Secret Server Role Permissions List
Overview
Secret Server uses role-based access control (RBAC) to regulate permissions. The roles are assigned to users or groups. A complete list of the permissions available to roles appears below:
Adding a jumpbox route to a target secret: A user must have owner permissions on a secret to assign, change, or remove that secret’s jump server route. Additionally, users are only able to pick from a list of routes where they have at least list permission on the first jump route server. Editing Jumpbox Routes: Users must have the “Administer Jumpbox Route” permission to create, edit, or deactivate jump server routes. Users with the “View Jumpbox Route” permission can view the details of all jump server routes in the Admin Jumpbox Route page, but they cannot make any changes.
Complete List
Access Offline Secrets on Mobile
Allows a user to cache their Secrets in the Secret Server mobile application for offline use. This permission does not automatically come with the Administrator role.
Add from External Directory
Add users from external directory. Cloud only.
Add Secret
Allows a user to create new Secrets. The Add permission no longer include the role permission View Secret.
Add Secret Custom Audit
Allows a user to make a custom audit entry when accessing a Secret using the web services API.
Administer Active Directory
Allows a user to view domains, edit existing domains, delete domains, and add new domains. Also allows a user to force synchronization or set the synchronization interval.
Administer Automatic Export
The user can do everything the other automatic export permissions allow and edit the automatic export configuration.
Administer Backup
Allows a user to view and configure automated backups for Secret Server. Users with this role permission can change the backup path, disable backups, and set the backup schedule. On-Premises only.
Administer Configuration
Allows a user to view and edit general configuration options. For example, a user with this role permission can turn on "Force HTTPS/SSL" and disable "Allow Remember Me".
Administer Configuration Proxying
Allows a user to view and edit SSH Proxy settings.
Administer Configuration SAML
Allows a user to view and edit SAML integration settings on the Login tab of Configuration settings.
Administer Configuration Security
Formerly "Administer Security Configuration," allows a user to view and edit security configuration options in Secret Server. Currently, these include enabling FIPS compliance mode and protecting the encryption key.
Administer Configuration Session Recording
Allows a user to view and edit session recording settings on the Session Recording tab of Configuration settings.
Administer Configuration Two Factor
Allows a user to change the configuration settings of the two factor authentication that are available for users logging into Secret Server.
Administer Configuration Unlimited Admin
Formerly "Administer Unlimited Admin Configuration," allows a user to turn on Unlimited Admin Mode. When this mode is enabled, users with the "Unlimited Administrator" role permission can view and edit all Secrets in the system, regardless of permissions. Note that you can assign "Administer Unlimited Admin Configuration" to one user and "Unlimited Administrator" to another user. This would require one user to turn on the mode and another user to view and edit secrets.
Administer ConnectWise Integration
Allows a user to view and edit configuration options for synchronizing with ConnectWise. This can be accessed through the "Folder Synchronization" link on the Administration page. Note that you need at least view access on the sync folder in order to set up or edit the ConnectWise integration.
Administer Create Application Accounts
Formerly "Create Application Account", allows a user to create application user accounts to be used exclusively for accessing Secret Server via the API. This permission allows for creating user accounts without the Administer Users or Administer Create Users permissions.
Administer Create Users
Allows a user to create new local users in Secret Server, but not edit them once created.
Administer Custom Password Requirements
Allows a user to view and edit custom password requirements that can be configured under the Security tab for individual Secrets.
Administer Data Retention
Can manage audit data retention, such as editing and running now. This permission does not automatically come with the Administrator role.
Administer DevOps Secrets Vault Tenants
Add, remove, and edit DSV tenants that automatically synchronize with Secret Server on a schedule.
Administer Disaster Recovery
Allows a user to configure instances as data sources or replicas for Disaster Recovery. Also allows user to initiate or test Data Replication and view related logs and audits.
Administer Discovery
Allows a user to view and import computers and accounts that are found by Discovery.
Administer Distributed Engine Configuration
Allows a user to update the Distributed Engine configuration.
