Sharing Secrets
Sharing passwords is crucial for information technology teams. Due to the sensitive nature of sharing secure information, Secret Server ensures shared passwords are tracked and guarded.
Permissions
There are four permission levels to choose from when sharing secrets with another user or group:
- View: the user may see all secret data, such as username and password, as well as metadata, such as permissions, auditing, history, and security settings.
- Edit: the user may edit the secret data. This also allows users to move the secret to another folder unless the Inherit Permissions from Folder setting is turned on, in which case the user needs Owner permissions to move the secret.
- List: the user may see the secret in a list, such as a list returned by running a search, but won't be able to view any other details about the secret nor edit it.
- Owner: the user may change all of the secret's metadata.
Secrets can be shared with either groups or individual users. The Sharing section of a secret is where this access is configured.
Password Visibility
Password visibility in the password text-field depends on secret access permission, role permissions, and secret security policy settings. The following table shows the possible combinations and their password visibility result.
Table: Password Visibility Determinants
| Secret Access Permission | View Launcher Password Role Permission | Hide Launcher Password Policy Setting | Password Visible |
|---|---|---|---|
| Owner | No | On | Yes |
| Owner | Yes | On | Yes |
| Owner | Yes | Off | Yes |
| Owner | No | Off | Yes |
| Edit | Yes | On | Yes |
| Edit | No | On | Yes |
| Edit | Yes | Off | Yes |
| Edit | No | Off | Yes |
| View | Yes | On | No |
| View | No | On | No |
| View | No | Off | No |
| View | Yes | Off | Yes |
| List | Yes | On | No |
| List | No | On | No |
| List | Yes | Off | No |
| List | No | Off | No |
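To make the table's rule checkable, here is an added Python example (not Delinea's code; the sharing list it reads is constructed) that condenses the 16 rows into a single function, verifies that the function reproduces every row, and then goes one step further than the table by listing which principals on a secret's sharing list could reveal the password under each policy setting.

```python
def password_visible(access: str, view_launcher_password: bool, hide_launcher_password: bool) -> bool:
    """True if the password text field shows the value for this principal.
    access: permission on the secret (Owner/Edit/View/List); view_launcher_password: the
    principal's role has View Launcher Password; hide_launcher_password: the secret's policy
    has Hide Launcher Password turned on. This is the table condensed: Owner and Edit always
    see it, List never does, View only with the role permission granted and the policy off."""
    if access in ("Owner", "Edit"):
        return True
    if access == "View":
        return view_launcher_password and not hide_launcher_password
    if access == "List":
        return False
    raise ValueError(f"unknown access permission: {access!r}")

# The 16 rows of the page's table: (access, role permission, policy on) -> visible.
PAGE_TABLE = {
    ("Owner", False, True): True,  ("Owner", True, True): True,
    ("Owner", True, False): True,  ("Owner", False, False): True,
    ("Edit", True, True): True,    ("Edit", False, True): True,
    ("Edit", True, False): True,   ("Edit", False, False): True,
    ("View", True, True): False,   ("View", False, True): False,
    ("View", False, False): False, ("View", True, False): True,
    ("List", True, True): False,   ("List", False, True): False,
    ("List", True, False): False,  ("List", False, False): False,
}

def rule_matches_table() -> bool:
    """Check the condensed rule against every row of the page's table."""
    return all(password_visible(a, r, p) == v for (a, r, p), v in PAGE_TABLE.items())

# Constructed sharing list for one secret: principal -> (access permission, role has View Launcher Password).
SHARING = {
    "alice": ("Owner", False),
    "bob": ("Edit", False),
    "carol": ("View", True),
    "dave": ("View", False),
    "helpdesk": ("List", True),
}

def who_can_reveal(sharing: dict, hide_launcher_password: bool) -> list:
    """Principals on the sharing list who can see the password under the given policy setting."""
    return sorted(name for name, (access, role_perm) in sharing.items()
                  if password_visible(access, role_perm, hide_launcher_password))

if __name__ == "__main__":
    print("rule matches table:", rule_matches_table())
    print("policy on :", who_can_reveal(SHARING, hide_launcher_password=True))
    print("policy off:", who_can_reveal(SHARING, hide_launcher_password=False))
```

Running this over a real sharing export is a quick way to review who could reveal a secret's password before and after turning the Hide Launcher Password policy on.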
Procedure
To add or remove secret sharing:
- View the secret you want to share. The secret's page appears on the Overview tab.
- Click the Sharing tab.
- Click the Edit link. The page becomes editable.
- Ensure the Inherit permissions checkbox is deselected so that editing is possible.
- Enable the Add from External Directory toggle. The Member Type and External Directory Source filter dropdowns appear.
- Change the Scope dropdown setting to All to view all users and groups, assigned and unassigned alike.
- Click the Member Type dropdown list to limit the scope of your search.
- Click the Directory Source dropdown list to limit the scope of your search.
- In the search text box, type the name of the user or group (or a keyword from its title) that you want to add to, or remove from, the secret's assigned list.
- When the user or group appears in the dropdown list, select it, grant it one of the four permissions, and Save. The user or group appears in the Shared with list in the Sharing tab automatically.
- Click Save to apply all pending changes, or click Cancel to reverse any changes.
- Repeat the process for additional users or groups.
You can also modify sharing settings for users or groups that already have sharing enabled for the secret. If a user or group is not displayed, they do not have access to the secret.
Troubleshooting
When a user cannot see users/groups to share secrets with, despite having been granted all necessary permissions, ensure you haven't customized their permissions outside of the built-in roles. Verify whether the user is part of a Secret Server Team; if so, they need the Unrestricted By Teams permission to view users/groups. See User Teams for further details.