If you are using Secret Server On-Premise with the Delinea Platform, see Manually Integrate Secret Server On Premise for the currently supported version.
Local Users
Customers can use their Delinea Platform local directory to onboard third-party users who need short-term access. Customers can also use the local directory when they do not want to add third-party users to their own identity sources. For details, see Adding a Local User Account.
Bulk Import of Vendors
Delinea Platform provides a bulk import capability for organizations that deal with large numbers of third-party users and need an efficient way to manage access to Secret Server entitlements. To use bulk import, you prepare a file with user data, format it according to the system's requirements, and upload it.
For more detailed information about importing vendors in bulk, see Bulk Import Local Users.
Active Directory
Tenant administrators can manage third-party vendor entitlements through Active Directory. For more information, see Managing Third-Party Vendor Entitlements When Using Active Directory.
Federated Vendors
Tenant administrators must create a custom attribute in the identity provider (IdP) and map it to the PlatformUserMembershipType claim in the Delinea Platform. The claim value for each user must be either Vendor or Employee. Because users without an explicit Vendor value receive IT User entitlements, confirm that the IdP actually releases the attribute, with the exact value Vendor, for every third-party account; a missing or misspelled value leaves the vendor with full IT User capabilities.
For more information about managing third parties from a federated identity source using SAML or OIDC, see Federation.
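The following is an added pre-flight check, not Delinea's code or part of the original page. It parses constructed SAML assertions, reads the IdP attribute that is mapped to PlatformUserMembershipType, and reports which membership type each subject would receive, flagging the failure modes that matter here: the attribute is absent (the user falls back to IT User), the value is not exactly Vendor or Employee, or several values are sent. The IdP attribute name `memberType`, the sample subjects, and the assumption that only the two documented spellings are accepted are all assumptions made for the example.

```python
"""Check what PlatformUserMembershipType each federated user would get.

Added example (not Delinea code). The IdP attribute name 'memberType' is
hypothetical; use whatever attribute you mapped to the
PlatformUserMembershipType claim. Sample assertions are constructed below.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DOCUMENTED_VALUES = {"Vendor", "Employee"}   # the two values the page documents
IDP_ATTRIBUTE = "memberType"                 # hypothetical IdP attribute name


def membership_from_assertion(assertion_xml: str, attr_name: str = IDP_ATTRIBUTE) -> dict:
    """Return {'name_id', 'membership', 'issues'} for one SAML assertion.

    'membership' is 'Employee' when the attribute is absent (the documented
    default is IT User), the attribute value when it is exactly 'Vendor' or
    'Employee', and None when the value is ambiguous or undocumented.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    values = [
        (val.text or "").strip()
        for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS)
        if attr.get("Name") == attr_name
        for val in attr.iterfind("saml:AttributeValue", SAML_NS)
    ]
    result = {"name_id": name_id, "membership": None, "issues": []}
    if not values:
        # Fails open toward privilege: a missing claim yields the IT User default.
        result["membership"] = "Employee"
        result["issues"].append("claim absent: defaults to IT User entitlements")
    elif len(values) > 1:
        result["issues"].append(f"multiple values {values}: mapping is ambiguous")
    elif values[0] in DOCUMENTED_VALUES:
        result["membership"] = values[0]
    else:
        # e.g. 'vendor' or 'Contractor': not a documented value, so the user is
        # not reliably restricted; treat it as a configuration error.
        result["issues"].append(f"undocumented value {values[0]!r}")
    return result


def audit(assertions: list, expected_vendors: set) -> list:
    """Compare what the IdP asserts with who should be a Vendor User."""
    problems = []
    for xml in assertions:
        r = membership_from_assertion(xml)
        for issue in r["issues"]:
            problems.append(f"{r['name_id']}: {issue}")
        if r["name_id"] in expected_vendors and r["membership"] != "Vendor":
            problems.append(f"{r['name_id']}: expected Vendor, would get {r['membership']}")
    return problems


def sample_assertion(name_id: str, *values: str, attr_name: str = IDP_ATTRIBUTE) -> str:
    """Constructed minimal assertion for testing; not a real IdP response."""
    attrs = ""
    if values:
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        attrs = (f'<saml:AttributeStatement><saml:Attribute Name="{attr_name}">'
                 f"{vals}</saml:Attribute></saml:AttributeStatement>")
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            f"{attrs}</saml:Assertion>")


# Constructed sample data: four third parties and one employee.
SAMPLES = [
    sample_assertion("alice@vendor.example", "Vendor"),
    sample_assertion("bob@corp.example", "Employee"),
    sample_assertion("carol@vendor.example"),                 # attribute never released
    sample_assertion("dave@vendor.example", "vendor"),        # wrong spelling
    sample_assertion("erin@vendor.example", "Vendor", "Employee"),  # two values
]
EXPECTED_VENDORS = {
    "alice@vendor.example", "carol@vendor.example",
    "dave@vendor.example", "erin@vendor.example",
}

if __name__ == "__main__":
    for problem in audit(SAMPLES, EXPECTED_VENDORS):
        print(problem)
```

Run it against assertions captured from your IdP's test tenant (or its attribute-release preview) before cutting vendors over to federation; only alice and bob pass cleanly in the constructed sample, and carol is the dangerous case because nothing errors at login time, she simply arrives as an IT User.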