Sharing Secrets
Sharing passwords is crucial for information technology teams. Due to the sensitive nature of sharing secure information, Secret Server ensures shared passwords are tracked and guarded.
Permissions
There are four permission levels to choose from when sharing secrets with another user or group:
- View: the user may see all secret data, such as username and password, as well as metadata, such as permissions, auditing, history, and security settings.
- Edit: the user may edit the secret data. This also allows users to move the secret to another folder unless the Inherit Permissions from Folder setting is turned on, in which case the user needs Owner permissions to move the secret.
- List: the user may see the secret in a list, such as a list returned by running a search, but won't be able to view any other details about the secret nor edit it.
- Owner: the user may change all of the secret's metadata.
Secrets can be shared with either groups or individual users. The secret's Sharing section is where this access is configured.
Password Visibility
Password visibility in the password text-field depends on secret access permission, role permissions, and secret security policy settings. The following table shows the possible combinations and their password visibility result.
Table: Password Visibility Determinants
| Secret Access Permission | View Launcher Password Role Permission | Hide Launcher Password Policy Setting | Password Visible |
|---|---|---|---|
| Owner | No | On | Yes |
| Owner | Yes | On | Yes |
| Owner | Yes | Off | Yes |
| Owner | No | Off | Yes |
| Edit | Yes | On | Yes |
| Edit | No | On | Yes |
| Edit | Yes | Off | Yes |
| Edit | No | Off | Yes |
| View | Yes | On | No |
| View | No | On | No |
| View | No | Off | No |
| View | Yes | Off | Yes |
| List | Yes | On | No |
| List | No | On | No |
| List | Yes | Off | No |
| List | No | Off | No |
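The sixteen rows above collapse to a short rule: Owner and Edit always see the password, View sees it only when the role grants View Launcher Password and the secret's policy does not hide the launcher password, and List never does. The following added example (not Secret Server code; the share records, principal names and secret name are constructed) encodes that rule, checks it against every row of the table, and uses it as an access-review helper to list which principals on a secret can actually read its password.

```python
from enum import Enum


class Access(Enum):
    """The four secret access permission levels from the Permissions section."""
    LIST = "List"
    VIEW = "View"
    EDIT = "Edit"
    OWNER = "Owner"


def password_visible(access, view_launcher_password_role, hide_launcher_password_policy):
    """Return True when the password text field shows the password.

    Rule distilled from the Password Visibility Determinants table:
      - Owner and Edit always see the password.
      - View sees it only if the role grants View Launcher Password AND the
        secret policy does not have Hide Launcher Password turned on.
      - List never sees it.
    """
    if access in (Access.OWNER, Access.EDIT):
        return True
    if access is Access.VIEW:
        return view_launcher_password_role and not hide_launcher_password_policy
    return False


# Every row of the documentation table, transcribed: (access, role, policy) -> visible
TABLE_ROWS = {
    ("Owner", "No", "On"): "Yes", ("Owner", "Yes", "On"): "Yes",
    ("Owner", "Yes", "Off"): "Yes", ("Owner", "No", "Off"): "Yes",
    ("Edit", "Yes", "On"): "Yes", ("Edit", "No", "On"): "Yes",
    ("Edit", "Yes", "Off"): "Yes", ("Edit", "No", "Off"): "Yes",
    ("View", "Yes", "On"): "No", ("View", "No", "On"): "No",
    ("View", "No", "Off"): "No", ("View", "Yes", "Off"): "Yes",
    ("List", "Yes", "On"): "No", ("List", "No", "On"): "No",
    ("List", "Yes", "Off"): "No", ("List", "No", "Off"): "No",
}


def table_mismatches():
    """Rows where the rule disagrees with the table; an empty list means the rule is faithful."""
    bad = []
    for (access, role, policy), expected in TABLE_ROWS.items():
        got = password_visible(Access(access), role == "Yes", policy == "On")
        if got != (expected == "Yes"):
            bad.append((access, role, policy))
    return bad


# Constructed sample: one secret whose policy hides the launcher password, and its shares.
SAMPLE_SECRET = {"name": "example-db-admin", "hide_launcher_password": True}
SAMPLE_SHARES = [
    {"principal": "alice", "access": "Owner", "view_launcher_password_role": False},
    {"principal": "bob", "access": "Edit", "view_launcher_password_role": False},
    {"principal": "carol", "access": "View", "view_launcher_password_role": True},
    {"principal": "helpdesk-group", "access": "List", "view_launcher_password_role": True},
]


def who_can_read_password(secret, shares):
    """Access-review helper: sorted principals for whom the password field is visible."""
    return sorted(
        share["principal"]
        for share in shares
        if password_visible(
            Access(share["access"]),
            share["view_launcher_password_role"],
            secret["hide_launcher_password"],
        )
    )


if __name__ == "__main__":
    print("rule matches table:", not table_mismatches())
    print("can read password (policy On):", who_can_read_password(SAMPLE_SECRET, SAMPLE_SHARES))
    relaxed = dict(SAMPLE_SECRET, hide_launcher_password=False)
    print("can read password (policy Off):", who_can_read_password(relaxed, SAMPLE_SHARES))
```

Running the script shows carol (View plus the role permission) only gains password visibility when the Hide Launcher Password policy is turned off, while the List-only group never does; that is the distinction an access review should flag when the question is who can read a credential rather than who can see that it exists.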
Procedure
To simplify the sharing process, new secrets automatically inherit the settings from the folder they are stored in. That is, we enable the Inherit Permissions from Folder check-box on the Sharing Edit page by default, so secrets inherit all the parent folders' sharing settings. As long as this check box is selected, you cannot set the permissions for the secret, so you must deselect this option to add or remove users/groups you wish to share the secret with. For more on folder security, see the Folders section.
To add or remove secret sharing, do the following:
- View the secret you want to share.
- Click the Sharing tab.
- Click the Edit link. The page becomes editable. Make sure the Inherit Permissions from Folder check box is deselected so that editing is possible.
- Change the Scope dropdown setting to All to view all users and groups, assigned and unassigned alike.
- Type a user name, group name, or a keyword from the title into the search text box to find the user or group you want to add to, or remove from, the secret's assigned list.
- When the user or group appears in the dropdown list, select it, grant it one of the four permissions, and click Save. The user or group then appears in the Shared with list on the Sharing tab. Clicking Cancel discards any pending changes; clicking Save applies them.
- Repeat the process for additional users or groups.
You can also modify sharing settings for users or groups that already have sharing enabled for the secret. If a user or group is not displayed, they do not have access to the secret.
Troubleshooting
When a user cannot see users/groups to share secrets with, despite having been granted all necessary permissions, ensure you haven't customized their permissions outside of the built-in roles. Verify whether the user is part of a Secret Server Team; if so, they need the Unrestricted By Teams permission to view users/groups. See User Teams for further details.