Module 00 — Introduction
Welcome to Delinea Credential Manager
This interactive guide walks you through the complete configuration and management of Delinea Secret Server — from accessing secrets and configuring templates to launching sessions and reviewing audit trails.

What is Delinea Credential Manager?

Delinea Credential Manager is a browser extension and configuration interface integrated into Secret Server, allowing administrators and IT users to securely store, manage, and launch credentials across applications and systems.

📋

Secret Templates

Define and manage 83+ credential templates for different service types — from Active Directory to cloud platforms.

🚀

Launchers

Configure 15+ launchers including Chrome, PowerShell, and IBM iSeries to access secrets directly from the vault.

🛡️

Secret Policies

Enforce security policies like check-out workflows and session recording across groups of secrets.

🔡

Password Requirements

Build custom character sets and password rules — including mainframe, SAP, and standard alphanumeric patterns.

📊

Audit Logs

Track every template change, user action, and launcher modification with full timestamped records.

🎥

Session Recording

Record and archive sessions with configurable retention periods and access controls.

📌
This guide is structured for both administrators and IT users. Each module builds on the previous, but you can jump to any topic using the sidebar navigation.
Module 01 — Access
Accessing Secret Server & Credential Manager
Learn the navigation path to reach the Delinea Credential Manager configuration panel from Secret Server.
Step 1: Log in to Delinea Secret Server
Navigate to your organization's Secret Server URL and authenticate with your credentials. Ensure your account has administrative privileges for full configuration access.
Step 2: Navigate to Settings
From the main navigation, click the Settings menu in the top toolbar. This opens the central configuration area of Secret Server.
Step 3: Open Administration
Under the Secret Server section within Settings, select Administration to access the administration panel where system-wide configurations are managed.
Step 4: Open Delinea Credential Manager
Locate and click Delinea Credential Manager from the administration list. This opens the User Experience configuration interface where you can control all credential management settings.

Credential Manager — User Experience Panel

Once inside, you'll see options to enable inline popups, configure prompt-to-save and prompt-to-update behavior, manage autofill settings, configure accessible secret templates, and access launcher and session recording settings.

💡
There are two distinct user experience profiles: the default Admin experience and the IT User experience. Each can be configured independently with different template visibility and behavior settings.
Module 02 — Secret Templates
Managing Secret Templates
Secret Templates define the structure and fields for different types of credentials stored in the vault. Delinea ships with 83 built-in templates and supports custom creation.

What are Secret Templates?

Templates are blueprints that determine what fields a secret contains (e.g., username, password, URL), which launchers it supports, and what password policies apply. Every secret in the vault is based on a template.

Built-in Template Examples

Template Name | Category | Total Secrets | Status
Active Directory Account | Directory Services | 11 | Enabled
Amazon IAM Key | Cloud — AWS | 1 | Enabled
Azure AD Account | Cloud — Azure | | Enabled
Web Password | Web Applications | | Enabled
Credit Card | Financial | | Enabled
PostgreSQL Account | Databases | | Enabled

Managing Templates — Step by Step

📁 Accessing the Templates List
From the Credential Manager User Experience panel, click the Templates Settings link. This opens the Secret Templates management interface showing all 83 templates with their enabled status, total secrets, and actions. Use the search bar to filter by name.
➕ Creating a New Template
Click the Create / Import Template button at the top of the templates list. You'll define the template name, its fields (text, password, URL, file, etc.), and associate password requirements and launchers. After saving, the template becomes available in the vault.
✏️ Enabling / Disabling Templates
Toggle the Enabled switch in the template row to make a template available or unavailable to users. Disabled templates are hidden from secret creation workflows but retain existing secrets.
🎯 Configuring Template Visibility
In the User Experience panel, set which templates users can access — choose from Default (system-defined set), All Templates, or a Custom selection. The IT User profile can be configured separately to show only relevant templates (e.g., Web Password, Credit Card).
⚠️
Disabling a template does not delete existing secrets created from it. However, new secrets cannot be created using a disabled template. Always review active usage before disabling.
Module 03 — Password Policy
Configuring Password Requirements
Password Requirements define the rules governing how passwords are generated and validated for secrets. Delinea supports multiple named requirement sets to match different system needs.

Built-in Password Requirement Sets

Delinea ships with a default alphanumeric requirement and supports custom requirement sets for specialized systems. IT environments with SAP, mainframe, or custom legacy systems require dedicated requirement profiles.

Requirement Name | Character Basis | Use Case
Default | Alphanumeric + Symbols | General web & system passwords
Mainframe Password Requirement | Custom character set | IBM mainframe systems
SAP Password Requirement | SAP Character Set + SAP Symbol Set | SAP R/3 & S/4HANA environments
Notframe | Custom | Non-mainframe legacy systems

Creating a Password Requirement

Step 1: Navigate to Password Requirements
From Templates Settings, select the Password Requirements tab. You'll see the existing requirement profiles listed.
Step 2: Click "Create Password Requirement"
Enter a Name and Description for the new requirement. Choose a meaningful name that identifies the system it applies to.
Step 3: Set Minimum Password Length
Specify the minimum number of characters required. Industry best practice recommends a minimum of 12 characters for standard accounts, 16+ for privileged accounts.
Step 4: Select Character Set
Choose the character set(s) that the password must draw from. Use the Default set for standard systems, or select specialized sets like SAP Character Set or SAP Symbol Set for platform-specific requirements.
Step 5: Configure Restrictions
Enable options to prevent username inclusion, block spatial/sequential patterns (e.g., "qwerty", "1234"), and optionally enforce custom dictionary word exclusions. Save the requirement when complete.
📌
You can also create custom dictionaries to block organization-specific terms, product names, or common phrases from being used in passwords. Access this via the Custom Dictionaries link on the Password Requirements page.
Module 04 — Character Sets
Managing Character Sets
Character Sets define the exact pool of characters that can be used in generated passwords. They are referenced by Password Requirements to control password composition.

Default Character Sets

Set Name | Description | Includes | Status
Default | Standard alphanumeric + symbols | a-z, A-Z, 0-9, symbols | Enabled
Lower Case | Lowercase letters only | a-z | Enabled
Upper Case | Uppercase letters only | A-Z | Enabled
Numeric | Digits only | 0-9 | Enabled
Symbol | Special characters | !@#$%^&*… | Enabled
Upper Case Alphanumeric | Upper + digits | A-Z, 0-9 | Enabled
SAP Character Set | SAP-compatible characters | SAP-allowed alpha/numeric | Enabled
SAP Symbol Set | SAP-compatible symbols | SAP-allowed special chars | Enabled

Creating a Custom Character Set

Navigate to Templates Settings → Character Sets and click Create New Set. Provide a name, description, and define the exact characters allowed. Custom sets are immediately available for use in Password Requirements.

🎯 When to Create Custom Character Sets
Create custom character sets when a target system has restrictions on which characters are valid — for example, a legacy database that doesn't accept certain special characters, or a mainframe system with a specific allowed symbol list. Defining the set ensures passwords are always compatible.
🔗 Linking Character Sets to Password Requirements
After creating a character set, associate it with a Password Requirement by selecting it as the basis during requirement creation or editing. A single requirement can reference multiple character sets — e.g., require at least one character from each of Uppercase, Lowercase, Numeric, and Symbol sets.
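The restrictions from Module 03 and the per-set rule described above, combined into one checker as an added example (this is not Delinea's code). The symbol pool, the four-character run length, and the function names are assumptions made for illustration.

```python
import string

# Character sets named after the sets listed in this guide; the symbol pool
# is an assumption, since the page truncates the Symbol set's contents.
CHARSETS = {
    "Upper Case": set(string.ascii_uppercase),
    "Lower Case": set(string.ascii_lowercase),
    "Numeric": set(string.digits),
    "Symbol": set("!@#$%^&*"),
}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]   # spatial patterns
ORDERED_RUNS = [string.ascii_lowercase, string.digits]   # sequential patterns


def has_run(password, sources, run_len=4):
    """True if password holds run_len consecutive chars of a source, forward or reversed."""
    low = password.lower()
    for src in sources:
        for seq in (src, src[::-1]):
            for i in range(len(seq) - run_len + 1):
                if seq[i:i + run_len] in low:
                    return True
    return False


def check_password(password, username, min_length=16, dictionary=()):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    allowed = set().union(*CHARSETS.values())
    if set(password) - allowed:
        problems.append("character outside allowed sets")
    # A requirement may reference several sets: demand one character from each.
    for name, chars in CHARSETS.items():
        if not set(password) & chars:
            problems.append(f"missing {name}")
    low = password.lower()
    if username and username.lower() in low:
        problems.append("contains username")
    if has_run(password, KEYBOARD_ROWS):
        problems.append("spatial pattern")
    if has_run(password, ORDERED_RUNS):
        problems.append("sequential pattern")
    if any(word.lower() in low for word in dictionary):
        problems.append("dictionary word")
    return problems
```

Run the same checks against a sample of generated passwords before pointing a new requirement at a restrictive target (mainframe, SAP), so a character the target rejects shows up here rather than as a failed password change.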
Module 05 — Launchers
Configuring & Using Launchers
Launchers enable users to connect directly to systems using stored credentials — without copying passwords. Delinea supports 15+ launcher types for various platforms and protocols.

Available Launchers

Chrome Incognito, IBM iSeries Launcher, PowerShell Launcher, Remote Desktop (RDP), SSH Launcher, Web Launcher, Process Launcher, SQL Server, SAP GUI, Putty, Custom Executable

Creating a New Launcher

Step 1: Navigate to Launchers
From Templates Settings, click the Launchers tab to see the current list of 15 enabled launchers.
Step 2: Click "Create New Launcher"
The Create Launcher form opens. Provide a descriptive Name and Description to clearly identify the launcher's purpose.
Step 3: Set Executable Path & Arguments
Enter the Executable Path (e.g., C:\Windows\System32\mstsc.exe for RDP), specify Arguments using Secret field tokens, and optionally set a Working Directory.
Step 4: Configure Launch Options
Choose whether to Run as a Different User (useful for privileged tasks) and whether to open in a New Window. These control the runtime behavior of the launched session.
Step 5: Save and Map to Template
Save the launcher, then navigate to the target Secret Template and add the launcher mapping. The launcher will appear as a button when users open a secret of that type.

Launcher Global Settings

Navigate to Settings → Launcher Settings to configure system-wide launcher behavior: enable auto-updates, manage Protocol Handler updates, enable web launcher mapping downloads/uploads, and configure secret check-in/check-out behavior when sessions end.

💡
Web launcher mappings can be exported and imported as configuration files. This is useful for standardizing launcher configurations across multiple Secret Server instances or environments.
Module 06 — Secret Policies
Managing Secret Policies
Secret Policies enforce consistent security behaviors across secrets — including check-out workflows, session recording requirements, and access controls. Policies are applied at the folder or secret level.

Existing Secret Policies

The system comes with pre-configured policies that address common security requirements. Each policy can be enabled or disabled and customized to match organizational needs.

Policy Name | Key Features | Status
Check Out and Adv | Requires secret check-out before use; advanced access controls | Enabled
Session Recording | Enforces session recording for all launched connections | Enabled
Test | Testing/sandbox policy configuration | Enabled

Creating a New Secret Policy

Step 1: Navigate to Secret Policy Settings
From the Credential Manager User Experience panel, click the Secret Policy Settings link. The policy management page lists all existing policies with their status.
Step 2: Click "Create New Policy"
Click the create button to open the policy creation form. Enter a Policy Name — make it descriptive (e.g., "Database Checkout Required") — and optionally add a Description explaining the policy's purpose. Set the initial State (Enabled by default).
Step 3: Configure Policy Rules
After the policy is created, configure its rules — this includes check-out settings (require checkout, checkout duration, exclusive checkout), session recording requirements, approval workflows, and auto-change settings. Each rule can be set as enforced (mandatory) or default (overridable by secret owners).
Step 4: Apply Policy to Secrets or Folders
Navigate to the target secret or folder, open its settings, and assign the policy in the Secret Policy field. Secrets in a folder inherit the folder's policy unless explicitly overridden.
⚠️
Setting a policy rule as Enforced means secret owners cannot override it, even with admin privileges. Use this for compliance-critical controls like session recording on privileged accounts.
Module 07 — Audit
Reading Audit Logs
The Audit section provides a complete, tamper-evident log of all template changes, launcher modifications, and user actions within Secret Server. Logs are timestamped in UTC.

What the Audit Log Captures

Every meaningful action in Delinea is logged: template edits, launcher additions/removals, launcher mapping changes, user logins, secret views, and policy changes — all tied to a specific user and IP address.

Sample Audit Log Entries

Date / Time (UTC) | User | Action | Template | Notes
2024-11-14 09:32:41 | ziedgormazi | EDIT | PostgreSQL account | Launcher mapping edited
2024-11-14 09:28:15 | ziedgormazi | EDIT | pgadmin | Launcher added
2024-11-13 16:45:02 | clouadmin | EDIT | Active Directory Account | Launcher removed
📋 Accessing the Audit Section
Navigate to Templates Settings → Audit. The audit log displays up to 127+ records per page with filterable columns for date, user, action, template, and IP address. All times are displayed in UTC.
🔍 Filtering and Searching Logs
Use the column header filters to narrow log entries by date range, specific user, action type (EDIT, CREATE, DELETE), or template name. This helps quickly identify the source of a configuration change during an incident review.
📤 Exporting Audit Records
Audit records can be exported for compliance reporting or external SIEM ingestion. The export function generates a CSV-format file of the displayed records, preserving all fields including IP addresses and action notes.
💡
Regularly reviewing audit logs — especially EDIT actions on high-value templates like Active Directory — is a recommended security practice for detecting unauthorized template modifications.
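One way to turn that review into a repeatable check over an exported CSV, as an added example (not part of the product or of this guide's original material). The CSV header names, the IP addresses, and the high-value template list are assumptions; the three rows mirror the sample entries above.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of the audit table in this guide. The CSV
# header names and the IP addresses (documentation range) are assumptions.
SAMPLE_EXPORT = """Date / Time (UTC),User,Action,Template,Notes,IP Address
2024-11-14 09:32:41,ziedgormazi,EDIT,PostgreSQL account,Launcher mapping edited,192.0.2.10
2024-11-14 09:28:15,ziedgormazi,EDIT,pgadmin,Launcher added,192.0.2.10
2024-11-13 16:45:02,clouadmin,EDIT,Active Directory Account,Launcher removed,192.0.2.25
"""

HIGH_VALUE_TEMPLATES = {"active directory account"}  # assumption: tune per vault
REVIEWED_ACTIONS = {"EDIT", "CREATE", "DELETE"}


def triage(export_text, high_value=HIGH_VALUE_TEMPLATES):
    """Return audit rows worth a reviewer's attention, most severe first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        action = row["Action"].strip().upper()
        if action not in REVIEWED_ACTIONS:
            continue
        template = row["Template"].strip()
        reasons = []
        if template.lower() in high_value:
            reasons.append("high-value template")
        # Launcher changes alter which program receives the stored credential.
        if "launcher" in row["Notes"].lower():
            reasons.append("launcher change")
        if not reasons:
            continue
        when = datetime.strptime(row["Date / Time (UTC)"], "%Y-%m-%d %H:%M:%S")
        findings.append({
            "when": when.replace(tzinfo=timezone.utc),
            "user": row["User"],
            "template": template,
            "source_ip": row["IP Address"],
            "reasons": reasons,
            "severity": "high" if "high-value template" in reasons else "medium",
        })
    # High severity first, then newest first within each severity.
    findings.sort(key=lambda f: (f["severity"] != "high", -f["when"].timestamp()))
    return findings
```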
Module 08 — Session Recording
Configuring Session Recording
Session Recording captures and stores video-like records of privileged sessions launched through Delinea, supporting compliance, forensics, and insider threat detection.
Step 1: Access Session Recording Settings
From the Credential Manager panel, scroll to the Session Recording section and click the configuration link. This opens the session recording policy interface.
Step 2: Enable Session Recording
Toggle the Enable Recording option. Once enabled, all sessions launched using launchers associated with recording-enabled secrets will be captured automatically.
Step 3: Set Retention Period
Define how long recordings are retained before automatic deletion. Balance storage costs against compliance requirements — regulations like PCI-DSS and HIPAA may mandate minimum retention periods.
Step 4: Define Access Levels
Configure which roles can view recordings. Restrict playback to security auditors and compliance officers to minimize the risk of credential information being exposed through recordings.

⚠ User Management & Permissions

The Session Recording section links to User Management and Permission Management — where you can assign roles, enable/disable accounts, and manage access groups. Always ensure only authorized personnel have playback access to session recordings, as they may contain sensitive authentication data.

📌
Session recording enforcement can also be configured through a Secret Policy — apply the "Session Recording" policy to all secrets in a folder to automatically enforce recording for every privileged access session.
Module 09 — Admin Mode
Unlimited Admin Mode
Unlimited Admin Mode grants an administrator temporary elevated access to all secrets in the vault, bypassing normal permission restrictions. Every activation is fully audited.

⚠ Use with Extreme Caution

Unlimited Admin Mode should only be activated for legitimate break-glass scenarios — system recovery, incident response, or critical configuration tasks. Every activation is logged with a mandatory note and is visible in the audit trail.

Activating Unlimited Admin Mode

Step 1: Navigate to Unlimited Admin Mode Settings
Find the Unlimited Admin Mode setting within the Administration section. This requires top-level administrative privileges.
Step 2: Check the Activation Checkbox
Enable the checkbox to activate Unlimited Admin Mode. A mandatory notes field will appear — you must document the business justification before the mode can be saved.
Step 3: Enter Justification Note
Write a clear, concise justification (e.g., "Emergency access required for incident response — INC-2847"). This note is permanently stored in the audit log.
Step 4: Save and Disable When Done
Complete your administrative task, then immediately return and disable Unlimited Admin Mode. Leaving it active indefinitely is a security risk. The disable action is also logged.

Audit Log — Admin Mode History

Date (UTC) | User | Action | Note
2024-11-05 14:22 | clouadmin | ENABLED | Administrator work
2024-11-05 14:45 | clouadmin | DISABLED | Task completed
2024-10-28 09:11 | clouadmin | ENABLED | Test
⚠️
The audit log for Unlimited Admin Mode retains a full history of all 13+ enable/disable events. This log cannot be modified or deleted by any user, ensuring accountability for all elevated access events.
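A review of that history for the two risks named in this module, a window left open and a weak justification note, as an added example (not Delinea's code). The ticket pattern and the one-hour budget are assumptions, and the three rows shown above are treated as a complete log even though the full history holds more events.

```python
import re
from datetime import datetime, timedelta

# Events copied from the Admin Mode history table in this guide, oldest first.
EVENTS = [
    ("2024-10-28 09:11", "clouadmin", "ENABLED", "Test"),
    ("2024-11-05 14:22", "clouadmin", "ENABLED", "Administrator work"),
    ("2024-11-05 14:45", "clouadmin", "DISABLED", "Task completed"),
]
TICKET_RE = re.compile(r"\b[A-Z]{2,5}-\d+\b")  # assumption: tickets look like INC-2847
MAX_WINDOW = timedelta(hours=1)                 # assumption: break-glass time budget


def review_windows(events, max_window=MAX_WINDOW):
    """Pair ENABLED/DISABLED events and flag risky break-glass windows."""
    windows, open_window = [], None
    for stamp, user, action, note in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if action == "ENABLED":
            if open_window:  # enabled again with no DISABLED recorded in between
                open_window["flags"].append("no DISABLED event recorded")
                windows.append(open_window)
            flags = [] if TICKET_RE.search(note) else ["note lacks ticket reference"]
            open_window = {"user": user, "start": when, "end": None,
                           "note": note, "flags": flags}
        elif action == "DISABLED" and open_window:
            open_window["end"] = when
            if when - open_window["start"] > max_window:
                open_window["flags"].append("window exceeded time budget")
            windows.append(open_window)
            open_window = None
    if open_window:  # still enabled at the end of the log
        open_window["flags"].append("no DISABLED event recorded")
        windows.append(open_window)
    return windows
```

Against the full exported history, an ENABLED event with no matching DISABLED is the finding to chase first, since it means elevated access may still be active.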
Module 10 — Assessment
Knowledge Check
Test your understanding of Delinea Credential Manager. Answer all questions to complete the training.

// Question 1 of 5

What is the correct navigation path to access Delinea Credential Manager?
A Settings → Security → Credential Manager
B Settings → Administration → Delinea Credential Manager
C Dashboard → Tools → Credential Manager
D Administration → Users → Credential Manager

// Question 2 of 5

How many default Secret Templates does Delinea Secret Server include?
A 25 templates
B 50 templates
C 83 templates
D 100 templates

// Question 3 of 5

What happens to existing secrets when you disable a Secret Template?
A All existing secrets are permanently deleted
B Existing secrets are retained; new secrets cannot be created from the template
C Existing secrets are archived and become read-only
D Nothing changes — secrets and the template remain fully functional

// Question 4 of 5

Which of the following is a best practice when using Unlimited Admin Mode?
A Keep it enabled permanently to reduce friction for administrators
B Enable it whenever performing any Secret Server task
C Enable it without a note to maintain operational speed
D Enable only when needed, add a justification note, and disable immediately after the task

// Question 5 of 5

What must you provide when creating a custom Password Requirement in Delinea?
A Only a name — all other settings are inherited from default
B Name, expiry date, and IP restriction list
C Name, minimum password length, and character set selection
D Name and an attached Active Directory group policy object