Customizing Roles For Your Company – Part Two

31 05 2013

In Part One of this two-part series we discussed setting custom Roles inside of Secret Server. In this section we will discuss the three ways to set Permissions on Secrets within Secret Server.

Roles give a user the ability to perform actions inside Secret Server, whereas Permissions dictate the level of control a user has within Secret Server. There are three Permissions within Secret Server:

  1. View, which allows a user to see a Secret/Folder.
  2. Edit, which allows a user to change Secret/Folder information.
  3. Owner, the highest level of control which grants a user the ability to change advanced security settings for a Secret/Folder.

Permissions can be bulk-assigned by Folder. By default Secrets inherit the Permissions of the Folder where it is created. This set up requires two steps. First, create a folder structure that is separated by Permission level. Typically, this would follow your company’s team structure. For example, you could configure folders in the hierarchy:

  • IT Management Team
    • Server Admins
      • Server Admins
  • Finance Management Team
    • Staff Accountants
      • Book Keepers

Second, assign Permissions to each folder based on the users that need access to that information. Now, when a Secret is created inside a folder it will automatically be assigned the Permissions of that Folder.

Permissions can be individually assigned to specific Secrets. When setting up Permissions in this way, Folders are used primarily as an organization tool and typically are named in a much more general manner, such as:

  • Servers
    • Windows Servers
    • LINUX / UNIX
    • Apache
  • Databases
    • MS SQL
    • MySQL
    • Oracle

When assigning Permissions to individual Secrets, the Secret will not inherit Folder Permissions and can be placed in a Folder alongside Secrets that have different levels of Permissions. To ensure Secrets do not inherit Permissions from the Folder, update your product settings by going to Administration > Configuration and setting the Default Secret Permissions to “Only Creator Has Permissions to New Secrets”.

Permissions can be bulk AND individually assigned. It is also possible to set up Secret Permissions through a combination of the options above. In this case, you would use the Folder to push Permissions to the Secrets through inheritance when a Secret is created. Once this is complete, Secrets do not have to stay within that Folder. Inheritance can be turned off for individual Secrets afterward to allow assignment of custom Permissions.

Customizing Roles For Your Company – Part One

10 05 2013

Secret Server uses Roles and Permissions to control access to various capabilities within the system.

In this two part blog post we will review how to set up customized roles and permissions to meet your company’s security policy.

Roles in Secret Server control what a user is allowed to do in the tool. Secret Server ships with three default Roles:
1. Administrator, which has the ability to perform any task.
2. User, which allows basic functions such as create, edit and viewing of Secrets.
3. Read Only User, which only allows a user to view Secrets and Audit Reports without edit capabilities.
Although Secret Server can be used right out of the box with these default Roles, each company should personalize the Roles to fit individual company needs.


The default Roles can be edited and new Roles can also be created. For example, administration tasks can be delegated to different Administrators without giving them full control of the system (for example: Backup Administrator, Secret Template Administrator, Role Administrator and so on). An Auditor Role can also be created to give a user limited access to the system – such as to view Reports and to check compliance settings without having access to sensitive information. For more information on Roles, see our Secret Server Best Practices Guide (requires valid support).

Auditor Role

In the next part of this post we will go over how to set up permissions to control access to Secrets and Folders.

Inheriting Permissions Based on Folders

29 07 2011

Inheriting Permissions based on Folders

It is possible for Secrets in Secret Server to inherit permissions from the folder where they are placed. For example, if you install a new managed switch in your network, instead of setting an Active Directory group or users for every network-based Secret, you set the Active Directory group or individual user accounts to the folder. That way, when an admin enters a new Secret into Secret Server they don’t have to worry about selecting all the people that need access. Instead, they can place it into the correct folder that already has the correct permission level. Not only does it save time, but it also ensures that everyone who needs access to a Secret has it.

Adding Permissions to a folder
First, move your mouse to the Administration tab, then select Folders.

Then select the folder you want to edit permissions on, select edit

From here you can add Active Directory groups and individual Secret Server users. They will have access to any Secret that inherits permissions with the level you select.

Having a Secret Inherit Permissions From a Folder

Click to expand the Secret, and then select view.

Now, select share.

From here, select edit.

Finally, check the “Inherit Permissions from folder” box.

That’s it! Now any user in the Active Directory group or one you manually added to the folder permissions will have access. You can also turn on this behavior by default with the “Default Secrets Inherit Permissions” setting on the configuration page. It is important to note that a user with folder-based permissions will have that level of access to any Secret in the folder .


Get every new post delivered to your Inbox.

Join 30 other followers