Administer DoubleLock Keys
Allows a user to view, edit, create, and disable DoubleLock and QuantumLock keys. A DoubleLock or QuantumLock key acts as a separate encryption key to protect your most sensitive secrets. This option allows users to access and use the DoubleLocks/QuantumLocks link on the Administration page.
Administer Dual Control
Allows a user to view, edit, create, and disable Dual Control settings for reports and recorded sessions.
Administer Event Subscriptions
Allows a user to view, edit and create event subscriptions.
Administer Export
Allows a user to view the export log. Also allows users to export Secrets to which they have access to a clear text, CSV file.
Administer Folders
Allows a user to view, edit, create, move, and delete folders. Users still need the relevant view, edit, and owner permissions on the folders to perform these tasks.
Administer Groups
Allows a user to view, edit, create, and disable groups. Also allows users to assign users to groups and remove users from groups.
Administer HSM
Allows a user to change configuration or disable the use of a Hardware Security Module (HSM). On-Premise only.
Administer Inbox
Administer notification settings for the inbox.
Administer IP Addresses
Allows a user to create, edit, and delete IP Address Ranges. These ranges are used to restrict certain users to specific IP Addresses.
Administer Jumpbox Route
Allows a user to create, edit, or deactivate jump server routes.
Administer Key Management
Allows a user to enable, change, or disable the Key Management ( Secret Server Cloud only).
Administer Languages
Allows a user to change the default language of Secret Server.
Administer Licenses
Allows a user to view, edit, install, and delete licenses.
Administer Lists
Allows a user to add, remove, and modify lists and list contents in Admin > Lists.
Administer Maintenance Mode
Allows a user to run maintenance mode.
Administer Metadata
Manage metadata fields and sections added to secrets and users in Secret Server.
Administer Nodes
Allows a user to view and edit server nodes and clustering settings. On-Premise only.
Administer OpenID Connect
Allows a user to manage OpenID connections.
Administer Password Requirements
Allows a user to view and edit character sets and password requirements.
Administer Pipelines
Allows a user to create, edit, and remove event pipelines and event pipeline policies.
Administer Platform Integration
Allows a user to manage the Secret Server connection to the Delinea platform.
Administer Remote Password Changing
Allows a user to turn Heartbeat and Remote Password Changing on and off globally. Also allows users to create new password changers and install password changing agents on remote machines.
Administer Reports
Allows a user to view, edit, delete, and create reports. Also allows users to customize report categories.
Administer Role Assignment
Allows a user to view which users and groups are assigned to which roles. Also allows users to assign users and groups to different roles.
Administer Role Permissions
Allows a user to view, edit, create and delete roles. Also allows users to assign different permissions to each role.
Administer Scripts
Allows a user to view and edit PowerShell, SQL, and SSH scripts on the Scripts Administration page.
Administer Search Indexer
Allows a user to view and edit search indexer options. These options control how searching in Secret Server works. For example, a user with this role permission could enable search indexing, which allows users to search on fields within a secret.
Administer Secret Policy
Allows a user to create and edit Secret Policies.'
Administer Secret Templates
Allows a user to view, edit, disable, and create Secret Templates.
Administer Security Analytics
Allows a user to view and edit the settings for Privilege Behavior Analytics.
Administer Session Monitoring
Allows a user to view and terminate active launcher sessions.
Administer SSH Cipher Suite
Allows a user to manipulate SSH cipher suite settings.
Administer SSH Menus
Allows a user to edit and create SSH Menus, used in allowlisting commands that can be used on a SSH session.
Administer System Log
Allows users to view and clear the System Log, which shows general diagnostics information for Secret Server.
Administer Teams
Users can create, delete, and view all teams.
Administer Template Custom Columns
Allows a user to enable the "Expose for Display" setting of a Secret template field to make it available for use in Dashboard custom columns.
Administer Users
Allows a user to create, disable, and edit users in the system.
Administer Workflows
Allows users to manage workflows (advanced access management).
