Unlimited Vault Access
Overview
Unlimited vault access (UVA) is a feature designed to allow an administrator access to all secrets and folders in their Secret Server instance without explicit permission. This can be used when a company has an emergency in which access to a secret is needed and no users with permission to it are available. Alternatively, it can be used when company policy requires administrators to have access to all information in the system.
A user with unlimited vault access in Secret Server has extensive capabilities, including access to all secrets and folders even without explicit permission. Here are some of the key capabilities and associated risks:
Capabilities and Risks
UVA is a double-edged sword and must be carefully managed:
Capabilities
Users with UVA have:
- Complete Control: Access to all administrative features without restriction.
- Access to All Secrets: Access to all secrets and folders.
- Audit and Reporting: UVA users can generate and view over 90 out-of-the-box reports to monitor privileged access and ensure proper password hygiene.
- Break-the-Glass Capability: This feature is part of the disaster recovery capabilities, allowing emergency access to secrets in critical situations.
- Secret Checkout Override: UVA users can access secrets even when they are checked out by another user, ensuring accountability and traceability of secret usage.
- Bypass SAML: Users with the UVA role will effectively inherit the bypass SAML role permission and be able to bypass the SAML login process.
Risks and Mitigation
Risks
UVA exposes Secret Server to:
- Potential for Abuse: With the ability to access all secrets, there is a risk that a user with UVA could misuse their privileges, intentionally or accidentally.
- Security Gaps: Without proper monitoring and auditing, the extensive access granted to a UVA user could be exploited by bad actors if the administrator's credentials are compromised.
- Insider Threats: A UVA user could potentially become an insider threat if they decide to act maliciously or if their account is taken over by an external attacker.
Mitigation
To mitigate these risks, it is crucial to have robust monitoring, auditing, and alerting mechanisms in place. Secret Server provides features such as automatic email alerts for UVA access, detailed audit trails, and the ability to require dual control for certain actions to enhance security.
A user with the UVA role permission can view and edit all secrets in the system, regardless of Delinea permissions, but only while UVA is enabled in the configuration settings. The UVA role permission itself does not allow the user to enable UVA; enabling it requires the "administer configuration unlimited vault access" role permission. This provides dual control, ensuring no single user can enable UVA mode. Note that this safeguard is defeated if both role permissions are assigned to the same user.
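The dual-control property above only holds if nobody carries both role permissions at once. The following added example (not Delinea's code) audits a constructed export of role assignments for that separation-of-duties violation and reports who can read every secret while UVA is enabled; the permission names and the mapping structure are assumptions based on the wording of this page.

```python
# Added example, not part of Secret Server: check role assignments for the
# separation of duties that makes UVA dual control meaningful.
# Assumed: each user maps to a set of role permission names, and the two
# permission names match the wording used on this page.

UVA_PERMISSION = "unlimited vault access"
ADMINISTER_UVA_PERMISSION = "administer configuration unlimited vault access"


def dual_control_violations(user_permissions):
    """Users holding both permissions: they alone could enable UVA mode
    and then read every secret, so dual control is defeated for them."""
    return sorted(
        user for user, perms in user_permissions.items()
        if UVA_PERMISSION in perms and ADMINISTER_UVA_PERMISSION in perms
    )


def exposure_report(user_permissions, uva_enabled):
    """Summarise who can currently read all secrets (UVA holders, only while
    UVA mode is enabled), who can flip the switch, and who can do both."""
    uva_holders = sorted(u for u, p in user_permissions.items()
                         if UVA_PERMISSION in p)
    can_enable = sorted(u for u, p in user_permissions.items()
                        if ADMINISTER_UVA_PERMISSION in p)
    return {
        "uva_enabled": uva_enabled,
        "can_read_all_secrets_now": uva_holders if uva_enabled else [],
        "uva_holders": uva_holders,
        "can_enable_uva": can_enable,
        "dual_control_violations": dual_control_violations(user_permissions),
    }


# Constructed sample data, not taken from any real instance.
SAMPLE = {
    "alice": {UVA_PERMISSION, "view reports"},
    "bob": {ADMINISTER_UVA_PERMISSION},
    "carol": {UVA_PERMISSION, ADMINISTER_UVA_PERMISSION},  # violates dual control
    "dave": {"view reports"},
}

if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE, uva_enabled=False).items():
        print(f"{key}: {value}")
```

Run it against a real permission export to confirm the violations list is empty before relying on the dual-control safeguard.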
Enabling UVA Mode
- Ensure you have the "administer configuration unlimited vault access" role permission.
- Navigate to Admin > Unlimited admin. The Unlimited Vault Access page appears.
- Click the Edit button.
- Select the Enable unlimited vault access checkbox.
- If prompted, add the details in the Enter any additional notes or explanations for the configuration switch field.
- Click Save.