Delinea Platform Architecture for MSPs
Understand how the Delinea Platform is structured and why it was built for multi-tenant delivery
The Delinea Platform is a cloud-native, API-first Privileged Access Management suite that consolidates Secret Server, Privilege Manager, DevOps Secrets Vault, and Delinea Cloud under a unified control plane. For MSPs, the architecture choice between Cloud-hosted, self-hosted, and hybrid deployments directly determines your operational cost, scalability ceiling, and SLA capacity.
Delinea Cloud (SaaS)
Fastest path to multi-tenant delivery. Delinea manages infrastructure; you manage tenants. Best for MSPs onboarding 3+ clients per quarter. Auto-scaling included.
Self-Hosted Secret Server
Maximum control and compliance isolation. Often required for clients in regulated industries or with data-residency obligations. Higher infrastructure and operations cost, but allows dedicated infrastructure per client.
Hybrid Deployment
Cloud control plane with on-premises agents (Distributed Engine). Ideal for clients that can't move secrets off-premises but want cloud-managed workflows.
API-First Architecture
All Delinea capabilities are exposed via REST API. Enables PSA integration (ConnectWise, Autotask), SIEM forwarding, and automated client provisioning pipelines.
For net-new MSP programs, Delinea Cloud is the recommended starting point. It eliminates infrastructure management overhead and allows you to charge per-seat without capital investment. Self-hosted becomes compelling once you have one or more enterprise clients requiring dedicated instance isolation or sovereign data residency.
Multi-Tenancy Model in Delinea
How to structure a single Delinea instance to serve multiple clients with full data isolation
Delinea's multi-tenancy for MSPs is primarily delivered through organizational hierarchy, folder structure, and RBAC policies within a shared Secret Server instance — or via dedicated instances per client when hard isolation is contractually required.
Dedicated Instance per Client
Each client gets its own Secret Server instance (cloud-hosted by Delinea or self-hosted by the MSP). Maximum isolation: no shared compute, storage, or session data. Recommended for enterprise, healthcare, finance, or government clients.
- ✓ No shared application tier, so a folder-permission mistake cannot expose one client's data to another (MSP engineer accounts remain a shared trust path across tenants and need MFA and their own audit scope)
- ✓ Per-client version control and maintenance windows
- ✓ Independent backup and DR schedule
- ✗ Higher licensing and infrastructure cost — pass-through billing recommended
Mixed Model (Shared + Dedicated)
MSP manages a shared cloud instance for SMB clients while running dedicated instances for enterprise accounts that require contractual isolation. Use a consistent naming convention and CMDB tagging to manage instance sprawl.
Mixed shared-plus-dedicated estates increase operational complexity. Document your instance registry and enforce a templated onboarding process to prevent configuration drift between client environments.
RBAC Architecture for Multi-Tenancy
Delinea roles define what a user may do (the permission set); scoping a role to a client comes from assigning it to a client-specific group and granting that group access only on the client's folder tree. The recommended MSP pattern uses four standard roles per client tenant:
| Role Name | Assigned To | Key Permissions | Client Visibility |
|---|---|---|---|
| MSP_Admin_{ClientID} | MSP Engineer | Full CRUD on client folder, manage policies | MSP Only |
| Client_SecretViewer | Client IT Lead | View own secrets, no cross-folder access | Client Portal |
| Client_Operator | Client Admin | Check out credentials, launch sessions | Client Portal |
| MSP_ReadOnly_Audit | MSP Compliance | Read all logs, generate reports, no secret access | Audit Only |
Segregating Client Secrets & Sessions
Technical controls to ensure zero cross-client visibility for secrets, sessions, and audit trails
Secret and session segregation is both a contractual obligation and a security control. In a shared Delinea instance, you must ensure that Client A can never view, access, or reference anything belonging to Client B — including audit logs, session recordings, and secret metadata.
Secret segregation relies on Delinea's Folder Permission Model. At provisioning time, create a root folder per client, break permission inheritance from the parent so nothing granted on the shared tree flows down, and grant access only to that client's groups; re-check these grants on a schedule, because a single inherited or misassigned permission undoes the isolation.
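A check worth running after provisioning and on a schedule against a shared instance, as an added example that is not Delinea's own code: given an export of folder grants, flag any client root folder that still inherits its parent's permissions, and any group bound to one client that holds a grant on another client's folder. The row shape of the export, the Clients/<ClientID> folder layout and the group naming convention (MSP_Admin_<ClientID>, <ClientID>_<role>, instance-wide MSP_*) are assumptions, and the sample export is constructed.

```python
"""Cross-tenant folder permission check for a shared Secret Server instance.

Added example, not Delinea's own code. It runs over a constructed export of
folder grants; the row shape (folder path, group name, inherits-from-parent
flag), the "Clients/<ClientID>/..." layout and the group naming scheme
(MSP_Admin_<ClientID>, <ClientID>_<role>, instance-wide MSP_*) are assumptions.
"""

# Constructed sample export: (folder_path, group, inherits_permissions)
SAMPLE_GRANTS = [
    ("Clients",                    "MSP_ReadOnly_Audit",    False),
    ("Clients/ACME",               "MSP_Admin_ACME",        False),
    ("Clients/ACME",               "ACME_Client_Operators", False),
    ("Clients/ACME/Domain Admins", "ACME_Client_Operators", True),   # subfolder inheriting is fine
    ("Clients/GLOBEX",             "MSP_Admin_GLOBEX",      False),
    ("Clients/GLOBEX/Network",     "ACME_Client_Operators", False),  # ACME group on a GLOBEX folder
    ("Clients/INITECH",            "MSP_Admin_INITECH",     True),   # client root inherits from "Clients"
]


def client_of_folder(path):
    """ClientID for paths under Clients/<ClientID>; None for shared folders."""
    parts = path.split("/")
    if len(parts) >= 2 and parts[0] == "Clients":
        return parts[1]
    return None


def is_client_root(path):
    """True for exactly Clients/<ClientID>, the folder where inheritance must be broken."""
    return path.startswith("Clients/") and path.count("/") == 1


def client_of_group(group):
    """ClientID a group is bound to; None for instance-wide MSP groups (e.g. audit)."""
    if group.startswith("MSP_Admin_"):
        return group[len("MSP_Admin_"):]
    if group.startswith("MSP_"):
        return None
    return group.split("_", 1)[0]


def find_violations(grants):
    """Return (folder, group, reason) tuples for grants that break tenant isolation."""
    violations = []
    roots_flagged = set()
    for path, group, inherits in grants:
        folder_client = client_of_folder(path)
        if folder_client is None:
            continue  # shared folder above the client roots: MSP-only, out of scope here
        # A client root that inherits picks up every grant made on "Clients" or above.
        if is_client_root(path) and inherits and path not in roots_flagged:
            roots_flagged.add(path)
            violations.append((path, group, "client root inherits permissions from parent"))
        group_client = client_of_group(group)
        if group_client is not None and group_client != folder_client:
            violations.append((path, group,
                               f"group bound to {group_client} granted on {folder_client} folder"))
    return violations


if __name__ == "__main__":
    for folder, group, reason in find_violations(SAMPLE_GRANTS):
        print(f"{folder} | {group} | {reason}")
```

Run it against a fresh export after every onboarding and nightly thereafter; a non-empty result is a page-worthy alert, not a report line, since it means a tenant boundary is open until the grant is removed.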
Session recording data must be stored and accessed in a client-isolated manner. Delinea stores session recordings as encrypted artifacts associated with the originating secret, which is itself folder-scoped, so folder permissions govern who can play a recording back. Role permissions that grant instance-wide session monitoring bypass that folder scoping; keep them on MSP roles only, never on client-facing roles.
Audit logs in Delinea are scoped to the objects (secrets, folders, users) they relate to. MSPs can filter and export per-client audit data using folder-based filters and the REST API. User- and system-level events (logins, role changes, configuration edits) are not folder-scoped and should stay in the MSP's own audit view.
Schedule a nightly audit export job via the Delinea REST API for each client tenant. Pipe results to your PSA or SIEM (e.g. Splunk, Microsoft Sentinel) tagged with client_id for isolated dashboards and alerting. A tag alone only isolates as well as the SIEM's own access control does; route each client into its own index or workspace when the client will see the dashboards.
MSP Licensing Considerations
Delinea's MSP licensing model, cost structures, and margin optimization strategies
Delinea offers a dedicated MSP Partner Program with licensing structures designed for multi-client managed delivery. Understanding the difference between user-based, node-based, and bundled licensing is critical to building a profitable service margin.
User-Based Licensing
Licensed per privileged user (anyone who checks out a secret or launches a session). Best margin model for SMB clients where user count is predictable. Pool licenses across clients on shared instances.
Node/Endpoint Licensing
Privilege Manager licenses per managed endpoint. Scales with client endpoint count, not user count. Predictable for infrastructure-heavy clients.
MSP Aggregate Licensing
Delinea can offer an aggregate license pool for MSP partners — purchase a block of seats and distribute across clients. Typically unlocks 20-40% volume discount.
Pass-Through vs. Bundled Billing
You can pass license costs directly to clients at markup, or bundle licensing into flat-fee service tiers. Bundled tiers increase predictability; pass-through maintains flexibility.
Licensing Considerations Checklist
Never share a single Delinea license key across legally distinct client entities if your MSP agreement requires tenant-level license accountability. Verify your agreement with Delinea's legal team before pooling licenses across clients with individual compliance obligations.
Standardized PAM Onboarding Process
A repeatable, documented runbook for onboarding new clients to your PAM managed service
Consistency is the foundation of a scalable MSP practice. A standardized onboarding process reduces time-to-value for clients, minimizes engineer variability, and enables you to delegate onboarding tasks to junior staff. The goal is a sub-5-day full onboarding for SMB clients with under 500 endpoints.
1. Objective: Collect all data needed to configure the tenant without revisiting the client.
2. Objective: Create the tenant in Delinea, configure folder structure, and set up RBAC.
3. Objective: Connect Delinea to the client's environment for live discovery and access.
4. Objective: Populate the vault with initial credentials and configure rotation schedules.
5. Objective: Transition client to steady-state managed service and activate SLA.
Service Catalog & Billable Tiers
Packaging Delinea capabilities into structured, sellable managed security service offerings
The most successful MSP PAM programs use a 3-tier service model: an Essential foundational tier, an Advanced operational tier, and an Elite compliance/enterprise tier. Each tier builds on the previous and maps directly to Delinea features and license SKUs, making upsell conversations concrete and outcome-driven.
| Capability / Feature | Essential | Advanced | Elite |
|---|---|---|---|
| Privileged Credential Vaulting (Secret Server) | ✓ Included | ✓ Included | ✓ Included |
| Automated Password Rotation | ✓ Included | ✓ Included | ✓ Included |
| Session Launch (RDP/SSH via launcher) | ✓ Included | ✓ Included | ✓ Included |
| Session Recording & Playback | — Not Included | ✓ Included | ✓ Included |
| Active Directory Discovery & Import | — Not Included | ✓ Included | ✓ Included |
| Access Request & Approval Workflows | — Not Included | ✓ Included | ✓ Included |
| Endpoint Privilege Management (PM Agent) | — Not Included | ✓ Included | ✓ Included |
| SIEM Integration (Syslog / API forwarding) | — Not Included | Add-On | ✓ Included |
| Compliance Reporting (SOC2 / HIPAA / PCI) | — Not Included | Add-On | ✓ Included |
| DevOps Secrets Vault (DSV) | — Not Included | — Not Included | ✓ Included |
| Dedicated Instance (Hard Tenant Isolation) | — Not Included | — Not Included | ✓ Included |
| Monthly Executive Security Report | — Not Included | ✓ Included | ✓ Included |
| Quarterly Business Review (QBR) | — Not Included | — Not Included | ✓ Included |
| Suggested Price / User / Month | $18 – $25 | $35 – $55 | $65 – $95+ |
| Minimum Seat Count | 10 users | 20 users | 50 users |
Lead clients on Essential for the first 3 months to establish baseline value (rotation events, secrets vaulted). Use the Month-3 QBR to present session recording ROI data and compliance risk scores — these drive 70%+ of Advanced upgrades organically.
Add-On Services (Billable Separately)
PAM Health Assessment
One-time 3-day engagement to audit a client's existing PAM posture, identify credential sprawl, and deliver a prioritized remediation roadmap. Suggested: $3,500 – $6,000
Compliance Evidence Package
Quarterly extraction and formatting of PAM audit evidence mapped to specific compliance frameworks. Suggested: $500 – $1,200/quarter
Emergency Secret Rotation
Rapid response credential rotation for breach events or suspected credential compromise. Suggested: $750 – $2,000/event
DevOps Pipeline Integration
Scoping and implementation of DSV integration into CI/CD pipelines. Suggested: $2,000 – $5,000/engagement
Client Reporting Template
A standardized monthly executive report structure for managed PAM service delivery
Consistent, branded client reports are a key retention tool for MSP PAM programs. They quantify your value, surface risk trends, and create natural upsell touchpoints. The template below reflects a monthly cadence report for clients on the Advanced or Elite tier.
Send the report on the 1st business day of the month covering the prior month. Include a 3-sentence executive summary at the top written in plain language — your primary audience is often a non-technical business owner, not the IT team.
Sample recommendations section from a January 2025 report:
1. Onboard 5 unmanaged local admin accounts discovered Jan 28 to bring total under management. Estimated 1-hour effort. Recommend scheduling this week.
2. After-hours access trending up 55%. Consider enabling Access Request workflows for domain admin accounts to require business justification. Available on your current tier.
3. Upgrade to Elite tier recommended for session recording of all RDP sessions (currently recording only domain admin sessions) to meet your upcoming SOC 2 audit scope.
Generate the KPI data automatically using the Delinea REST API export + your PSA's reporting engine. Map Secret Count, Session Count, and Rotation Success/Failure directly from API response fields. After-hours analysis requires a post-processing step: convert the audit log UTC timestamps into each client's local timezone and compare them against that client's defined business hours and working days.
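The nightly export job from the segregation section and the KPI post-processing described here, as one added example that is not Delinea's own code: a constructed audit export is partitioned into per-client buckets keyed by root folder (matching on whole path segments, so Clients/ACME2 cannot land in ACME's bucket, and quarantining unmatched records rather than dropping or misfiling them), every record is tagged with client_id, and per-client session, after-hours and rotation KPIs are computed after converting UTC timestamps to the client's timezone and business hours. The record field names, action values, the tenant registry and the sample data are assumptions.

```python
"""Per-client partitioning of a Delinea audit export plus the monthly KPIs.

Added example, not Delinea's own code. The export is a constructed list of
records; the field names (ts, folder, action, user) and the action values are
assumptions about what an export job would emit. Timestamps are UTC ISO-8601.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Assumed tenant registry: client root folder, IANA timezone, local business hours [start, end).
CLIENTS = {
    "ACME":   {"root": "Clients/ACME",   "tz": "America/Chicago", "hours": (8, 18)},
    "GLOBEX": {"root": "Clients/GLOBEX", "tz": "Europe/Berlin",   "hours": (9, 17)},
}

# Standard-time offsets used only if the host has no tzdata (DST is not modelled then).
FALLBACK_OFFSETS = {"America/Chicago": -6, "Europe/Berlin": 1}

# Constructed sample export (not real data); all timestamps in January, i.e. standard time.
SAMPLE_AUDIT = [
    {"ts": "2025-01-15T14:05:00Z", "folder": "Clients/ACME/Servers",   "action": "SESSION_LAUNCH",   "user": "jdoe"},
    {"ts": "2025-01-16T03:10:00Z", "folder": "Clients/ACME/Servers",   "action": "SESSION_LAUNCH",   "user": "jdoe"},
    {"ts": "2025-01-16T09:00:00Z", "folder": "Clients/ACME/Servers",   "action": "ROTATION_SUCCESS", "user": "svc-rotate"},
    {"ts": "2025-01-17T10:00:00Z", "folder": "Clients/ACME/Network",   "action": "ROTATION_FAILURE", "user": "svc-rotate"},
    {"ts": "2025-01-17T08:30:00Z", "folder": "Clients/GLOBEX/Network", "action": "SESSION_LAUNCH",   "user": "mmueller"},
    {"ts": "2025-01-17T22:30:00Z", "folder": "Clients/GLOBEX/Network", "action": "SESSION_LAUNCH",   "user": "mmueller"},
    {"ts": "2025-01-19T12:00:00Z", "folder": "MSP/Internal",           "action": "SESSION_LAUNCH",   "user": "msp-eng"},
    {"ts": "2025-01-20T12:00:00Z", "folder": "Clients/ACME2/Servers",  "action": "SESSION_LAUNCH",   "user": "unknown"},
]


def _tz(name):
    """Resolve an IANA zone; fall back to a fixed standard-time offset on hosts without tzdata."""
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=FALLBACK_OFFSETS[name]))


def client_for(folder):
    """client_id whose root folder contains `folder`, matched on whole path segments."""
    for client_id, cfg in CLIENTS.items():
        root = cfg["root"]
        if folder == root or folder.startswith(root + "/"):
            return client_id
    return None  # "Clients/ACME2/..." does not match ACME's root via a bare prefix test


def partition(records):
    """Tag each record with client_id; anything unmatched goes to UNASSIGNED for review."""
    buckets = defaultdict(list)
    for rec in records:
        client_id = client_for(rec["folder"]) or "UNASSIGNED"
        buckets[client_id].append({**rec, "client_id": client_id})
    return dict(buckets)


def is_after_hours(ts_utc, client_id):
    """True if the UTC timestamp is on a weekend or outside the client's local business hours."""
    cfg = CLIENTS[client_id]
    local = datetime.fromisoformat(ts_utc.replace("Z", "+00:00")).astimezone(_tz(cfg["tz"]))
    start, end = cfg["hours"]
    return local.weekday() >= 5 or not (start <= local.hour < end)


def kpis(bucket, client_id):
    """Session count, after-hours share and rotation outcomes for one client's records."""
    actions = Counter(r["action"] for r in bucket)
    sessions = [r for r in bucket if r["action"] == "SESSION_LAUNCH"]
    after_hours = sum(1 for r in sessions if is_after_hours(r["ts"], client_id))
    return {
        "client_id": client_id,
        "sessions": len(sessions),
        "after_hours_sessions": after_hours,
        "after_hours_pct": round(100.0 * after_hours / len(sessions), 1) if sessions else 0.0,
        "rotations_ok": actions["ROTATION_SUCCESS"],
        "rotations_failed": actions["ROTATION_FAILURE"],
    }


def monthly_report(records):
    """Per-client KPI dicts plus the number of records that matched no registered tenant."""
    buckets = partition(records)
    report = {cid: kpis(recs, cid) for cid, recs in buckets.items() if cid in CLIENTS}
    report["unassigned_records"] = len(buckets.get("UNASSIGNED", []))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(monthly_report(SAMPLE_AUDIT), indent=2))
```

In a real pipeline the per-client buckets from partition() are what gets shipped to each client's SIEM index or workspace, and a non-zero unassigned_records count is a data-quality alert for the MSP, since a folder outside every registered root means either an unregistered tenant or a secret stored in the wrong place.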