Advanced Import
Allows a user to import Secrets from an XML file. Users with the this permission can import groups, folders, site connectors, sites, and secret templates, without having to create a secret. Users must have the Secret Server permissions needed for the objects listed in the XML.
Allow Access Challenge
Allows a user be challenged by Privileged Behavior Analytics if their behavior deviates from their normal behavior and meets certain requirements set by Privileged Behavior Analytics. Administrators do not have this permission by default.
Allow List Secret Access for Assigning Policy
This permission grants ability to assign a secret policy to a folder or secret if the user only has list access to the privileged account. This permission only applies to restrictions on the privileged accounts of the secret policy. Without this permission, the user must have view access on the privileged account or will be unable to assign the secret policy.
Approve via Duo Push
Allow a user to approve access requests via Duo push notifications. Administrators do not have this permission by default.
Assign Pipelines
Allows the user to assign an event pipeline policy to secret policies, or folders.
Assign Secret Policy
Allows a user to assign Secret Policies to folders and secrets.
Browse Reports
The "Browse Reports" role allows access to reports restricted by permissions. Permissions are configurable at the category and report levels and share a similar inheritance model to secrets and folders. You can define users or groups with "view" or "edit" permissions for each category or report.
Bypass Direct API Authentication Restriction
Allows users to ignore the PreventDirectApiAuthentication advanced setting and log in via the API with a non-application account.
Bypass SAML Login
Allows a user to login with local account without using SAML.
Copy Secret
Allows a user to copy secrets when that user also has Own Secret role permission.
Create Root Folders
Allows a user to create new folders at the root level of the folder structure.
Deactivate Secret
Allows a user to mark secrets as deactivated.
Deactivate Secrets from Reports
Allows a user to run the deactivate Secrets action from a report.
Download Automatic Export
The user can view all of the automatic export tabs and download exports from cloud storage (cloud customers only).
Edit Secret
Allows a user to edit secrets. Note that they still require the "Edit" or "Owner" permissions on the individual secrets they are editing.
Erase Secret
Allows a user to permanently erase (as opposed to deactivate, which is reversible) a secret.
Expire Secrets from Reports
Allows a user to expire Secrets listed in a report.'
Force Check In
Allows a user to force a secret that is checked out by another user to be checked in.
Migrate Data to Platform
This permission will be automatically applied to roles that contain both the Administer Users and Administer Platform Integration role permissions. This permission allows a user to migrate certain information to the connected Delinea Platform instance. Without a connected Delinea Platform instance the permission has no effect.
Own Group
Allows a user to be an owner of a group. This permission is in the default Group Owner role, which is automatically assigned when that user is set as owner of a group.
Own Secret
Formerly "Share Secret", allows a user to share secrets with other users. Also allows users to perform more advanced tasks on secrets of which they are "Owners", such as configuring expiration schedules, configuring the web launcher, converting secret template, and copying secrets (when a user also have the Copy Secret role permission.)
Own User
Allows the user to become a user owner, used to configure specific users without the Administer Users permission.
Personal Folders
Allows a user to have personal folder when the global personal folders configuration options is enabled.
Privilege Manager Administrator
Allows the user to have the "Administrator" role for Privilege Manager, giving full access to the system.
Privilege Manager Helpdesk User
Allows the user to have the "Help Desk" role for Privilege Manager, giving full access to approve or deny escalation requests.
Privilege Manager MacOS Admin
Allows the user to have the MacOS "Administrator" role for Privilege Manager, giving full access to the system.
Privilege Manager Unix/Linux Admin
Allows the user to have management permissions to Unix/Linux policies and machines.
Privilege Manager User
Allows the user to have the "User" role for Privilege Manager, giving read and write permissions to most items, but not rights to modify security permissions. Administrators do not have this permission by default.
Privilege Manager Windows Administrator
Allows the user to have the Windows "Administrator" role for Privilege Manager, giving full access to the system.
Rotate Encryption Keys
Allows a user to start a process that rotates the Secret encryption keys.
