RBAC grants permissions based on pre-defined job roles. Users are assigned to roles; roles carry permissions. This is the foundational model inside Delinea Secret Server.
How RBAC Works
Access decisions are based solely on the role(s) a user holds. A role bundles a set of permissions, such as View Secret, Edit Secret or Own Secret. Permissions never attach directly to users; a user gains a permission only by holding a role that carries it.
Secret Server Roles
Secret Server ships with built-in roles (Administrator, User, Read Only) and lets administrators create custom roles. Roles are assigned to users, or to groups whose members inherit them, and they determine which secret operations and administrative functions a user may perform at all. Which secrets those operations apply to is governed separately by folder and secret permissions.
Implementing RBAC in Secret Server
- Navigate to Admin > Roles: in the Secret Server admin console, go to Admin > Configuration > Roles. This is the central page for role management.
- Create or select a role: click Create Role and name it by job function (e.g., "Network Ops", "DB Admins"). Avoid broad names like "Power User" in production; a specific name states what the role is for and reduces role sprawl.
- Assign permissions to the role: check only the permissions that function requires. Secret-level permissions (View, Edit, Own) are separate from administrative permissions (such as creating users or managing roles), so a role for operators who handle secrets need not carry any administrative permission.
- Assign users to the role: go to Admin > Users, select a user and add the role on the Roles tab. A user can hold multiple roles; the effective permission set is the union of all assigned roles, so review that combined set rather than each role on its own.
- Grant access to secret folders: in the Secrets folder tree, open a folder's Security tab and grant the user, or preferably a group, the folder permission they need (View, Edit or Owner). Role permissions set the ceiling on what a user may do anywhere in Secret Server; folder and secret permissions set the scope of which secrets that applies to. Both must allow an operation before Secret Server permits it.
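The role-plus-folder chain described in the steps above can be modelled in a few lines. The following Python is an added example, not Delinea code: it treats role permissions as the ceiling and folder grants as the scope, and lets you check a decision for sample users. The role names, the folder ACL and the four users are constructed for the example, and the folder levels are simplified to View, Edit and Owner.

```python
from dataclasses import dataclass, field

# Role permissions. The role names and the subset of permissions are constructed
# for this example; Secret Server's real permission list is much longer.
ROLE_PERMISSIONS = {
    "Administrator": {"View Secret", "Edit Secret", "Own Secret",
                      "Administer Users", "Administer Roles"},
    "Read Only": {"View Secret"},
    "Network Ops": {"View Secret", "Edit Secret"},  # custom role from step 2
}

# Folder permission levels, lowest to highest; each level implies the ones below it.
# Simplified for the example: Secret Server also has a List level, omitted here.
FOLDER_LEVELS = ["View", "Edit", "Owner"]

# For each secret action: the role permission it needs and the folder level it needs.
ACTION_REQUIREMENTS = {
    "view": ("View Secret", "View"),
    "edit": ("Edit Secret", "Edit"),
    "share": ("Own Secret", "Owner"),
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)  # groups the user belongs to


def effective_role_permissions(user):
    """Step 4: a user holding several roles gets the union of their permissions."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def folder_level(user, folder_acl):
    """Highest folder level granted to the user directly or through any of their groups.
    folder_acl maps a principal (user or group name) to a level; None if nothing is granted."""
    principals = {user.name} | user.groups
    granted = [folder_acl[p] for p in principals if p in folder_acl]
    if not granted:
        return None
    return max(granted, key=FOLDER_LEVELS.index)


def can(user, action, folder_acl):
    """Two gates, both required: a role must grant the permission (the ceiling),
    and the folder ACL must grant at least the level the action needs (the scope)."""
    role_perm, needed_level = ACTION_REQUIREMENTS[action]
    if role_perm not in effective_role_permissions(user):
        return False
    level = folder_level(user, folder_acl)
    if level is None:
        return False
    return FOLDER_LEVELS.index(level) >= FOLDER_LEVELS.index(needed_level)


# Constructed sample data: the "/Network Devices" folder ACL and four users.
NETWORK_DEVICES_ACL = {"Network-Admins": "Edit", "bob": "View"}
ALICE = User("alice", roles={"Network Ops"}, groups={"Network-Admins"})
BOB = User("bob", roles={"Administrator"})                            # full ceiling, View-only on folder
CAROL = User("carol", roles={"Read Only"}, groups={"Network-Admins"})  # Edit on folder, View-only role
DAVE = User("dave", roles={"Network Ops"})                             # right role, no folder grant

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL, DAVE):
        print(user.name, {a: can(user, a, NETWORK_DEVICES_ACL) for a in ACTION_REQUIREMENTS})
```

Bob is the case worth noticing: an Administrator role gives him every secret permission, yet he can only view this folder because his folder grant stops at View. Carol is the mirror image, with Edit on the folder but a role that never allows editing. Checking only one of the two gates during an access review would get both of them wrong.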
# Assign a role to a user via the Secret Server REST API
POST /api/v1/users/{userId}/roles

# Request body
{
  "roleIds": [3],        // Role ID 3 = "Network Ops"
  "userId": 42,          // User: alice.martin
  "operation": "add"
}

# Response 200 OK
{
  "success": true,
  "rolesAssigned": [
    { "roleId": 3, "roleName": "Network Ops" }
  ]
}
ABAC evaluates attributes of the user, the resource and the environment at request time. Secret Server approximates this model through Active Directory group synchronization: a user's group memberships, rather than a hand-assigned role, determine which roles and folder permissions they receive.
Attributes Drive Decisions
Instead of a static role assignment, ABAC policies evaluate attributes at runtime. In Secret Server the attribute that does this work is Active Directory group membership: group-to-role and group-to-folder mappings are re-evaluated at each directory sync and at login, so access follows the directory rather than manual administration.
When to Choose ABAC
Choose ABAC when access must follow organizational changes automatically. If a user joins the "Network-Admins" AD group, they receive the mapped Secret Server permissions at the next synchronization or login without anyone re-assigning roles by hand; when they leave the group, the same sync revokes them. The sync interval therefore bounds how long a revocation can lag behind the directory change.
Below is an example policy that maps AD group membership to Secret Server roles and folder permissions.
<!-- Active Directory Group Mapping Policy -->
<GroupSyncPolicy>
  <ADGroup>
    <Name>CN=Network-Admins,OU=Groups,DC=corp,DC=local</Name>
    <SyncEnabled>true</SyncEnabled>
    <MappedSSRole>Network Operations</MappedSSRole>
    <FolderPermissions>
      <Folder path="/Network Devices">
        <Permission>View, Edit</Permission>
      </Folder>
    </FolderPermissions>
    <SyncInterval>Every 30 min</SyncInterval>
  </ADGroup>
  <ADGroup>
    <Name>CN=DB-Admins,OU=Groups,DC=corp,DC=local</Name>
    <MappedSSRole>Database Administrators</MappedSSRole>
    <FolderPermissions>
      <Folder path="/Databases">
        <Permission>View, Edit, Copy Password</Permission>
      </Folder>
    </FolderPermissions>
  </ADGroup>
</GroupSyncPolicy>
- Configure the AD domain in Secret Server: go to Admin > Active Directory. Add your domain, provide the credentials of a synchronization account (a read-only directory account is sufficient; it needs no write rights), and test the LDAP/S connection. Enable "Auto-create users on login" for seamless onboarding.
- Create group sync mappings: under Admin > Active Directory > Group Sync, map each AD group to a Secret Server role or group. Secret Server evaluates these mappings at the next sync and at user login.
- Set the sync frequency: configure the sync interval (15 to 60 minutes is the recommended range). For an immediate change, use Synchronize Now. Newer versions may also offer event-driven synchronization; check the documentation for your release.
- Validate the attribute mapping: use Admin > Diagnostics to run a test sync for a specific user and verify that their group memberships resolve to the expected roles and folder permissions. Test the removal path as well: take a test account out of a group, sync, and confirm the mapped access is gone.
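The join-and-leave behaviour described above, and the mapping policy shown earlier, can be exercised offline. The following Python is an added example, not Delinea code and not a real Secret Server configuration format: it parses a policy in the shape of the example above, resolves a user's LDAP memberOf values to Secret Server roles and folder permissions, and reports what a sync would grant or revoke when the user changes groups. The DNs, the sample user, and the rule that a missing SyncEnabled element means "enabled" are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Mapping policy in the same illustrative shape as the page's example, embedded so the
# example runs offline. This is not a real Secret Server configuration file format.
POLICY_XML = """<GroupSyncPolicy>
  <ADGroup>
    <Name>CN=Network-Admins,OU=Groups,DC=corp,DC=local</Name>
    <SyncEnabled>true</SyncEnabled>
    <MappedSSRole>Network Operations</MappedSSRole>
    <FolderPermissions>
      <Folder path="/Network Devices"><Permission>View, Edit</Permission></Folder>
    </FolderPermissions>
  </ADGroup>
  <ADGroup>
    <Name>CN=DB-Admins,OU=Groups,DC=corp,DC=local</Name>
    <MappedSSRole>Database Administrators</MappedSSRole>
    <FolderPermissions>
      <Folder path="/Databases"><Permission>View, Edit, Copy Password</Permission></Folder>
    </FolderPermissions>
  </ADGroup>
</GroupSyncPolicy>"""


def load_mappings(xml_text):
    """Parse the policy into {group DN (lower-cased): {"role": ..., "folders": {path: perms}}}.
    Assumption of this example: a missing <SyncEnabled> means enabled; "false" skips the group."""
    mappings = {}
    for grp in ET.fromstring(xml_text).findall("ADGroup"):
        if grp.findtext("SyncEnabled", "true").strip().lower() != "true":
            continue
        folders = {}
        for folder in grp.findall("FolderPermissions/Folder"):
            perms = {p.strip() for p in folder.findtext("Permission", "").split(",") if p.strip()}
            folders[folder.get("path")] = perms
        # AD distinguished names are case-insensitive; normalise so a lookup never misses on case.
        mappings[grp.findtext("Name").strip().lower()] = {
            "role": grp.findtext("MappedSSRole").strip(),
            "folders": folders,
        }
    return mappings


def resolve_access(member_of, mappings):
    """Resolve a user's LDAP memberOf values to Secret Server roles and folder permissions.
    Access is recomputed from the current memberships on every sync, never accumulated,
    so a group the user has left contributes nothing."""
    roles, folders = set(), {}
    for dn in member_of:
        mapping = mappings.get(dn.strip().lower())
        if mapping is None:
            continue  # unmapped group (e.g. Domain Users): no effect on Secret Server
        roles.add(mapping["role"])
        for path, perms in mapping["folders"].items():
            folders.setdefault(path, set()).update(perms)
    return {"roles": roles, "folders": folders}


def sync_delta(before, after):
    """Roles a sync would grant and revoke; log this, it is the audit trail for ABAC changes."""
    return {"granted": after["roles"] - before["roles"],
            "revoked": before["roles"] - after["roles"]}


# Constructed memberOf values for one user before and after an AD group change.
MAPPINGS = load_mappings(POLICY_XML)
ALICE_BEFORE = ["CN=Domain Users,CN=Users,DC=corp,DC=local",
                "cn=network-admins,ou=groups,dc=corp,dc=local"]  # case differs from the policy
ALICE_AFTER = ["CN=Domain Users,CN=Users,DC=corp,DC=local",
               "CN=DB-Admins,OU=Groups,DC=corp,DC=local"]        # left Network-Admins, joined DB-Admins

if __name__ == "__main__":
    before = resolve_access(ALICE_BEFORE, MAPPINGS)
    after = resolve_access(ALICE_AFTER, MAPPINGS)
    print(before)
    print(after)
    print(sync_delta(before, after))
```

The design point is that resolve_access starts from an empty set each time: access is derived from current membership, never added to what the user already had. That is what makes leaving a group revoke access, and it is also why the sync interval (step 3) is the upper bound on how long stale access survives.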
Context-aware access evaluates environmental conditions at the moment of request (time of day, source IP and geolocation, device posture) to dynamically allow, restrict or challenge secret access.
Time of Day
Restrict secret access to business hours. Access during off-hours triggers an MFA step-up or is denied outright, which blunts the use of stolen credentials at times when nobody is around to notice.
IP / Location
Allowlist trusted IP ranges (corporate offices, VPN exit nodes). Requests from unexpected geolocations or IP blocks are challenged or denied, even when the credentials are valid.
Device Type
Require managed, domain-joined devices for high-privilege secrets. Unmanaged or BYOD devices can be limited to view-only access or blocked entirely, based on whether the device presents a valid client certificate.
// POST /api/v1/secret-policy: create a context-aware policy
{
  "policyName": "Privileged Secrets - Context Policy",
  "secretIds": [101, 102, 203],
  "conditions": {
    "timeOfDay": {
      "enabled": true,
      "allowedDays": ["Mon", "Tue", "Wed", "Thu", "Fri"],
      "allowedStart": "07:00",
      "allowedEnd": "19:00",
      "offHoursAction": "RequireMFA"
    },
    "ipRestriction": {
      "enabled": true,
      "allowedRanges": ["10.0.0.0/8", "192.168.1.0/24"],
      "denyAction": "Block"
    },
    "deviceType": {
      "enabled": true,
      "requireManagedDevice": true,
      "unmanaged": "ViewOnly",
      "byod": "Block"
    }
  }
}
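The policy above can be evaluated offline. The following Python is an added example, not Delinea code: it takes the same JSON body and returns a decision for a request's timestamp, source IP and device posture. It fails closed on an unknown device posture and lets a Block from any condition override a step-up. The precedence order, the device labels, and the assumption that the request timestamp is already expressed in the policy's time zone are the example's own, as are the constructed request timestamps and addresses.

```python
import ipaddress
import json
from datetime import datetime

# The page's example policy body, embedded so this runs offline (illustrative format).
POLICY_JSON = """{
  "policyName": "Privileged Secrets - Context Policy",
  "secretIds": [101, 102, 203],
  "conditions": {
    "timeOfDay": {"enabled": true, "allowedDays": ["Mon","Tue","Wed","Thu","Fri"],
                  "allowedStart": "07:00", "allowedEnd": "19:00", "offHoursAction": "RequireMFA"},
    "ipRestriction": {"enabled": true, "allowedRanges": ["10.0.0.0/8", "192.168.1.0/24"],
                      "denyAction": "Block"},
    "deviceType": {"enabled": true, "requireManagedDevice": true,
                   "unmanaged": "ViewOnly", "byod": "Block"}
  }
}"""
POLICY = json.loads(POLICY_JSON)

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday(): Mon == 0
# When several conditions fire, the most restrictive verdict wins (this example's ordering).
VERDICT_ORDER = ["Block", "RequireMFA", "ViewOnly"]


def in_business_window(cond, when):
    """True if `when` falls on an allowed day and within [allowedStart, allowedEnd).
    `when` is assumed to already be in the policy's time zone."""
    if DAY_NAMES[when.weekday()] not in cond["allowedDays"]:
        return False
    start = datetime.strptime(cond["allowedStart"], "%H:%M").time()
    end = datetime.strptime(cond["allowedEnd"], "%H:%M").time()
    return start <= when.time() < end


def ip_allowed(cond, source_ip):
    """True if the request's source address lies inside any allowlisted range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r) for r in cond["allowedRanges"])


def evaluate(policy, when, source_ip, device):
    """Return Allow, ViewOnly, RequireMFA or Block for one request.
    `when` is a datetime or an ISO 8601 string; `device` is "managed", "unmanaged"
    or "byod". Any other posture label fails closed to Block."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    c = policy["conditions"]
    fired = []
    if c["ipRestriction"]["enabled"] and not ip_allowed(c["ipRestriction"], source_ip):
        fired.append(c["ipRestriction"]["denyAction"])
    if c["timeOfDay"]["enabled"] and not in_business_window(c["timeOfDay"], when):
        fired.append(c["timeOfDay"]["offHoursAction"])
    d = c["deviceType"]
    if d["enabled"] and d["requireManagedDevice"] and device != "managed":
        fired.append(d.get(device, "Block"))
    for verdict in VERDICT_ORDER:
        if verdict in fired:
            return verdict
    return "Allow"


if __name__ == "__main__":
    # Constructed requests: 2024-03-12 is a Tuesday, 2024-03-16 a Saturday.
    print(evaluate(POLICY, "2024-03-12T10:00", "10.1.2.3", "managed"))        # Allow
    print(evaluate(POLICY, "2024-03-12T22:00", "10.1.2.3", "managed"))        # RequireMFA
    print(evaluate(POLICY, "2024-03-16T10:00", "192.168.1.50", "unmanaged"))  # RequireMFA
    print(evaluate(POLICY, "2024-03-12T10:00", "203.0.113.7", "managed"))     # Block
```

Two details matter in practice. The window end is exclusive, so a request at exactly 19:00 is already off-hours; and the evaluation is only as good as the time zone of the timestamp you feed it, so normalise request times to the policy's zone before calling evaluate rather than trusting a client-supplied clock.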