Module 01 — Foundation

Folder Permissions
in Secret Server

Delinea Secret Server uses a layered permissions model to control who can see, use, and manage secrets. Understanding how groups, roles, and explicit folder permissions interact is essential for secure and efficient PAM administration.

๐Ÿ—๏ธ The Permission Hierarchy CORE CONCEPT

Secret Server permissions work in three tiers: Roles define what actions users can take system-wide. Groups organize users for easier management. Folder permissions control access to specific folders and the secrets within them.

📂 What Are Folders?

Folders are the primary organisational containers in Secret Server. They store secrets and are arranged in a tree. Permissions applied to a folder can propagate down to all child folders and secrets unless explicitly overridden.

🎯 What You'll Learn

By completing this training you will be able to:

✓ Create and manage user groups for access control
✓ Assign system roles and understand their permissions
✓ Configure folder-level permissions and access levels
✓ Manage permission inheritance and explicit overrides

ℹ️ Prerequisites: This guide assumes you have administrator or system administrator access to a Delinea Secret Server instance. Screenshots and steps reference Secret Server version 11.x and later.
Module 02 — Identity

Managing Groups

Groups are collections of users that simplify permission management. Instead of assigning permissions to individual users on every folder, you assign them once to a group, and all members inherit those rights.

๐Ÿ” Group Types IMPORTANT

Secret Server supports two group sources:

Local Groups
Created and managed entirely within Secret Server. Ideal for PAM-specific groupings that don't mirror your directory structure.
Directory Groups (AD/LDAP)
Synchronised from Active Directory or LDAP. Membership is controlled externally and synced on a schedule or on-demand.
📋 Creating a Local Group

1. Navigate to Administration: From the top menu, go to Admin → Groups. You'll see the Groups management page with all existing groups listed.

2. Create New Group: Click + Create Group. Enter a meaningful name (e.g., SEC-Ops-Team) and an optional description. Keep naming consistent across your environment.

3. Add Members: On the Group detail page, select Members → Add Members. Search by username and add the appropriate users. You can add both local and directory users.

4. Assign a Role (Optional): Navigate to the Roles tab on the group. Assign a system role to give all group members a baseline set of permissions. See the Roles module for details.

5. Save the Group: Click Save. The group is now available to be assigned to folder permissions throughout your Secret Server instance.

⚠️ AD sync timing: Directory groups sync on a configured schedule (default: every 15 minutes). After adding a user to an AD group, Secret Server permissions may not reflect the change immediately. Trigger a manual sync via Admin → Directory Services → Sync Now if needed.
Module 03 — Authorization

Roles & System Permissions

Roles control what users can do in Secret Server at the system level, independent of folder-level access. A user may have a role that allows them to create folders, but they still need explicit folder permissions to access secrets inside one.

🎭 Built-in System Roles

| Role | Create Folders | Manage Users | View Audit Logs | Access All Secrets |
|---|---|---|---|---|
| 🛡️ System Administrator | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| ⚙️ Administrator | ✓ Yes | Limited | View Only | ✗ No |
| 👁️ Auditor | ✗ No | ✗ No | ✓ Yes | ✗ No |
| 👤 User | Config. | ✗ No | ✗ No | ✗ No |
| 📋 Read Only | ✗ No | ✗ No | ✗ No | ✗ No |
🔧 Creating Custom Roles

Custom roles allow fine-grained control. Navigate to Admin → Roles → Create Role.

1. Name the Role: Provide a clear, descriptive name. Use a naming convention such as ROLE_DEPT_Function to maintain consistency.

2. Select Role Permissions: Tick the system-level permissions required. Common ones include: View Users, Add Secret, Delete Secret, Administer Folders, View Audit Log, View Remote Password Changing.

3. Assign to Groups or Users: Roles can be assigned to individual users or to groups. Assigning via groups is the recommended approach; it scales better and is easier to audit.

💡 Roles vs Folder Permissions: Roles define system capabilities (what the user can do). Folder permissions define what data they can access. A user needs BOTH an appropriate role AND folder access to work effectively with secrets.
Module 04 — Access Control

Folder Permission Levels

Folder permissions determine exactly what a user or group can do within a specific folder and its contents. Secret Server provides four distinct permission levels for folders.

๐Ÿ‘๏ธ View VIEW

Users can see the folder and its secrets in the tree, and view secret metadata (name, template, last modified). They cannot view the actual secret values unless the secret template also grants access.

โœ๏ธ Edit EDIT

Includes all View permissions, plus the ability to add, modify, and move secrets within the folder. Users can edit secret values and create new secrets. They cannot delete secrets or change folder permissions.

๐Ÿ‘‘ Owner OWNER

Full control. Includes View + Edit, plus the ability to delete secrets, modify folder permissions, add sub-folders, and rename or delete the folder itself. Assign this level sparingly.

๐Ÿšซ No Access (Explicit Deny) DENY

Overrides any inherited permissions. If a user's group has View access but they are explicitly denied, they will see nothing. Use this to exclude specific users from inherited group access.

โš™๏ธ Assigning Folder Permissions
  1. 1

    Open Folder Settings

    In the Secret Server tree, right-click the folder and select Edit Folder, or click the โš™๏ธ icon next to the folder name. Navigate to the Folder Permissions tab.

  2. 2

    Add a User or Group

    Click + Add. In the search box, type the name of a user, group, or role. Select the appropriate entry from the dropdown results.

  3. 3

    Set the Permission Level

    From the permission dropdown, choose View, Edit, or Owner. Consider using groups rather than individual users for maintainability.

  4. 4

    Configure Inheritance

    Decide whether to Inherit Permissions from the parent folder (default) or break inheritance and set explicit permissions. This is covered in detail in the Inheritance module.

  5. 5

    Apply to Sub-folders and Secrets

    If desired, tick Apply to Sub-Folders and Apply to Secrets to propagate the permission change down the hierarchy. This is a one-time push โ€” future changes won't auto-propagate unless inheritance is enabled.

โš ๏ธ "Apply to Secrets" is not the same as inheritance. Clicking "Apply to Secrets" is a bulk-assignment of the current folder permissions to all existing secrets. New secrets created in the folder still inherit from it automatically. This option is useful when you change a folder's permissions and want all existing secrets to match.
Module 05 — Propagation

Permission Inheritance

Inheritance allows child folders and secrets to automatically receive the permissions of their parent. This reduces administrative overhead but requires careful planning to avoid unintended access.

🌲 How Inheritance Works

By default, every new sub-folder and secret inherits its parent folder's permissions. The permission chain flows from the root folder downward:

📂 Root Folder (Owner: Admins)
  ↓ inherits
  📁 IT Department (Inherited)
    ↓ inherits
    📁 Windows Servers (Inherited)
      ↓ inherits
      🔑 DC01 Local Admin (Inherited)

✂️ Breaking Inheritance

When a folder or secret requires different permissions from its parent, you break inheritance and set explicit permissions. This creates an isolated permission boundary.

📂 IT Department (View: All Staff)
  ↓ inherits
  📁 Windows Servers (Inherited)
    → breaks inheritance
    📁 PAM Break-Glass (Explicit Only)
      ↓ inherits (from new parent)
      🔑 Emergency Admin Creds (From PAM Break-Glass)
📋 Steps to Break Inheritance

1. Open Folder Permissions: Navigate to the folder, open Edit Folder → Folder Permissions.

2. Disable Inheritance: Uncheck "Inherit permissions from parent folder". A warning will appear; confirm you want to break inheritance. The folder will now show only explicitly assigned permissions.

3. Add Explicit Permissions: After breaking inheritance, immediately add the required permissions. Failing to add at least one Owner may lock everyone out of the folder.

4. Review Sub-folders: Sub-folders that previously inherited from this folder will now inherit your new explicit permissions. If they need different permissions, repeat the process for each sub-folder.

🚨 Don't lock yourself out! When breaking inheritance, always ensure at least one System Administrator or your own account has Owner permissions on the folder before saving. Secret Server will warn you, but it's possible to create inaccessible folders if you're not careful.
Module 06 — Precision Control

Explicit Permissions

Explicit permissions let you assign specific access rights directly to a folder, group, user, or secret, overriding what would otherwise be inherited from the parent. They are the most granular layer of the permissions model.

✅ When to Use Explicit Permissions

• A team needs access to one sub-folder but not its siblings
• A contractor needs temporary View access to specific secrets
• A break-glass folder needs tighter access than its parent
• An individual needs elevated access beyond their group's level

❌ When NOT to Over-Use Explicit Permissions

• As a substitute for proper group management
• When inheritance achieves the same outcome
• On every individual secret (creates audit/management burden)
• Without documentation of why the exception exists

๐Ÿ” Explicit vs Inherited โ€” Visual Comparison
Attribute Inherited Permission Explicit Permission
Source Parent folder Directly assigned
Persistence Updates when parent changes Static โ€” does not change with parent
Priority Lower Higher (overrides inherited)
Maintenance Automatic Manual โ€” must be reviewed regularly
Audit Visibility Shown as "Inherited" Shown as "Explicit" โ€” easier to spot
โš™๏ธ Setting an Explicit Secret Permission

Secrets have their own permission settings separate from the folder. To set permissions directly on a secret:

  1. 1

    Open the Secret

    Navigate to the secret and click into it. Then go to Security โ†’ Permissions tab.

  2. 2

    Break Inheritance (if needed)

    The secret shows permissions inherited from its folder. Uncheck "Inherit permissions from folder" to enable explicit secret-level permissions.

  3. 3

    Add or Remove Principals

    Add users, groups, or roles with specific permission levels (View / Edit / Owner). The secret-level permissions now take full effect.

  4. 4

    Document the Exception

    In the secret's Notes field or via your ITSM, record why the explicit permission was set, who approved it, and when it should be reviewed.

๐Ÿ’ก Tip: Secret Server's Permission Report (Admin โ†’ Reports โ†’ Folder Permissions) gives you a consolidated view of all explicit permissions across your folder tree. Run this regularly as part of access reviews.
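The rules spread across Modules 03 to 06 (an action needs both a role permission and folder access; View, Edit and Owner are ordered levels; an explicit deny overrides a group grant; a node inherits its parent's entries unless inheritance is broken; explicit entries take priority over inherited ones; a broken-inheritance folder with no Owner is a lock-out) combine in ways that are easiest to see in a small model. The Python below is an added example written for this page, not Delinea code. It encodes only what the page states; the folder, group and user names are constructed, the role permission names come from this page's custom-role list, and one point is an assumption: when a deny and a grant both match the same user through different principals, the model lets the deny win, which is the conservative reading of the No Access description.

```python
"""Model of Secret Server folder/secret permission resolution.

Added example for this training page (not Delinea code). It encodes the
rules the page states: a folder or secret inherits its parent's entries
unless inheritance is broken; an explicit entry on the node replaces the
inherited entry for the same principal; an explicit deny beats any grant
the user would get through a group (assumed precedence); an action needs
BOTH the role permission AND the folder level; and a node whose
inheritance is broken needs at least one Owner or nobody can manage it.
All folder, group and user names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

LEVELS = {"None": 0, "View": 1, "Edit": 2, "Owner": 3}  # ascending access levels
DENY = "Deny"  # the "No Access (Explicit Deny)" entry


@dataclass
class Node:
    """A folder or a secret; secrets are simply leaf nodes with the same rules."""
    name: str
    parent: Optional["Node"] = None
    inherit: bool = True                              # "Inherit permissions from parent"
    explicit: dict = field(default_factory=dict)      # principal -> level or DENY


def effective_acl(node: Node) -> dict:
    """Principal -> entry for this node after inheritance and explicit overrides."""
    acl = {}
    if node.inherit and node.parent is not None:
        acl.update(effective_acl(node.parent))        # inherited entries first ...
    acl.update(node.explicit)                         # ... explicit entries win
    return acl


def effective_level(node: Node, user: str, groups) -> str:
    """Highest level the user reaches via their own entry or any group; Deny wins."""
    acl = effective_acl(node)
    entries = [acl[p] for p in {user, *groups} if p in acl]
    if not entries or DENY in entries:
        return "None"
    return max(entries, key=LEVELS.__getitem__)


# Minimum folder level for an action (from the level descriptions) plus the
# system-role permission it also needs (names from the page's custom-role list).
ACTION_RULES = {
    "view_metadata": ("View", None),
    "add_secret": ("Edit", "Add Secret"),
    "delete_secret": ("Owner", "Delete Secret"),
}


def can_perform(action: str, node: Node, user: str, groups, role_perms) -> bool:
    """Roles say what a user may do; folder permissions say where. Both must pass."""
    min_level, role_perm = ACTION_RULES[action]
    has_level = LEVELS[effective_level(node, user, groups)] >= LEVELS[min_level]
    has_role = role_perm is None or role_perm in role_perms
    return has_level and has_role


def lockout_risks(nodes) -> list:
    """Names of nodes with inheritance broken and no Owner entry left."""
    return [n.name for n in nodes
            if not n.inherit and "Owner" not in effective_acl(n).values()]


# Constructed tree mirroring the page's diagrams.
root = Node("Root", explicit={"Admins": "Owner"})
it_dept = Node("IT Department", root, explicit={"All Staff": "View"})
win = Node("Windows Servers", it_dept, explicit={"contractor.jane": DENY})
dc01 = Node("DC01 Local Admin", win)                       # secret, inherits
break_glass = Node("PAM Break-Glass", win, inherit=False,
                   explicit={"PAM-Admins": "Owner", "SEC-Ops-Team": "View"})
emergency = Node("Emergency Admin Creds", break_glass)     # secret under the break
orphan = Node("Orphaned", it_dept, inherit=False, explicit={"SEC-Ops-Team": "View"})


def demo() -> dict:
    """Effective levels for a few constructed users; keys are user@node."""
    return {
        "alice@win": effective_level(win, "alice", {"All Staff"}),
        "alice@dc01": effective_level(dc01, "alice", {"All Staff"}),
        "alice@break_glass": effective_level(break_glass, "alice", {"All Staff"}),
        "bob@emergency": effective_level(emergency, "bob", {"Admins"}),
        "carol@emergency": effective_level(emergency, "carol", {"PAM-Admins"}),
        "jane@win": effective_level(win, "contractor.jane", {"All Staff"}),
        "jane@it_dept": effective_level(it_dept, "contractor.jane", {"All Staff"}),
    }


if __name__ == "__main__":
    for who, level in demo().items():
        print(f"{who:18} {level}")
    print("lockout risk:", lockout_risks([root, it_dept, win, break_glass, orphan]))
```

demo() reproduces the diagrams: an All Staff member gets View on Windows Servers and on its DC01 secret but nothing under PAM Break-Glass, an Admins member has no access to the break-glass secret because the break cut the chain from Root (the reason the page insists on adding an Owner before saving), and the deny on contractor.jane applies only at the node where it was set. lockout_risks() is the pre-save check: it flags the Orphaned folder, whose inheritance is broken with only a View entry left.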
Module 07 — Hands-On

Interactive Permission Lab

Explore how permissions interact by clicking a folder in the tree and assigning permissions. See how inheritance and explicit settings affect the effective access.

Secret Server — Folder Permission Simulator (interactive widget; only its sample folder tree is recorded here)

📂 Root (Root)
📁 IT Department (Inherited)
📁 Windows Servers (Inherited)
📁 Network Devices (Inherited)
📁 Break-Glass (Explicit)
📁 HR Systems (Inherited)

Selecting a folder shows its effective permissions and an Add Permission control.
Module 08 — Guidance

Best Practices

Following these proven practices will keep your Secret Server environment secure, auditable, and easy to manage as your organisation grows.

• 🏗️ Design your folder hierarchy before assigning permissions. Plan a folder structure that mirrors your organisational or functional boundaries. Permissions flow downward, so a well-designed tree reduces the number of explicit overrides needed. Common structures: by department, by technology, by environment (Prod/Dev/Test).
• 👥 Always assign permissions to groups, never individuals. User-based permissions become unmanageable at scale. When someone leaves or changes roles, group membership changes propagate automatically. Reserve user-level assignments for temporary exceptions, and document them.
• 🔒 Apply least privilege: start with View, escalate as needed. Grant View access by default. Only elevate to Edit or Owner when there is a clear business requirement. Periodically review Owner-level assignments; these should be kept to a minimum.
• ✂️ Break inheritance sparingly and document every exception. Each inheritance break creates a separate permission island that must be maintained independently. Every break-glass folder or exception should have a ticket reference and a review date in its notes or description.
• 📋 Run access reviews quarterly. Use Admin → Reports → Folder/Secret Permissions and Admin → Reports → User Access to generate permission reports. Validate that active users still require their access level. Remove stale permissions promptly.
• 🔄 Sync Active Directory groups regularly. If using AD groups, ensure sync intervals are appropriate (15 minutes is typically fine; reduce for highly sensitive folders). Monitor sync health under Admin → Directory Services.
• 🛡️ Protect break-glass folders with dual approvals and alerting. Any folder containing emergency credentials should require approval workflows and send real-time alerts on access. Configure this under the folder's Security → Requires Approval and the Event Subscription engine.
• 📝 Maintain a permissions runbook. Document your group naming conventions, folder structure rationale, role assignments, and explicit permission exceptions in a runbook stored outside Secret Server. This is essential for onboarding new admins and for disaster recovery.
Module 09 — Assessment

Knowledge Check

Test your understanding of Secret Server folder permissions. Answer all questions to complete your training.