Run Automatic Export
The user can view all of the automatic export tabs and run the export manually by clicking the Run Export button.
Run Disaster Recovery Data Replication
Allows user to initiate or test Data Replication.
Run Scripts
Separates privileges in script management. Holders of the "View Scripts" role permission cannot execute test runs of scripts, and this permission must be assigned to perform this task.
Administer Scripts remains unchanged and allows view, edit, and run permissions.
Secret Launch
Dictates whether or not a user can launch a secret. Previously, a user could launch a secret if their user's role had the "View Secret" permission. As of Version 11.5, a user needs this permission to launch. A user will also need the "Secret Launch Remote Access (Platform)" permission to be able to launch a Remote Session with (RAS)
Secret Launch Remote Access (Platform)
Dictates whether or not a user can launch a secret. Previously, a user could launch a secret if their user's role had the "View Secret" permission. As of Version 11.5, a user needs this permission to launch a remote session with RAS.
Session Recording Auditor
Grants access to the session recording of a secret to a user with at least "List Access" permission on the secret. Administrators do not have this permission by default.
Unlimited Administrator
Allows a user to view and edit all secrets in the system, regardless of permissions, when Unlimited Admin Mode is on. Note that another user with the "Administer Configuration Unlimited Admin" role permission would still need to turn this mode on. See Unlimited Administration Mode.
Unrestricted by Teams
Users can view all users, groups, and sites, regardless of team affiliation. Essentially, teams do not exist for the users with this permission, and the Teams page is not available to them. The default user role has this permission.
User Audit Expire Secrets
Allows a user to view the "User Audit" report, which shows all secrets that have been accessed by a particular user in a specified date range. Also allows the user to force expiration on all these secrets, which would make Secret Server automatically change the password.
View About
Allows a user to view the "About" page from the Help menu, which links to external resources such as Technical Support and the Delinea blog.
View Active Directory
Allows a user to view, but not edit, the Active Directory settings in the system.
View Advanced Dashboard
Allows a user to view advanced dashboard. Without this permission, users will only be able to view basic dashboard.
View Advanced Secret Options
Allows a user to view the Remote Password Changing, Security, and Dependency tabs on a Secret they have access to. Users must be able to successfully edit TOTP codes to view advanced secret options.
View All Session Recordings
Allows a user to view recorded sessions within Secret Server.
View Automatic Export
The user can view all of the automatic export tabs.
View Backup
Allows a user to view, but not edit, the automated backup settings. On-Premises only.
View Configuration
Allows a user to view, but not edit, general configuration settings.
View Configuration Proxying
Allows a user to view, but not edit, SSH Proxy settings.
View Configuration SAML
Allows a user to view SAML integration settings on the Login tab of Configuration settings.
View Configuration Security
Formerly "View Security Configuration," allows a user to view the security configuration of Secret Server.
View Configuration Session Recording
Allows a user to view session recording settings on the Session Recording tab of Configuration settings.
View Configuration Two Factor
Allows a user to view the configuration settings of the two factor authentication that are available for users logging into Secret Server.
View Configuration Unlimited Admin
Formerly "View Unlimited Admin Configuration," allows a user to view the Unlimited Admin Mode configuration. Also allows a user to view the Unlimited Admin Mode audit log.
View ConnectWise Integration
Allows a user to view, but not edit, the ConnectWise integration settings.
View Data Retention
Can view retained audit data. This permission does not automatically come with the Administrator role.
View DevOps Secrets Vault Tenants
View (not edit) the DSV tenants set to synchronize with Secret Server.
View Disaster Recovery
Allows a user to view configuration, logs and audits for Disaster Recovery.
View Discovery
Allows a user to view, but not edit, computers and accounts that are found by Discovery.
View Distributed Engine Configuration
Allows a user to view the Distributed Engine configuration.
View DoubleLock Keys
Allows a user to view which DoubleLock or QuantumLock keys exist in the system.
View Dual Control
Allows a user to view configured Dual Control settings for reports and Secret sessions.
