Terminology

Throughout this topic, certain terms are used to refer to specific features or concepts within Secret Server. Some of these terms correspond to explicit roles defined within Secret Server that may be referenced, while others are broader terms that system administrators should be familiar with.

Administrator

Access to all the features within Secret Server can be granted to users by creating and assigning different roles. Administrator is one of the default roles that comes installed with Secret Server. By default, this role contains all role permissions, but it can be customized as well. In this guide, when the term is used in the context of a Secret Server user, it refers to the users who generally have the most permissions and manage the system. Administrators have control over the global security and configuration settings.

Administrators in Secret Server do not automatically have access to all data stored in the system—access to data is still controlled by explicit permissions on that data.

Basic User Role

The basic user role is a default role that comes installed with Secret Server. This role is a slimmed down version of the user role and primarily focuses on creating and modifying secrets, as well as limited "view" permissions. Users that have this role assigned to them also have their own personal folder.

Folder

A folder in Secret Server provides a hierarchical structure for organizing secrets. Some folders contain no secrets at all and may be used only to set permissions or policies on subfolders. Other folders may simply be a way to organize subfolders that contain secrets. Folders are organized based on a "root" level folder structure, where "/" is the root level folder and any new folder created will be placed under that folder. Personal folders are unique: one is created for each user who has been granted the "personal folders" permission. Personal folders can contain subfolders for the owner to organize their secrets.

Role Based Access Control (RBAC)

Secret Server role based access control (RBAC) is a mechanism that restricts system access to authorized users and defines what type of access a user has within the system. Often these roles correspond to features within the product and those features may give users greater privileges to make changes within the system. RBAC is a core Secret Server feature.

Secret

A secret is any sensitive piece of information (typically a password) that you would like to manage within Secret Server. Typical secrets include (but are not limited to) privileged passwords on routers, servers, applications, and devices. Files can also be stored in secrets, which allows storage of private key files, SSL certificates, license keys, network documentation, or even a Microsoft Word or Excel document.

Site

A site is a logical work container that tells Secret Server which distributed engines should manage work associated with specific tasks. Sites are critical to ensuring that Secret Server can manage remote network segments, alternate locations, or even DMZs. By default, Secret Server comes with the "local" site. That site is unique, as it is the only site that can be configured for either "web processing" or "engine processing." When the local site is configured for web processing, the web servers themselves act as distributed engines and are responsible for all engine work processing, in addition to the web server role specific work that they may be configured for. Any additional, user-created sites may only be configured for engine processing. The local site comes with two free engines under any licensing model that may be used. Any additional sites and engines must be licensed separately and will incur additional licensing costs.

If you experience an issue with the local site while it is configured for web processing, Delinea recommends moving it to distributed engine (DE) processing for optimal performance and to correct functional problems.

User

This is the default role for new users that are added to Secret Server. By default, this role contains several permissions that enable new users to interact with Secret Server. Many of these permissions are centered around creating and modifying secrets, as well as several "view" permissions to access audit information. Additionally, access to advanced secret options, assigning secret policies, and a few other advanced permissions are assigned to this role. It also gives each user their own personal folder, which is accessible only by that individual user. Besides the owner, only the "Unlimited Vault Access" role can access these folders.

Know Your Edition

As you read through this guide, some features may be referenced that are only available in certain editions of Secret Server. To get an idea of what's available, you can reference the Secret Server On-Premises Features by Version.