Secret Server Role Permissions List

Overview

Secret Server uses role-based access control (RBAC) to regulate permissions. Roles are assigned to users or groups. A complete list of the permissions available to roles appears below.

To see the built-in roles and what permissions they possess, click the desired role link on the Admin > Roles page.

Adding a jumpbox route to a target secret: A user must have owner permissions on a secret to assign, change, or remove that secret's jump server route. Additionally, users can only pick from the routes on whose first jump server they have at least list permission.

Editing jumpbox routes: Users must have the "Administer Jumpbox Route" permission to create, edit, or deactivate jump server routes. Users with the "View Jumpbox Route" permission can view the details of all jump server routes on the Admin Jumpbox Route page, but they cannot make any changes.

Complete List

Access Offline Secrets on Mobile

Allows a user to cache their Secrets in the Secret Server mobile application for offline use. This permission does not automatically come with the Administrator role.

Add from External Directory

Allows a user to add users from an external directory. Cloud only.

Add Secret

Allows a user to create new Secrets. The Add permission no longer includes the View Secret role permission.

Add Secret Custom Audit

Allows a user to make a custom audit entry when accessing a Secret using the web services API.

Administer Active Directory

Allows a user to view domains, edit existing domains, delete domains, and add new domains. Also allows a user to force synchronization or set the synchronization interval.

Administer Automatic Export

The user can do everything the other automatic export permissions allow and edit the automatic export configuration.

Administer Backup

Allows a user to view and configure automated backups for Secret Server. Users with this role permission can change the backup path, disable backups, and set the backup schedule. On-Premises only.

Administer Configuration

Allows a user to view and edit general configuration options. For example, a user with this role permission can turn on "Force HTTPS/SSL" and disable "Allow Remember Me".

Administer Configuration Proxying

Allows a user to view and edit SSH Proxy settings.

Administer Configuration SAML

Allows a user to view and edit SAML integration settings on the Login tab of Configuration settings.

Administer Configuration Security

Formerly "Administer Security Configuration," allows a user to view and edit security configuration options in Secret Server. Currently, these include enabling FIPS compliance mode and protecting the encryption key.

Administer Configuration Session Recording

Allows a user to view and edit session recording settings on the Session Recording tab of Configuration settings.

Administer Configuration Two Factor

Allows a user to change the configuration settings of the two factor authentication that are available for users logging into Secret Server.

Administer Configuration Unlimited Admin

Formerly "Administer Unlimited Admin Configuration," allows a user to turn on Unlimited Admin Mode. When this mode is enabled, users with the "Unlimited Administrator" role permission can view and edit all Secrets in the system, regardless of permissions. Note that you can assign "Administer Unlimited Admin Configuration" to one user and "Unlimited Administrator" to another user. This would require one user to turn on the mode and another user to view and edit secrets.

Administer ConnectWise Integration

Allows a user to view and edit configuration options for synchronizing with ConnectWise. This can be accessed through the "Folder Synchronization" link on the Administration page. Note that you need at least view access on the sync folder in order to set up or edit the ConnectWise integration.

Administer Create Application Accounts

Formerly "Create Application Account", allows a user to create application user accounts to be used exclusively for accessing Secret Server via the API. This permission allows for creating user accounts without the Administer Users or Administer Create Users permissions.

Administer Create Users

Allows a user to create new local users in Secret Server, but not edit them once created.

Administer Custom Password Requirements

Allows a user to view and edit custom password requirements that can be configured under the Security tab for individual Secrets.

Administer Data Retention

Allows a user to manage audit data retention, including editing the retention settings and running retention immediately. This permission does not automatically come with the Administrator role.

Administer DevOps Secrets Vault Tenants

Allows a user to add, remove, and edit DevOps Secrets Vault (DSV) tenants that automatically synchronize with Secret Server on a schedule.

Administer Disaster Recovery

Allows a user to configure instances as data sources or replicas for Disaster Recovery. Also allows a user to initiate or test Data Replication and to view the related logs and audits.

Administer Discovery

Allows a user to view and import computers and accounts that are found by Discovery.

Administer Distributed Engine Configuration

Allows a user to update the Distributed Engine configuration.

Administer DoubleLock Keys

Allows a user to view, edit, create, and disable DoubleLock and QuantumLock keys. A DoubleLock or QuantumLock key acts as a separate encryption key to protect your most sensitive secrets. This option allows users to access and use the DoubleLocks/QuantumLocks link on the Administration page.

Administer Dual Control

Allows a user to view, edit, create, and disable Dual Control settings for reports and recorded sessions.

Administer Event Subscriptions

Allows a user to view, edit and create event subscriptions.

Administer Export

Allows a user to view the export log. Also allows users to export the Secrets to which they have access to a clear-text CSV file.

Administer Folders

Allows a user to view, edit, create, move, and delete folders. Users still need the relevant view, edit, and owner permissions on the folders to perform these tasks.

Administer Groups

Allows a user to view, edit, create, and disable groups. Also allows users to assign users to groups and remove users from groups.

Administer HSM

Allows a user to change the configuration of, or disable the use of, a Hardware Security Module (HSM). On-Premises only.

Administer Inbox

Allows a user to administer notification settings for the inbox.

Administer IP Addresses

Allows a user to create, edit, and delete IP Address Ranges. These ranges are used to restrict certain users to specific IP Addresses.

Administer Jumpbox Route

Allows a user to create, edit, or deactivate jump server routes.

Administer Key Management

Allows a user to enable, change, or disable Key Management (Secret Server Cloud only).

Administer Languages

Allows a user to change the default language of Secret Server.

Administer Licenses

Allows a user to view, edit, install, and delete licenses.

Administer Lists

Allows a user to add, remove, and modify lists and list contents in Admin > Lists.

Administer Maintenance Mode

Allows a user to run maintenance mode.

Administer Metadata

Allows a user to manage the metadata fields and sections added to secrets and users in Secret Server.

Administer Nodes

Allows a user to view and edit server nodes and clustering settings. On-Premises only.

Administer OpenID Connect

Allows a user to manage OpenID connections.

Administer Password Requirements

Allows a user to view and edit character sets and password requirements.

Administer Pipelines

Allows a user to create, edit, and remove event pipelines and event pipeline policies.

Administer Platform Integration

Allows a user to manage the Secret Server connection to the Delinea platform.

Administer Remote Password Changing

Allows a user to turn Heartbeat and Remote Password Changing on and off globally. Also allows users to create new password changers and install password changing agents on remote machines.

Administer Reports

Allows a user to view, edit, delete, and create reports. Also allows users to customize report categories.

Administer Role Assignment

Allows a user to view which users and groups are assigned to which roles. Also allows users to assign users and groups to different roles.

Administer Role Permissions

Allows a user to view, edit, create and delete roles. Also allows users to assign different permissions to each role.

Administer Scripts

Allows a user to view and edit PowerShell, SQL, and SSH scripts on the Scripts Administration page.

Administer Search Indexer

Allows a user to view and edit search indexer options. These options control how searching in Secret Server works. For example, a user with this role permission could enable search indexing, which allows users to search on fields within a secret.

Administer Secret Policy

Allows a user to create and edit Secret Policies.

Administer Secret Templates

Allows a user to view, edit, disable, and create Secret Templates.

Administer Security Analytics

Allows a user to view and edit the settings for Privilege Behavior Analytics.

Administer Session Monitoring

Allows a user to view and terminate active launcher sessions.

Administer SSH Cipher Suite

Allows a user to manipulate SSH cipher suite settings.

Administer SSH Menus

Allows a user to edit and create SSH Menus, which are used to allowlist the commands that can be run in an SSH session.

Administer System Log

Allows users to view and clear the System Log, which shows general diagnostics information for Secret Server.

Administer Teams

Users can create, delete, and view all teams.

Administer Template Custom Columns

Allows a user to enable the "Expose for Display" setting of a Secret template field to make it available for use in Dashboard custom columns.

Administer Users

Allows a user to create, disable, and edit users in the system.

This permission also allows a user to create and edit SDK/CLI rules.

Administer Workflows

Allows users to manage workflows (advanced access management).

Advanced Import

Allows a user to import Secrets from an XML file. Users with this permission can import groups, folders, site connectors, sites, and secret templates without having to create a secret. Users must have the Secret Server permissions needed for the objects listed in the XML.

Allow Access Challenge

Allows a user to be challenged by Privileged Behavior Analytics if their behavior deviates from their normal behavior and meets certain requirements set in Privileged Behavior Analytics. Administrators do not have this permission by default.

Allow List Secret Access for Assigning Policy

This permission grants the ability to assign a secret policy to a folder or secret when the user has only list access to the policy's privileged account. It applies only to the restrictions on the privileged accounts of the secret policy. Without this permission, the user must have view access on the privileged account or will be unable to assign the secret policy.

There is a security concern in assigning a policy whose privileged account the user cannot view: the policy allows an internal threat actor to create a secret under that policy and thereby gain access to resets performed by the privileged account, effectively giving them inherited access to the privileged account.

Approve via Duo Push

Allows a user to approve access requests via Duo push notifications. Administrators do not have this permission by default.

Assign Pipelines

Allows a user to assign an event pipeline policy to secret policies or folders.

Assign Secret Policy

Allows a user to assign Secret Policies to folders and secrets.

Browse Reports

The "Browse Reports" role allows access to reports restricted by permissions. Permissions are configurable at the category and report levels and share a similar inheritance model to secrets and folders. You can define users or groups with "view" or "edit" permissions for each category or report.

Users with the existing "view reports" and "edit reports" roles are not restricted by the permissions set.

Bypass Direct API Authentication Restriction

Allows users to ignore the PreventDirectApiAuthentication advanced setting and log in via the API with a non-application account.

Bypass SAML Login

Allows a user to log in with a local account without using SAML.

Copy Secret

Allows a user to copy secrets when that user also has Own Secret role permission.

Create Root Folders

Allows a user to create new folders at the root level of the folder structure.

Deactivate Secret

Allows a user to mark secrets as deactivated.

Deactivate Secrets from Reports

Allows a user to run the deactivate Secrets action from a report.

Download Automatic Export

The user can view all of the automatic export tabs and download exports from cloud storage (cloud customers only).

Edit Secret

Allows a user to edit secrets. Note that they still require the "Edit" or "Owner" permissions on the individual secrets they are editing.

Erase Secret

Allows a user to permanently erase (as opposed to deactivate, which is reversible) a secret.

Expire Secrets from Reports

Allows a user to expire Secrets listed in a report.

Force Check In

Allows a user to force a secret that is checked out by another user to be checked in.

Migrate Data to Platform

This permission will be automatically applied to roles that contain both the Administer Users and Administer Platform Integration role permissions. This permission allows a user to migrate certain information to the connected Delinea Platform instance. Without a connected Delinea Platform instance the permission has no effect.

Own Group

Allows a user to be an owner of a group. This permission is in the default Group Owner role, which is automatically assigned when that user is set as owner of a group.

Own Secret

Formerly "Share Secret", allows a user to share secrets with other users. Also allows users to perform more advanced tasks on secrets of which they are "Owners", such as configuring expiration schedules, configuring the web launcher, converting the secret template, and copying secrets (when the user also has the Copy Secret role permission).

Own User

Allows the user to become a user owner, used to configure specific users without the Administer Users permission.

Personal Folders

Allows a user to have a personal folder when the global personal folders configuration option is enabled.

Privilege Manager Administrator

Allows the user to have the "Administrator" role for Privilege Manager, giving full access to the system.

Privilege Manager Helpdesk User

Allows the user to have the "Help Desk" role for Privilege Manager, giving full access to approve or deny escalation requests.

Privilege Manager MacOS Admin

Allows the user to have the MacOS "Administrator" role for Privilege Manager, giving full access to the system.

Privilege Manager Unix/Linux Admin

Allows the user to have management permissions to Unix/Linux policies and machines.

Privilege Manager User

Allows the user to have the "User" role for Privilege Manager, giving read and write permissions to most items, but not rights to modify security permissions. Administrators do not have this permission by default.

Privilege Manager Windows Administrator

Allows the user to have the Windows "Administrator" role for Privilege Manager, giving full access to the system.

Rotate Encryption Keys

Allows a user to start a process that rotates the Secret encryption keys.

Run Automatic Export

The user can view all of the automatic export tabs and run the export manually by clicking the Run Export button.

Run Disaster Recovery Data Replication

Allows a user to initiate or test Data Replication.

Run Scripts

Allows a user to execute test runs of scripts. This separates privileges in script management: holders of the "View Scripts" role permission alone cannot execute test runs, so this permission must be assigned to perform that task.

Administer Scripts remains unchanged and allows view, edit, and run permissions.

Secret Launch

Dictates whether a user can launch a secret. Previously, a user could launch a secret if their role had the "View Secret" permission. As of Version 11.5, a user needs this permission to launch. A user also needs the "Secret Launch Remote Access (Platform)" permission to launch a remote session with RAS.

Secret Launch Remote Access (Platform)

Dictates whether or not a user can launch a secret. Previously, a user could launch a secret if their user's role had the "View Secret" permission. As of Version 11.5, a user needs this permission to launch a remote session with RAS.

Session Recording Auditor

Grants access to the session recording of a secret to a user with at least "List Access" permission on the secret. Administrators do not have this permission by default.

Users also need the "View Session Monitoring" permission to view the recordings in Secret Server.

Unlimited Administrator

Allows a user to view and edit all secrets in the system, regardless of permissions, when Unlimited Admin Mode is on. Note that another user with the "Administer Configuration Unlimited Admin" role permission would still need to turn this mode on. See Unlimited Administration Mode.
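The dependencies this list states between permissions (Copy Secret needs Own Secret, Secret Launch Remote Access (Platform) needs Secret Launch, Session Recording Auditor needs View Session Monitoring, and Migrate Data to Platform is derived from Administer Users plus Administer Platform Integration) and the two-person control behind Unlimited Admin Mode can be checked mechanically against an exported role model. The Python below is an added example, not Delinea code or a Secret Server API; the role names, the group and the user accounts are constructed sample data.

```python
"""Audit role assignments against the dependencies stated in the permissions list.
Added example; roles, users and groups below are constructed sample data."""
from typing import Dict, List, Set

# A permission that only takes effect when the same user also holds another one.
REQUIRES: Dict[str, str] = {
    "Copy Secret": "Own Secret",
    "Secret Launch Remote Access (Platform)": "Secret Launch",
    "Session Recording Auditor": "View Session Monitoring",
}

# One person switches Unlimited Admin Mode on, another gets the access; a single
# user holding both collapses that two-person control.
TOXIC_PAIRS = [("Administer Configuration Unlimited Admin", "Unlimited Administrator")]

# Applied automatically to any role that holds both listed permissions.
DERIVED: Dict[str, Set[str]] = {
    "Migrate Data to Platform": {"Administer Users", "Administer Platform Integration"},
}


def role_permissions(role: str, roles: Dict[str, Set[str]]) -> Set[str]:
    """Permissions of one role, including the automatically derived one."""
    perms = set(roles.get(role, set()))
    for derived, needed in DERIVED.items():
        if needed <= perms:
            perms.add(derived)
    return perms


def effective_permissions(user: str, model: dict) -> Set[str]:
    """Union of permissions from roles assigned directly or through groups."""
    assigned = set(model["user_roles"].get(user, ()))
    for group in model["user_groups"].get(user, ()):
        assigned.update(model["group_roles"].get(group, ()))
    perms: Set[str] = set()
    for role in assigned:
        perms |= role_permissions(role, model["roles"])
    return perms


def audit_user(user: str, model: dict) -> List[str]:
    """Dead permissions (dependency missing) and collapsed two-person controls."""
    perms = effective_permissions(user, model)
    findings = []
    for perm, needed in REQUIRES.items():
        if perm in perms and needed not in perms:
            findings.append(f"{user}: '{perm}' has no effect without '{needed}'")
    for a, b in TOXIC_PAIRS:
        if a in perms and b in perms:
            findings.append(f"{user}: holds both '{a}' and '{b}'; two-person control collapsed")
    return findings


def audit_all(model: dict) -> List[str]:
    users = set(model["user_roles"]) | set(model["user_groups"])
    return [f for user in sorted(users) for f in audit_user(user, model)]


# Constructed sample model: custom roles, one group, and users assigned to them.
SAMPLE_MODEL = {
    "roles": {
        "Break Glass Switch": {"Administer Configuration Unlimited Admin"},
        "Break Glass Reader": {"Unlimited Administrator", "View Secret"},
        "Recording Reviewer": {"Session Recording Auditor"},
        "Platform Migrator": {"Administer Users", "Administer Platform Integration"},
        "Secret User": {"View Secret", "Secret Launch", "Copy Secret", "Own Secret"},
    },
    "group_roles": {"Vault Admins": ["Break Glass Switch", "Break Glass Reader"]},
    "user_roles": {"alice": ["Break Glass Switch"], "carol": ["Recording Reviewer", "Secret User"],
                   "dave": ["Platform Migrator"]},
    "user_groups": {"dave": ["Vault Admins"]},
}
```

Running `audit_all(SAMPLE_MODEL)` flags carol's auditor permission as ineffective and dave, who reaches both halves of the Unlimited Admin pair through his group membership.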

Unrestricted by Teams

Users can view all users, groups, and sites, regardless of team affiliation. Essentially, teams do not exist for the users with this permission, and the Teams page is not available to them. The default user role has this permission.

User Audit Expire Secrets

Allows a user to view the "User Audit" report, which shows all secrets that have been accessed by a particular user in a specified date range. Also allows the user to force expiration on all these secrets, which would make Secret Server automatically change the password.

View About

Allows a user to view the "About" page from the Help menu, which links to external resources such as Technical Support and the Delinea blog.

View Active Directory

Allows a user to view, but not edit, the Active Directory settings in the system.

View Advanced Dashboard

Allows a user to view the advanced dashboard. Without this permission, users can only view the basic dashboard.

View Advanced Secret Options

Allows a user to view the Remote Password Changing, Security, and Dependency tabs on a Secret they have access to. Users must be able to successfully edit TOTP codes to view advanced secret options.

View All Session Recordings

Allows a user to view recorded sessions within Secret Server.

View Automatic Export

The user can view all of the automatic export tabs.

View Backup

Allows a user to view, but not edit, the automated backup settings. On-Premises only.

View Configuration

Allows a user to view, but not edit, general configuration settings.

View Configuration Proxying

Allows a user to view, but not edit, SSH Proxy settings.

View Configuration SAML

Allows a user to view SAML integration settings on the Login tab of Configuration settings.

View Configuration Security

Formerly "View Security Configuration," allows a user to view the security configuration of Secret Server.

View Configuration Session Recording

Allows a user to view session recording settings on the Session Recording tab of Configuration settings.

View Configuration Two Factor

Allows a user to view the configuration settings of the two factor authentication that are available for users logging into Secret Server.

View Configuration Unlimited Admin

Formerly "View Unlimited Admin Configuration," allows a user to view the Unlimited Admin Mode configuration. Also allows a user to view the Unlimited Admin Mode audit log.

View ConnectWise Integration

Allows a user to view, but not edit, the ConnectWise integration settings.

View Data Retention

Allows a user to view retained audit data. This permission does not automatically come with the Administrator role.

View DevOps Secrets Vault Tenants

Allows a user to view, but not edit, the DSV tenants set to synchronize with Secret Server.

View Disaster Recovery

Allows a user to view configuration, logs and audits for Disaster Recovery.

View Discovery

Allows a user to view, but not edit, computers and accounts that are found by Discovery.

View Distributed Engine Configuration

Allows a user to view the Distributed Engine configuration.

View DoubleLock Keys

Allows a user to view which DoubleLock or QuantumLock keys exist in the system.

View Dual Control

Allows a user to view configured Dual Control settings for reports and Secret sessions.

View Event Subscriptions

Allows a user to view event subscriptions.

View Enterprise Objects

Allows a user to view user and secret metadata.

View Export

Allows a user to view the export log of the system to see when users exported secrets. Does not allow a user to export.

View Folders

Allows a user to view, but not edit, folders in the system.

View Group Roles

Allows a user to see which groups and users are assigned to which roles. Does not allow a user to change these assignments.

View Groups

Allows a user to see which groups exist in the system. Also allows a user to see which users belong to each group.

View HSM

Allows a user to view the Hardware Security Module (HSM) configuration settings. On-Premises only.

View Inactive Secrets

Allows a user to view Secrets that have been deactivated in the system. This does not allow viewing of erased secrets, which are permanently gone.

View IP Addresses

Allows a user to view IP Address Ranges that have been created to restrict access. Does not allow a user to edit these ranges.

View Jumpbox Route

Allows a user to view the details of all jump server routes in the Admin Jumpbox Route page but not make any changes.

View Key Management

Allows a user to view the Key Management settings (Secret Server Cloud only).

View Launcher Password

Allows a user to unmask the password on the view screen of secrets with a launcher. Typically, this includes Web Passwords, Active Directory accounts, Local Windows accounts, and Linux accounts.

View Licenses

Allows a user to view, but not edit, the licenses in the system.

View Lists

Allows a user to view lists and list contents in Admin > Lists.

View Nodes

Allows a user to view, but not edit, the Secret Server web server nodes. On-Premises only.

View OpenID Connect

Allows a user to view OpenID Connect integration settings on the Login tab of Configuration settings. This replaces the Delinea One equivalent.

View Own Session Recordings

Restricts a user to viewing only the recordings that user initiated. If a user with this permission clicks a recording initiated and owned by another user, they get an Access Denied window.

View Password Requirements

Allows a user to view character sets and password requirements.

View Pipelines

Allows a user to view event pipeline policies and policy activities.

View Platform Integration

Allows a user to view the Secret Server connection to the Delinea platform.

View Remote Password Changing

Allows a user to view, but not edit, Heartbeat and Remote Password Changing settings.

View Reports

Allows a user to view, but not edit, reports. See "Browse Reports."

View Roles

Allows a user to view roles in the system. Also allows a user to see which groups are assigned to which roles.

View Scripts

Allows a user to view PowerShell, SQL, and SSH scripts on the Scripts Administration page.

View Search Indexer

Allows a user to view, but not edit, search indexer settings.

View Secret

Allows a user to only view which Secrets exist in the system.

Prior to version 11.4, this controlled whether a user could launch a secret. For launching, it has been superseded by Secret Launch and Secret Launch Remote Access (Platform).

View Secret Audit

Allows a user to view Secret Audit.

View Secret Password and Private Key History

Allows a user to see the history of passwords, private keys, or passphrases in both old and new UI.

View Secret Policy

Allows a user to view, but not edit, Secret Policies.

View Secret Templates

Allows a user to view, but not edit, Secret Templates.

View Security Analytics

Allows a user to view, but not edit, settings for Privilege Behavior Analytics.

View Security Hardening Report

Allows a user to view the Security Hardening Report.

View Session Monitoring

Allows a user to view active launcher sessions.

View Session Recording Audit

Allows a user to view audits of recorded sessions.

View SSH Menus

Allows a user to view existing SSH Menus, which are used to allowlist the commands that can be run in an SSH session.

View SSH Cipher Suite

Allows a user to view SSH cipher suite settings.

View System Log

Allows a user to only view the System Log, which shows general diagnostics information for Secret Server.

View Teams

Users can view all teams. This is essentially a read-only version of Administer Teams.

View User Audit Report

Allows a user to view, but not edit, the User Audit Report.

View Users

Allows a user to view which users exist in the system.

View Workflows

Allows a user to view, but not edit, the workflows used for multi-tier secret-access approvals and secret erase requests.

Web Services Impersonate

Allows a user to send an approval request to act as another user within their organization when accessing Secret Server programmatically. Administrators do not have this permission by default.