View Event Subscriptions
Allows a user to view event subscriptions.
View Enterprise Objects
Allows a user to view user and secret metadata.
View Export
Allows a user to view the export log of the system to see when users exported secrets. Does not allow a user to export.
View Folders
Allows a user to view, but not edit, folders in the system.
View Group Roles
Allows a user to see which groups and users are assigned to which roles. Does not allow a user to change these assignments.
View Groups
Allows a user to see which groups exist in the system. Also allows a user to see which users belong to each group.
View HSM
Allows a user to view the Hardware Security Module (HSM) configuration settings. On-premises only.
View Inactive Secrets
Allows a user to view Secrets that have been deactivated in the system. This does not allow viewing of erased secrets, which are permanently gone.
View IP Addresses
Allows a user to view IP Address Ranges that have been created to restrict access. Does not allow a user to edit these ranges.
View Jumpbox Route
Allows a user to view the details of all jump server routes in the Admin Jumpbox Route page but not make any changes.
View Key Management
Allows a user to view the Key Management settings ( Secret Server Cloud only).
View Launcher Password
Allows a user to unmask the password on the view screen of secrets with a launcher. Typically, this includes Web Passwords, Active Directory accounts, Local Windows accounts, and Linux accounts.
View Licenses
Allows a user to view, but not edit, the licenses in the system.
View Lists
View lists and list contents in Admin > Lists.
View Nodes
Allows a user to view, but not edit, the Secret Server web server nodes. On-premises only.
View OpenID Connect
View OpenID Connect integration settings in the Configuration Login tab. This replaces the Delinea One equivalent.
View Own Session Recordings
Restricts a user to only viewing the recordings that user initiated. If the user with this permission clicks on a recording initiated and owned by another user, he or she will get an Access Denied window.
View Password Requirements
Allows a user to view character sets and password requirements.
View Pipelines
Allows a user to view event pipeline policies and policy activities.
View Platform Integration
Allows a user to view the Secret Server connection to the Delinea platform.
View Remote Password Changing
Allows a user to view, but not edit, Heartbeat and Remote Password Changing settings.
View Reports
Allows a user to view, but not edit, reports. See "Browse Reports."
View Roles
Allows a user to view roles in the system. Also allows a user to see which groups are assigned to which roles.
View Scripts
Allows a user to view PowerShell, SQL, and SSH scripts on the Scripts Administration page.
View Search Indexer
Allows a user to view, but not edit, search indexer settings.
View Secret
Allows a user to only view which Secrets exist in the system.
Prior to version 11.4, this controlled if a user could launch a secret. It has been supplanted with Secret Launch and Secret Launch Remote Access (Platform) for launching.
View Secret Audit
Allows a user to view Secret Audit.
View Secret Password and Private Key History
Allows a user to see the history of passwords, private keys, or passphrases in both old and new UI.
View Secret Policy
Allows a user to view, but not edit, Secret Policies.
View Secret Templates
Allows a user to view, but not edit, Secret Templates.
View Security Analytics
Allows a user to view, but not edit, settings for Privilege Behavior Analytics.
View Security Hardening Report
Allows a user to view the Security Hardening Report.
View Session Monitoring
Allows a user to view active launcher sessions.
View Session Recording Audit
Allow a user to view audits of recorded sessions.
View SSH Menus
Allows a user to view existing SSH Menus, used in allow-listing commands that can be used on a SSH session.
View SSH Cipher Suite
Allows a user to view SSH cipher suite settings.
View System Log
Allows a user to only view the System Log, which shows general diagnostics information for Secret Server.
View Teams
Users can view all teams. This is essentially a read-only Administer Teams.
View User Audit Report
Allows a user to view, but not edit, the User Audit Report.
View Users
Allows a user to view which users exist in the system.
View Workflows
View (not edit) workflows used for multi-tier secret-access approvals and secret erase requests.
Web Services Impersonate
Allows a user to send an approval request to act as another user within their organization when accessing Secret Server programmatically. Administrators do not have this permission by default.