Overview of Users, Roles, User Groups, and User Teams

Users

Users in Secret Server represent individual people, each with a unique username and other attributes. Users are assigned to groups, and roles are assigned to them either directly or via groups. This setup allows for granular control over what each user can access and perform within the system.

Roles and Role Permissions

Roles

Secret Server uses a role-based access control (RBAC) mechanism to regulate system access. Each user and group must be assigned to a role. Secret Server ships with three default roles: Administrator, User, and Read-Only User. Each role contains various permissions to match the job function of the user. Roles can be customized by assigning multiple permissions to a role, which can then be assigned to a user or group.

The Unlimited Administrator permission allows the user to have unlimited administrator rights when Unlimited Administrator is enabled in the configuration. By default, it is disabled.
To see the built-in roles and what permissions they possess, click the desired role link on the Admin > Roles page.

Role Permissions

Role permissions in Secret Server are granular and can be assigned to roles to control what actions users can perform. Some examples of role permissions include:

  • View Active Directory: Allows a user to view, but not edit, Active Directory settings.
  • View Configuration: Allows a user to view, but not edit, general configuration settings.
  • View Secret: Allows a user to view which secrets exist in the system.
  • Administer Teams: Allows a user to create, edit, and view all teams.
For a comprehensive list of role permissions, visit the Secret Server Role Permissions List.

User Groups

User groups in Secret Server allow administrators to manage users collectively. Users can belong to different groups and inherit the sharing permissions and roles attributed to those groups. This simplifies the management of permissions and roles that can be assigned to a user. Groups can also be synchronized with Active Directory to further streamline management.

For a comparison of user groups and teams, see User Teams Overview.

User Teams

User teams in Secret Server are special groups created to restrict what users can see. A team bundles users and groups to assign them the same rules regarding visibility of other users and sites. This is particularly useful for managed service providers or large companies that need to isolate users by department or customer.

Team-related permissions include:

  • Administer Teams: Users can create, edit, and view all teams.
  • Unrestricted by Teams: Users can view all users, groups, and sites, regardless of team affiliation.
  • View Teams: Users can view all teams.
For a more in-depth overview, including a comparison of user groups and teams, see User Teams Overview.