Sharing Secrets

This topic applies to Secret Server On-Premises, standalone Secret Server Cloud, and Delinea Platform.

Sharing passwords is an everyday need for information technology teams. Because the information being shared is sensitive, Secret Server tracks and guards every shared password: each grant is recorded, and what a recipient can see is governed by the permission level, role permissions, and security policy described below.

Permissions

There are four permission levels to choose from when sharing secrets with another user or group, listed here from least to most privileged:

  • List: the user may see the secret in a list, such as a list returned by running a search, but cannot view any other details about the secret or edit it.
  • View: the user may see all secret data, such as username and password, as well as metadata, such as permissions, auditing, history, and security settings.
  • Edit: the user may view and edit the secret data. This also allows the user to move the secret to another folder unless the Inherit Permissions from Folder setting is turned on, in which case Owner permission is required to move the secret.
  • Owner: the user may change all of the secret's data and metadata, including its permissions.

Even with View permission, the password text-entry field is not shown if the secret has a launcher and the Hide Launcher Password setting is on, or if the user does not hold the View Launcher Password role permission. Edit and Owner permission reveal the password regardless of those two settings. See the table below for the full set of combinations.

Secrets can be shared with either groups or individual users. The secret's Sharing tab is where that access is configured.

Password Visibility

Password visibility in the password text field depends on the secret access permission, the View Launcher Password role permission, and the Hide Launcher Password secret policy setting. The following table shows every combination and whether the password is visible.

Table: Password Visibility Determinants

Secret Access   View Launcher Password   Hide Launcher Password   Password
Permission      Role Permission          Policy Setting           Visible
------------------------------------------------------------------------------
Owner           No                       On                       Yes
Owner           Yes                      On                       Yes
Owner           Yes                      Off                      Yes
Owner           No                       Off                      Yes
Edit            Yes                      On                       Yes
Edit            No                       On                       Yes
Edit            Yes                      Off                      Yes
Edit            No                       Off                      Yes
View            Yes                      On                       No
View            No                       On                       No
View            No                       Off                      No
View            Yes                      Off                      Yes
List            Yes                      On                       No
List            No                       On                       No
List            Yes                      Off                      No
List            No                       Off                      No

In short: Owner and Edit always reveal the password; List never does; View reveals it only when the user holds the View Launcher Password role permission and Hide Launcher Password is off.
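The table above reduces to a single rule, and the practical question it answers is "who, among the principals a secret is shared with, can actually read the password?". The following Python is an added example, not code from the page or from Delinea: it encodes the rule as a predicate, checks that predicate against every row of the table, and applies it to a constructed list of grants. The Grant record, the sample principal names, and the minimum_access_to_reveal helper are assumptions made for illustration.

```python
"""Password-visibility rule from the Secret Server sharing table.

Added example: encodes the 'Password Visibility Determinants' table as one
predicate, verifies it against every row, and uses it to audit who can read
a password given a secret's grants and its Hide Launcher Password setting.
"""
from __future__ import annotations

from typing import Iterable, List, NamedTuple, Tuple

# Secret access permission levels, weakest to strongest.
ACCESS_LEVELS = ("List", "View", "Edit", "Owner")


def password_visible(access: str, has_view_launcher_role: bool,
                     hide_launcher_password: bool) -> bool:
    """True if the password text field is revealed to the user.

    access: secret access permission (List / View / Edit / Owner)
    has_view_launcher_role: user holds the View Launcher Password role permission
    hide_launcher_password: the secret's Hide Launcher Password policy setting is on
    """
    if access not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level: {access!r}")
    if access in ("Owner", "Edit"):
        return True          # neither setting restricts Edit or Owner
    if access == "View":
        return has_view_launcher_role and not hide_launcher_password
    return False             # List never reveals secret data


# Every row of the page's table, transcribed as
# (access, role permission held, hide setting on, password visible).
TABLE_ROWS: List[Tuple[str, bool, bool, bool]] = [
    ("Owner", False, True, True), ("Owner", True, True, True),
    ("Owner", True, False, True), ("Owner", False, False, True),
    ("Edit", True, True, True), ("Edit", False, True, True),
    ("Edit", True, False, True), ("Edit", False, False, True),
    ("View", True, True, False), ("View", False, True, False),
    ("View", False, False, False), ("View", True, False, True),
    ("List", True, True, False), ("List", False, True, False),
    ("List", True, False, False), ("List", False, False, False),
]


def rule_matches_table(rows=TABLE_ROWS) -> bool:
    """Check the predicate reproduces all 16 rows of the page's table."""
    return all(password_visible(a, r, h) == v for a, r, h, v in rows)


class Grant(NamedTuple):
    """One entry in a secret's 'Shared with' list (assumed shape, for illustration)."""
    principal: str            # user or group name
    access: str               # List / View / Edit / Owner
    has_view_launcher_role: bool


def who_can_reveal(grants: Iterable[Grant], hide_launcher_password: bool) -> List[str]:
    """Principals able to read the password under the given policy setting."""
    return sorted(g.principal for g in grants
                  if password_visible(g.access, g.has_view_launcher_role,
                                      hide_launcher_password))


def minimum_access_to_reveal(has_view_launcher_role: bool,
                             hide_launcher_password: bool) -> str:
    """Weakest permission level that still reveals the password (assumed helper).

    Useful for least privilege: if View already reveals it, granting Edit
    hands out modify rights the recipient does not need.
    """
    for level in ACCESS_LEVELS:
        if password_visible(level, has_view_launcher_role, hide_launcher_password):
            return level
    raise AssertionError("Owner always reveals the password")


# Constructed sample grants, not taken from the page.
SAMPLE_GRANTS = [
    Grant("alice", "Owner", True),
    Grant("bob", "Edit", False),
    Grant("carol", "View", True),
    Grant("dave", "View", False),
    Grant("Helpdesk", "List", True),
]

if __name__ == "__main__":
    assert rule_matches_table()
    for hide in (True, False):
        print(f"Hide Launcher Password={'On' if hide else 'Off'}:",
              who_can_reveal(SAMPLE_GRANTS, hide))
```

Note what the audit makes visible: turning Hide Launcher Password on removes carol (View) from the list but leaves bob (Edit) on it, because the setting only restricts View-level access. If the intent is that a recipient launches sessions without ever seeing the password, the grant must be View, not Edit.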

Procedure

To simplify the sharing process, new secrets automatically inherit the permissions of the folder they are stored in: the Inherit Permissions from Folder checkbox on the Sharing Edit page is enabled by default. While it is enabled, the secret carries all of the parent folder's sharing settings and you cannot set permissions on the secret itself. Deselect this option to add or remove the users and groups you wish to share the secret with. For more on folder security, see the Folders section.

If Secret Server is integrated with Delinea Platform, your account is not restricted by teams, and you hold either the Administer Platform Integration or the Add from External Directory role permission, the Add from External Directory toggle appears on the Sharing Edit page. Enable it to search the directories connected through Delinea Platform and add users or groups that do not yet exist in Secret Server while assigning secret permissions.

To add or remove secret sharing:

  1. View the secret you want to share. The secret's page appears on the Overview tab.

  2. Click the Sharing tab.

  3. Click the Edit link. The page becomes editable.

  4. Ensure the Inherit Permissions from Folder checkbox is deselected so that the secret's permissions can be edited.

  5. (Optional) If you need a user or group that does not yet exist in Secret Server, enable the Add from External Directory toggle. The Member Type and External Directory Source filter dropdowns appear.

  6. Change the Scope dropdown setting to All to view all users and groups, assigned and unassigned alike.

  7. Click the Member Type dropdown list to limit the scope of your search.

  8. Click the External Directory Source dropdown list to limit the search to one directory.

  9. In the search text box, type the name of the user or group (or a keyword from it) that you want to add to, or remove from, the secret's assigned list.

  10. When the user or group appears in the dropdown list, select it and grant it one of the four permission levels (List, View, Edit, or Owner). The user or group appears in the Shared with list on the Sharing tab.

  11. Click Save to apply all pending changes, or click Cancel to discard them.

  12. Repeat the process for additional users or groups.

You can also change or remove the permission level of users or groups that already appear in the Shared with list. If a user or group is not displayed, it does not have access to the secret through direct sharing.

The Add from External Directory toggle searches all identity sources configured in Delinea Platform and creates the selected users and groups in Secret Server so that they can be granted secret permissions.
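Teams that script this procedure usually drive it through the Secret Server REST API rather than the Sharing tab. The Python below is an added example, not Delinea's code or a sample from this page, and it rests on two assumptions that the page does not confirm: that POST /api/v1/secret-permissions accepts a JSON body with secretId, secretAccessRoleName, and exactly one of userId or groupId, and that GET /api/v1/secrets/{id} returns a model whose enableInheritPermissions field mirrors the Inherit Permissions from Folder checkbox. The function refuses to add a grant while the secret still inherits permissions, which is the same precondition as step 4 above. HTTP goes through an injectable callable so the example runs offline against a fake; the base URL, IDs, and bearer token are placeholders.

```python
"""Grant a user or group a permission on a secret through the REST API,
mirroring the Sharing tab procedure.

Added example. Assumed endpoints (not confirmed by the page):
  GET  {base}/api/v1/secrets/{id}          -> model with enableInheritPermissions
  POST {base}/api/v1/secret-permissions    -> body: secretId, secretAccessRoleName,
                                              and exactly one of userId / groupId
"""
from __future__ import annotations

import json
from typing import Callable, Dict, List, Optional, Tuple

ACCESS_LEVELS = ("List", "View", "Edit", "Owner")

# (method, url, json body or None) -> decoded JSON response
HttpCall = Callable[[str, str, Optional[dict]], dict]


class InheritedPermissionsError(RuntimeError):
    """The secret still inherits permissions from its folder (step 4 not done)."""


def build_permission_payload(secret_id: int, access: str, *,
                             user_id: Optional[int] = None,
                             group_id: Optional[int] = None) -> dict:
    """Validate inputs and build the assumed POST body for one grant."""
    if access not in ACCESS_LEVELS:
        raise ValueError(f"access must be one of {ACCESS_LEVELS}, got {access!r}")
    if (user_id is None) == (group_id is None):
        raise ValueError("specify exactly one of user_id or group_id")
    payload = {"secretId": secret_id, "secretAccessRoleName": access}
    if user_id is not None:
        payload["userId"] = user_id
    else:
        payload["groupId"] = group_id
    return payload


def share_secret(http: HttpCall, base_url: str, secret_id: int, access: str, *,
                 user_id: Optional[int] = None,
                 group_id: Optional[int] = None) -> dict:
    """Add one grant to a secret, refusing if it still inherits folder permissions."""
    secret = http("GET", f"{base_url}/api/v1/secrets/{secret_id}", None)
    # Default to True so a missing field fails closed rather than granting.
    if secret.get("enableInheritPermissions", True):
        raise InheritedPermissionsError(
            f"secret {secret_id} inherits permissions from its folder; "
            "clear Inherit Permissions from Folder on the Sharing tab first")
    payload = build_permission_payload(secret_id, access,
                                       user_id=user_id, group_id=group_id)
    return http("POST", f"{base_url}/api/v1/secret-permissions", payload)


def make_fake_http(secrets: Dict[int, dict]) -> Tuple[HttpCall, List[tuple]]:
    """Offline stand-in for the API: answers GETs from a dict, records every call."""
    calls: List[tuple] = []

    def http(method: str, url: str, body: Optional[dict]) -> dict:
        calls.append((method, url, body))
        if method == "GET":
            return secrets[int(url.rsplit("/", 1)[1])]
        return {"id": 1000 + len(calls), **(body or {})}  # echo like a created grant

    return http, calls


def urllib_http(token: str) -> HttpCall:
    """Real transport using only the standard library; token is a bearer token."""
    import urllib.request

    def http(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    return http


if __name__ == "__main__":
    # Constructed data: secret 42 has inheritance cleared, 43 does not.
    fake, calls = make_fake_http({42: {"id": 42, "enableInheritPermissions": False},
                                  43: {"id": 43, "enableInheritPermissions": True}})
    print(share_secret(fake, "https://secretserver.example", 42, "View", group_id=7))
    try:
        share_secret(fake, "https://secretserver.example", 43, "Edit", user_id=5)
    except InheritedPermissionsError as exc:
        print("refused:", exc)
```

To use it against a live instance, pass urllib_http(token) instead of the fake, where the token comes from the instance's OAuth2 token endpoint. Granting View rather than Edit wherever the recipient only needs to read or launch keeps the grant within the least privilege the visibility table allows.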

Troubleshooting

If a user cannot see any users or groups to share secrets with, despite having been granted the necessary permissions, first check that their permissions have not been customized outside the built-in roles. Then check whether the user belongs to a Secret Server Team: a team member needs the Unrestricted By Teams permission to see users and groups outside their team. See User Teams for further details.