User Teams Overview

Purpose of User Teams

With Secret Server teams, administrators can create special groups, called teams, that restrict what users can see. A team bundles users and groups and gives them the same rules about which other users and sites are visible to them. For example, a managed service provider could prevent each customer from seeing other customers' user accounts, or a large company could "firewall" its users by department. Site visibility can also be restricted by teams.

Teams are designed for shared secrets and do not apply to Secret Server administration as a whole.
Users without any team-related permissions are subject to team restrictions. The Unrestricted by Teams permission must be present to remove those restrictions. That is why the User role comes with that permission by default. See Team-Related Permissions.
Team restrictions are designed for regular users, so granting additional administrative permissions can override them. This applies to group owners: a user who is assigned as a group owner can see all users when assigning members.

Team-Related Permissions

Team visibility and management are controlled by user roles. Those roles, and by extension users, are governed by the following team-related role permissions:

  • Administer Teams: Users can create, edit, and view all teams.
  • No Teams-related Permissions: Users can only view other users within their team.
  • Unrestricted by Teams: Users can view all users, groups, and sites, regardless of Team affiliation. Essentially, teams do not exist for the users with this permission, and the Teams page is not available to them. The default user role has this permission.
  • View Teams: Users can view all teams. This is essentially a read-only Administer Teams.
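The following added example (not Delinea's code and not a Secret Server API) models the rules stated above to find team members whose restriction is not actually in effect, either because one of their roles still grants Unrestricted by Teams or because they own a group. The role names "Restricted User" and "Team Auditor", the users, teams and group are constructed sample data, and team membership is assumed to be already expanded from groups to individual users.

```python
# Added example: a simplified model of the team rules described on this page.
# It does not call Secret Server; all data below is constructed for illustration.
UNRESTRICTED = "Unrestricted by Teams"


def team_restriction_gaps(role_perms, user_roles, teams, group_owners):
    """Return {user: [reasons]} for team members whose team restriction
    is removed or weakened by the rules the page states."""
    gaps = {}
    members = sorted({u for users in teams.values() for u in users})
    for user in members:
        reasons = []
        # Rule 1: any role carrying Unrestricted by Teams removes the restriction.
        for role in sorted(user_roles.get(user, ())):
            if UNRESTRICTED in role_perms.get(role, ()):
                reasons.append(f"role '{role}' grants {UNRESTRICTED}")
        # Rule 2: a group owner can see all users when assigning members.
        owned = sorted(g for g, owners in group_owners.items() if user in owners)
        if owned:
            reasons.append("group owner of " + ", ".join(owned)
                           + " (sees all users when assigning members)")
        if reasons:
            gaps[user] = reasons
    return gaps


# Constructed sample data (hypothetical roles, users, teams and group).
ROLE_PERMS = {
    "User": {UNRESTRICTED},        # default role keeps the permission
    "Restricted User": set(),      # hypothetical role with no team permissions
    "Team Auditor": {"View Teams"},
}
USER_ROLES = {
    "alice": {"Restricted User"},
    "bob": {"User"},               # added to a team but never moved off "User"
    "carol": {"Restricted User"},
    "dave": {"Restricted User", "Team Auditor"},
}
TEAMS = {"Customer A": {"alice", "bob"}, "Customer B": {"carol", "dave"}}
GROUP_OWNERS = {"Customer B Admins": {"carol"}}

if __name__ == "__main__":
    found = team_restriction_gaps(ROLE_PERMS, USER_ROLES, TEAMS, GROUP_OWNERS)
    for user, reasons in found.items():
        print(user, "->", "; ".join(reasons))
```

An empty result means every team member is subject to team restrictions under these two rules; other administrative permissions that can override teams are not modelled.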

User Teams Versus User Groups

User teams and user groups in Secret Server serve different purposes and offer distinct functions. Here is a detailed comparison to highlight their differences and why user teams cannot be fully replaced by user groups and vice versa:

User Groups

  • Purpose: User groups are primarily used to manage users collectively and simplify the assignment of permissions and roles.

  • Functionality:

    • Users can belong to multiple groups.
    • Groups can be synchronized with Active Directory.
    • Permissions and roles assigned to a group are inherited by all users within that group.
  • Use Case: Ideal for managing permissions and roles for a set of users who need similar access rights and capabilities within Secret Server.

User Teams

  • Purpose: User teams are designed to restrict what users can see, which is particularly useful for isolating the visibility of users and sites.

  • Functionality:

    • Teams bundle users and groups to assign them the same visibility rules.
    • Teams can restrict site visibility, ensuring that users in one team cannot see users or sites assigned to another team.
    • Team-related permissions control visibility and management of teams.
  • Use Case: Ideal for scenarios where visibility needs to be restricted, such as isolating departments within a large company or separating customers in a managed service provider setup.

Key Differences

Visibility Control

  • User Groups: Primarily manage permissions and roles but do not inherently restrict visibility of other users or sites.
  • User Teams: Specifically designed to control and restrict visibility of users and sites, ensuring isolation between different teams.

Granularity

  • User Groups: Focus on collective management of permissions and roles.
  • User Teams: Focus on visibility restrictions, which can be more granular and specific to organizational needs.

Use Case Suitability

  • User Groups: Suitable for managing access rights and permissions across users who need similar capabilities.
  • User Teams: Suitable for scenarios requiring strict visibility controls and isolation between different sets of users.

Conclusion

While user groups are effective for managing permissions and roles, they do not offer the same level of visibility control as user teams. User teams provide a more granular approach to restricting what users can see, which is essential for certain organizational structures and security requirements.